Consultancy for Information Security Services and Audit according to ISO27001:2013

1. Executive Summary

Information Security Services and Audit according to ISO27001:2013

The purpose of this Request for Proposal (RFP) is to request proposals from qualified auditing firms for ISO27001 information security services and audit of the Resettlement Support Center program in our office located in San Salvador, El Salvador. The Resettlement Support Center is implemented on behalf of the United States government and uses systems and data that originate in the United States. Information on resettlement applicants is processed in San Salvador, El Salvador, by the Resettlement Support Center staff, who are IOM staff, and includes in-person and telephone interaction with the applicants, coordination of logistical services for United States government entities to screen and select applicants, and preparation of travel documents for those selected for resettlement to the United States. The United States government has requested that our Resettlement Support Center program in San Salvador, El Salvador be certified by an internationally recognized auditing firm under ISO27001. The Resettlement Support Center operates within the IOM premises and utilized the IOM corporate network, as well as US-based software applications, to process resettlement applications.

2. Organization information

Established in 1951, IOM is an international intergovernmental organization that recently joined the United Nations system. With over 160 member states and offices in more than 150 countries, the breadth and depth of IOM’s work reflect a level of experience and expertise in providing migrant services that is unmatched in the international community. IOM provides advice and services to governments to promote the principle that humane and orderly migration benefits migrants and society.

IOM works with its partners in the international community to meet the growing operational challenges of migration, advance understanding of migration issues, encourage social and economic development through migration, and uphold the well-being and human rights of migrants. IOM works to help ensure the orderly and humane management of migration, to promote international cooperation on migration issues, to assist in the search for practical solutions to migration problems and to provide humanitarian assistance to migrants in need, including refugees and internally displaced people.

IOM provides its services through a world-wide network of more than 400 field locations in more than 150 countries, including 9 Regional Offices, the Head Quarters in Geneva, and 2 Administrative Centers located in Panama and Manila, which provide core support in the areas of information technology, finance, human resources and other administrative services to IOM’s network of offices.

3. Project Background

The Resettlement Support Center (RSC) in San Salvador, El Salvador, is funded and managed by the United State Department of State’s Bureau of Population, Refugees and Migration (PRM) and processes refugee applications to the United States Refugee Admissions Program (USRAP) originating in Latin America. Other RSCs throughout the world process refugee applications for the United States on a regional basis. Applications to the program can be referred by the United Nations High Commissioner for Refugees (UNHCR), a U.S. Embassy, specially trained non-governmental organizations, or by direct relatives in the United States. The RSC in El Salvador prepares eligible refugee applications for U.S. resettlement consideration.

The RSC collects biographic and other information from the applicants to prepare for the adjudication interview and for security screening. Enhanced security screening is a joint responsibility of the US Department of State and the Department of Homeland Security and includes the participation of multiple US Government security agencies.

Officers from the Department of Homeland Security’s US Citizenship and Immigration Services (USCIS) review all the information that the RSC has collected and also conduct an in-person interview with each refugee applicant before deciding whether to approve him or her for resettlement to the United States.

All USCIS-approved refugees undergo a health screening to identify medical needs and ensure that those with a contagious disease such as tuberculosis do not enter the United States. Finally, the RSC requests a sponsorship assurance from a US-based resettlement agency that is experienced in providing assistance to newly arrived refugees. Most refugees undergo a brief U.S. cultural orientation course prior to departure to the United States.

4. Current Environment

The RSC in San Salvador, El Salvador, is utilizing a variety of software applications to process refugee applications within the IOM corporate network. Some of these applications are owned and hosted by the United States Department of State and are accessed remotely. Other applications are hosted inside the IOM network and help manage internal workflows and the management of physical files. The RSC maintains a call center to interact with refugee applicants, primarily by telephone and e-mail, as well as software to track these interactions. Physical and information security protocols, policies, and standard operating procedures are in place to protect the personal data being collected and processed by the RSC.

The United States Department of State has required each RSC to conduct both internal and external information security audits to identify gaps in information security and address these gaps both locally and program-wide. In January 2020, IOM’s Senior Information Security Officer and a representative from IOM’s USRAP global coordination office conducted an internal information security audit which included an inventory of assets, risk assessment, assignment of risk owners, and follow up on gaps.

The RSC is required to complete an external audit by an internationally recognized auditing firm to assess its compliance with ISO27001 standard. The deadline for completion 15 December 2020.

5. Requirements

There are two parts to the required services under this engagement.

PART A – Consultancy Services

Proposed services should include, but are not limited to the following:

· Perform a gap analysis in order to assess and evaluate the controls to be implemented to achieve ISO 27001:2013 certification and accreditation.

· Review existing systems at RSC Latin America pertaining to security controls, policies, processes and any other established procedures on managing risk and improving information security to deliver results in accordance with the organization’s overall policies and objectives.

· Scoping of certification project and documenting the scope as per ISO 27001:2013 certification, detailing the functional areas and processes to be covered in the certification scope.

· Review and validate the list of information assets of RSC Latin America, it’s ownership, classification of assets and prepare information asset registers.

· Review the risk assessment performed in January 2020, identified risk, controls and remediation plans and proposed changes if required. Check if remediation plans are being performed and documented ad planned.

· Review IOM’s Risk Assessment Methodology appropriateness to meet ISO27001 requirements for risk identification, mitigation and treatment and propose changes if required.

· With the assistance of RSC Latin America, HQ and other locations Implement an ISMS based on the requirements of ISO 27001:2013.

· Review the current Organizational Structure and advise/modify to create an environment where policies, procedures and processes to manage and monitor regulatory, legal, risk, environmental and operational requirements are understood and inform the management of security risks.

· Define all ISO 27001:2013 roles and responsibilities and mapping them to existing business departments or positions according to the approved Organizational Structure.

· Define and develop required information security policies and procedures for RSC Latin America.

· Define and create an evaluation method and metrics of the ISMS and the implemented controls. The plan should:

• o describe the goal of measurement objective;
• o define methods of collecting performance data;
• o define the frequency and method of monitoring;
• o define performance metrics, KPIs and dashboards for implemented security controls.

· Conduct ISO 27001:2013 awareness sessions to RSC Latin America staff.

PART B – Certification

The provider is responsible for engaging an independent accredited certification body to perform the ISO 27001 audit/certification.

Activities during the onsite formal assessment should include, but are not limited to the following:

· Audit the ISMS and related activities, processes, procedures and documentations in accordance to the ISO27001:2013 standard.

· Any observations which may lead to noncompliance to ISO 27001:2013 should be advised to the RSC Latin America team immediately and confirmatory testing should be completed after fixing of the observation. As many iterations of audit may be performed as required to get the compliance to ISO 27001:2013

At the conclusion of certification audit expects to receive:

a) Globally accepted ISO27001 compliance certificate

b) Nonconformities (NC) and observations report

c) Recommendations associated with NC’s and observations

A formal documentation of the findings and recommendations are required.

Instructions to Service Providers / Consulting Firms

1. Introduction

1.1 Only eligible Service Providers / Consulting Firms may submit a Technical Proposal and Financial Proposal for the services required. The proposal shall be the basis for contract negotiations and ultimately for a signed contract with the selected Service Providers / Consultant Firm.

1.2 Service Providers / Consulting Firms should familiarize themselves with local conditions and take them into account in preparing the proposal. Service Providers/ Consulting Firms are encouraged to clarify all questions before submitting a proposal.

1.3 The Service Providers/ Consulting Firms costs of preparing the proposal and of negotiating the contract, including visit/s to the IOM, are not reimbursable as a direct cost of the assignment.

1.4 Service Providers / Consulting Firms shall not be hired for any assignment that would be in conflict with their prior or current obligations to other procuring entities, or that may place them in a position of not being able to carry out the assignment in the best interest of the IOM.

1.5 IOM is not bound to accept any proposal and reserves the right to annul the selection process at any time prior to contract award, without thereby incurring any liability to the Service Providers / Consulting Firms.

1.6 IOM shall provide at no cost to the Service Provider / Consulting Firm the necessary inputs and facilities and assist the Firm in obtaining licenses and permits needed to carry out the services and make available relevant project data and report.

2. Corrupt, Fraudulent, and Coercive Practices

2.1 IOM Policy requires that all IOM Staff, bidders, manufacturers, suppliers or distributors, observe the highest standard of ethics during the procurement and execution of all contracts. IOM shall reject any proposal put forward by bidders, or where applicable, terminate their contract, if it is determined that they have engaged in corrupt, fraudulent, collusive or coercive practices. In pursuance of this policy, IOM defines for purposes of this paragraph the terms set forth below as follows:

· Corrupt practice means the offering, giving, receiving or soliciting, directly or indirectly, of anything of value to influence the action of the Procuring/Contracting Entity in the procurement process or in contract execution;

· Fraudulent practice is any act or omission, including a misrepresentation, that knowingly or recklessly misleads, or attempts to mislead, the Procuring/Contracting Entity in the procurement process or the execution of a contract, to obtain a financial gain or other benefit to avoid an obligation.

· Collusive practice is an undisclosed arrangement between two or more bidders designed to artificially alter the results of the tender procedure to obtain a financial gain or other benefit;

· Coercive practice is impairing or harming, or threatening to impair or harm, directly or indirectly, any participant in the tender process to influence improperly its activities in a procurement process, or affect the execution of a contract

3. Conflict of Interest

3.1 All bidders found to have conflicting interests shall be disqualified to participate in the procurement at hand. A bidder may be considered to have conflicting interest under any of the circumstances set forth below:

· A Bidder has controlling shareholders in common with another Bidder;

· A Bidder receives or has received any direct or indirect subsidy from another Bidder;

· A Bidder has the same representative as that of another Bidder for purposes of this bid;

· A Bidder has a relationship, directly or through third parties, that puts them in a position to have access to information about or influence on the Bid of another or influence the decisions of the Mission/procuring Entity regarding this bidding process;

· A Bidder submits more than one bid in this bidding process;

· A Bidder who participated as a consultant in the preparation of the design or technical specifications of the Goods and related services that are subject of the bid.

4. Clarifications and Amendments to RFP Documents

4.1 At any time before the submission of the proposals, IOM may, for any reason, whether at its own initiative or in response to a clarification amend the RFP. Any amendment made will be made available to all short-listed Service Providers/ Consulting Firms who have acknowledged the Letter of Invitation.

4.2 Service Providers/ Consulting Firms may request for clarification(s) on any part of the RFP. The request must be sent in writing or by standard electronic means and submitted to IOM at the address and time frame indicated in the invitation. IOM will respond in writing or by standard electronic means to the said request and this will be made available to all those who acknowledged intention of participation to the RFP without identifying the source of the inquiry.

5. Preparation of the Proposal

5.1 A Service Provider/ Consulting Firm Proposal shall have two (2) components:

a) The Technical Proposal, and

b) The Financial Proposal.

5.2 The Proposal, and all related correspondence exchanged by the Service Providers/ Consulting Firms and IOM, shall be in English. All reports prepared by the contracted Service Provider/ Consulting Firm shall be in English.

5.3 The Service Providers/ Consulting Firms are expected to examine in detail the documents constituting this Request for Proposal (RFP). Material deficiencies in providing the information requested may result in rejection of a proposal.

6. Technical Proposal

6.1 When preparing the Technical Proposal, Service Providers/ Consulting Firms must give particular attention to the following:

a) If a Service Provider/ Consulting Firm deems that it does not have all the expertise for the assignment, it may obtain a full range of expertise by associating with individual consultant(s) and/or other consultants or entities in a joint venture or sub-consultancy, as appropriate. Service Providers/ Consulting Firms may associate with the other consultants invited for this assignment or to enter into a joint venture with consultants not invited, only with the approval of IOM. In case of a joint venture, all partners shall be jointly and severally liable and shall indicate who will act as the leader of the joint venture.

b) For assignment of the staff, the proposal shall be based on the number of professional staff-months estimated by the firm, no alternative professional staff shall be proposed.

c) It is desirable that the majority of the key professional staff proposed is permanent employees of the firm or have an extended and stable working relationship with it.

d) Proposed professional staff must, at a minimum, have the experience of at least 5 years, preferably working under conditions similar to those prevailing in the country of the assignment.

e) The bidder must have experience in designing, developing, implementing, auditing in ISO 27001:2013. It must have performed at least 3 ISO 27001:2013 engagements where the customers was successfully certified, in the last 3 years.

6.2 The Technical Proposal shall provide the following information using the attached Technical Proposal Standard Forms TPF 1 to TPF 5 (Section III).

a) A brief description of the Service Providers/ Consulting Firms organization and an outline of recent experience on assignments of a similar nature (TPF-2), if it is a joint venture, for each partner. For each assignment, the outline should indicate the profiles of the staff proposed, duration of the assignment, contract amount, and firm’s involvement.

b) A description of the approach, methodology and work plan for performing the PART A (TPF-3) and PART B (TPF-4) of assignment. This should normally consist of maximum of ten (10) pages including charts, diagrams, and comments and suggestions, if any, on Terms of Reference and counterpart staff and facilities. The work plan should be consistent with the work schedule (TPF-9).

c) Provide 3-5 key performance indicators (KPI) to be used to demonstrate that the work is delivered on time at the quality outlined in the proposal. These KPI’s should include measurable targets (TPF-5).

d) Provide a boilerplate policy relevant to the SOW and a standard for review of format, clarity and effectiveness (TPF-6).

e) The list of proposed Professional Staff team by area of expertise, the position and tasks that would be assigned to each staff team members (TPF-7).

f) A description of previous ISO27001 engagements and contact details of the customers (TPF-8).

g) A time schedule (bar chart) showing the time proposed to undertake that the activities indicated in the work plan (TPF-9).

h) A detailed description of the proposed methodology and staffing for training if the RFP specifies training as specific component of the assignment.

6.3 The technical proposal shall not include any financial information.

7. Financial Proposal

7.1 In preparing the Financial Proposal, consultants are expected to take into account the requirements and conditions outlined in the RFP. The Financial Proposal shall follow the Financial Proposal Standard Forms (Section IV).

7.2 The Financial proposal shall include all costs associated with the assignment. If appropriate, these costs should be broken down by activity/modules (FPF-2). All items and activities described in the Technical proposal must be priced separately; activities and items in the Technical Proposal but not priced shall be assumed to be included in the prices of other activities or items/modules.

7.3 The Service Provider/ Consulting Firm may be subject to local taxes on amounts payable under the Contract. If such is the case, IOM may either: a) reimburse the Service Provider/ Consulting Firm for any such taxes or b) pay such taxes on behalf of the Consultant. Taxes shall not be included in the sum provided in the Financial Proposal as this will not be evaluated, but they will be discussed at contract negotiations, and applicable amounts will be included in the Contract.

7.4 Service Providers/ Consulting Firms shall express the price of their services in USD.

7.5 The Financial Proposal shall be valid for 90 days. During this period, the Service Provider/ Consulting Firm is expected to keep available the professional staff for the assignment. IOM will make its best effort to complete negotiations and determine the award within the validity period. If IOM wishes to extend the validity period of the proposals, the Service Provider/ Consulting Firm has the right not to extend the validity of the proposals.

7.6 The financial eligibility of the Service Provider/ Consulting Firm is estimated with the records of the financial statements of the last two closed years. financial statements for previous years, or partial financial statements, will not be considered for any reason. IOM reserves the right to evaluate the Financial Statements of the Service Provider/ Consulting Firm in accordance with the financial indicators or generally accepted methods with which the financial capacity to comply with the obligations of these RFP can be determined, so it is necessary to present the referred Financial Statements.

8. Submission, Receipt, and Opening of Proposals

8.1 Service Providers/ Consulting Firms may only submit one proposal. If a Service

Provider/ Consulting Firm submits or participates in more than one proposal such proposal shall be disqualified.

8.2 Submission on hand or by post/mail**

• The original Proposal (both Technical and Financial Proposals) shall be prepared in indelible ink. It shall contain no overwriting, except as necessary to correct errors made by the Service Providers/ Consulting Firms themselves. Any such corrections or overwriting must be initialed by the person(s) who signed the Proposal.

• The Service Providers/ Consulting Firms shall submit one original and one copy of the Proposal. Each Technical Proposal and Financial Proposal shall be marked “Original” or “Copy” as appropriate. If there are any discrepancies between the original and the copies of the Proposal, the original governs.

• The original and all copies of the Technical Proposal shall be placed in a sealed envelope clearly marked “TECHNICAL PROPOSAL.” Similarly, the original Financial Proposal shall be placed in a sealed envelope clearly marked “FINANCIAL PROPOSAL” and with a warning “DO NOT OPEN WITH THE TECHNICAL PROPOSAL.” Both envelopes shall be placed into an outer envelope and sealed. The outer envelope shall be labeled with the submission address, reference number and title of the project and the name of the Service Provider/ Consulting Firm.

• Proposals must be received by IOM at the place, date and time indicated in the invitation to submit proposal or any new place and date established by the IOM. Any Proposal submitted by the Service Provider/ Consulting Firm after the deadline for receipt of Proposals prescribed by IOM shall be declared “Late,” and shall not be accepted by the IOM and returned to the consultant unopened.

• After the deadline for the submission of Proposals, all the Technical Proposal shall be opened first by the BEAC. The Financial Proposal shall remain sealed until all submitted Technical. Proposals are opened and evaluated. The BEAC has the option to open the proposals publicly or not.

8.3 Submission by e-mail

• Technical and Financial proposal should be submitted in separate files. Technical proposal should not contain, neither explain, any financial details. Financial details should be part only of the financial proposal.

• Each standard form is to be submitted separately duly signed, where preview to be, and scanned in PDF form.

9. Evaluation of Proposals

9.1 After the Proposals have been submitted to the BEAC and during the evaluation period, Service Providers/ Consulting Firms that have submitted their Proposals are prohibited from making any kind of communication with any BEAC member, as well as its Secretariat regarding matters connected to their Proposals. Any effort by the Service Providers/ Consulting Firms to influence IOM in the examination, evaluation, ranking of Proposal, and recommendation for the award of contract may result in the rejection of the Service Providers/ Consulting Firms Proposal.

1. Technical Evaluation

10.1 The entire evaluation process, including the submission of the results and approval by the approving authority, shall be completed in not more than one week after the deadline for receipt of proposals.

10.2 The BEAC shall evaluate the Proposals and POC solutions on the basis of their responsiveness to the Terms of Reference, compliance to the requirements of the RFP and by applying an evaluation criteria, sub criteria and point system. Each responsive proposal shall be given a technical score (St). The proposal with the highest score or rank shall be identified as the Highest Rated/Ranked Proposal.

10.3 A proposal shall be rejected at this stage if it does not respond to important aspects of the TOR or if it fails to achieve the minimum technical qualifying score which is **70%***.*

10.4 The technical proposals of Service Providers/ Consulting Firms shall be evaluated based on the following criteria and sub-criteria:

SCHEDULE OF ACTIVITIES

Invitation date: 10/23/2020

Question and answer period for bidders: From 10/26/2020 to 11/06/2020 at 5:00 pm

Receipt of offers via e-mail or at IOM offices: 11/13/2020 at 03:00 pm

Technical and financial evaluation of the proposal

Preparation of award letter

The minimum technical score required to pass is: 70 Points

10.5 Technical Proposal shall not be considered for evaluation in any of the following cases:

a) late submission, i.e., after the deadline set

b) failure to submit any of the technical requirements and provisions provided under the Instruction to Service Provider/ Consulting Firm (ITC) and Terms of Reference (TOR);

11. Financial Evaluation

11.1 After completion of the Technical Proposal evaluation, IOM shall notify those Service Providers/ Consulting Firms whose proposal did not meet the minimum qualifying score or were considered non responsive based on the requirements in the RFP, indicating that their Financial Proposals shall be returned unopened after the completion of the selection process.

11.2 IOM shall simultaneously notify the Service Providers/ Consulting Firms that have passed the minimum qualifying score indicating the date and opening of the Financial Proposal. The BEAC has the option to open the Financial proposals publicly or not.

11.3 The BEAC shall determine the completeness of the Financial Proposal whether all the Forms are present and the required to be priced are so priced.

11.4 The BEAC will correct any computational errors. In case of a discrepancy between a partial amount and the total amount, or between words and figures, the former will prevail. In addition, activities and items described in the Technical proposal but not priced, shall be assumed to be included in the prices of other activities or items.**

11.5 The Financial Proposal of Service Providers/ Consulting Firms who passed the qualifying score shall be opened, the lowest Financial Proposal (F1) shall be given a financial score (Sf) of 100 points. The financial scores (Sf) of the other Financial Proposals shall be computed based on the formula:**

Sf = 100 x F1 / F

Where:

Sf – is the financial score of the Financial Proposal under consideration,

Fl – is the price of the lowest Financial Proposal, and

F – is the price of the Financial Proposal under consideration.

The proposals shall then be ranked according to their combined (Sc) technical (St) and financial (Sf) scores using the weights (T = the weight given to the Technical Proposal = 0.70; F = the weight given to the Financial Proposal = 0.30; T + F = 1)

Sc = St x T% + Sf x F%

The firm achieving the highest combined technical and financial score will be invited for negotiations.

12. Negotiations

12.1 The aim of the negotiation is to reach agreement on all points and sign a contract. The expected date and address for contract negotiation is 11/27/2020.

12.2 Negotiation will include: a) discussion and clarification of the Terms of Reference (TOR) and Scope of Services; b) Discussion and finalization of the methodology and work program proposed by the Service Provider/ Consulting Firm; c) Consideration of appropriateness of qualifications and pertinent compensation, number of man-months and the personnel to be assigned to the job, and schedule of activities (manning schedule); d) Discussion on the services, facilities and data, if any, to be provided by IOM; e) Discussion on the financial proposal submitted by the Service Provider/ Consulting Firm; and f) Provisions of the contract. IOM shall prepare minutes of negotiation which will be signed both by IOM and the Service Providers/ Consulting Firms.

12.3 The financial negotiations will include clarification on the tax liability and the manner in which it will be reflected in the contract and will reflect the agreed technical modifications (if any) in the cost of the services. Unless there are exceptional reasons, the financial negotiations will involve neither the remuneration rates for staff nor other proposed unit rates.

12.4 Having selected the Service Provider/ Consulting Firm on the basis of, among other things, an evaluation of proposed key professional staff, IOM expects to negotiate a contract on the basis of the experts named in the proposal. Before contract negotiations, IOM shall require assurances that the experts shall be actually available. IOM will not consider substitutions during contract negotiation unless both parties agree that the undue delay in the selection process makes such substitution unavoidable or for reasons such as death or medical incapacity. If this is not the case and if it is established that staff were referred in their proposal without confirming their availability the Service Provider/ Consulting Firm may be disqualified. Any proposed substitution shall have equivalent or better qualifications and experience than the original candidate.

12.5 All agreement in the negotiation will then be incorporated in the description of services and form part of the Contract.

12.6 The negotiations shall conclude with a review of the draft form of the Contract which forms part of this RFP (Section V). To complete negotiations, IOM and the Service Providers/ Consulting Firms shall initial the agreed Contract. If negotiations fail, IOM shall invite the second ranked Service Provider/ Consulting Firm to negotiate a contract. If negotiations still fail, the IOM shall repeat the process for the next-in-rank Service Providers/ Consulting Firms until the negotiation is successfully completed.

13. Award of Contract

13.1 The contract shall be awarded, through a notice of award, following negotiations and subsequent post-qualification to the Service Provider/ Consulting Firm with the Highest Rated Responsive Proposal. Thereafter, the IOM shall promptly notify other Service Providers/ Consulting Firms on the shortlist that they were unsuccessful and shall return their unopened Financial Proposals. Notification will also be sent to those Service Providers/ Consulting Firms who did not pass the technical evaluation.

13.2 The Service Provider/ Consulting Firm is expected to commence the assignment on 12-01-2020.

14. Confidentiality

14.1.1 Information relating to the evaluation of proposals and recommendations concerning awards shall not be disclosed to the Service Provider/ Consulting Firm who submitted Proposals or to other persons not officially concerned with the process. The undue use by any Service Provider/ Consulting Firm of confidential information related to the process may result in the rejection of its Proposal and may be subject to the provisions of IOM’s anti-fraud and corruption policy.**