REQUEST FOR EXPRESSIONS OF INTEREST
(CONSULTING SERVICES - FIRMS SELECTION)

Country: INDIA
Project: FINANCING PUBLIC PRIVATE PARTNERSHIP THROUGH SUPPORT TO THE INDIA INFRASTRUCTURE FINANCE COMPANY LIMITED
Sector: Finance and Private Sector Development
Grant No.: TF096466
Reference No.: C 3
Assignment Title: Implementation of ISO 27001 based Information Security Management System

1. The India Infrastructure Finance Company Limited (IIFCL) has received a Grant from the World Bank towards the cost of Building Capacity and Strengthening Monitoring and Implementation Capability of India Infrastructure Finance Company Limited, and intends to apply part of the proceeds to payment for goods and consulting services to be procured under this Grant.

2. The consultants will implement an Information Security Management System (ISMS) based on the latest version of the international information security standard ISO/IEC 27001 at all IIFCL offices located in New Delhi. The broad steps to be carried out and the major deliverables at the various milestones are given in Annexure I.

3. Skill Requirements / Eligibility Criteria for Vendors or Consultants or IT Consultants

The vendor is to state the extent of its compliance with the following qualification criteria:

Robust Methodology: The vendor shall employ a proven and robust framework for ISMS implementation to ensure successful completion of the project, leading to certification under ISO 27001.

ISMS Implementation Experience: The vendor shall provide references from at least three organizations in the BFSI sector where it has executed projects related to ISO 27001 (ISMS) implementation. Completion certificates for these assignments, issued by those organizations, must be furnished.
Vendor's Security Expertise: The vendor shall have at least two ISO 27001 Lead Auditors and/or Implementers and one CISSP, CISA or SANS certified security professional employed with it.

Team to be deployed for the project: The project team must include an ISO 27001 certified security consultant as Project Manager and a CISSP, CISA or SANS certified security professional. Each member should have at least 3 years of experience and should have successfully implemented at least 3 ISMS projects in the BFSI space.

Track Record in Information Security Services: The vendor should have at least 3 years of experience in offering information security services (including security assessment, security policy and procedure design, and security consulting assignments) to leading organizations, including a minimum of three BFSI organizations. Vendors must list all such security services assignments undertaken by them in the last three years, giving the client name, a brief project description, location, project duration, project value and date of completion. The vendor should have executed at least three IS audit / security projects of a minimum value of Rs 20 lakhs in the BFSI sector in the last 3 years.

4. IIFCL now invites eligible consulting firms to indicate their interest in providing the above services. Interested consultants must provide information (brochures, descriptions of similar assignments, experience in similar conditions, and availability of appropriate skills among staff) indicating that they are qualified to perform the services. Information regarding the consultant's organization and experience is to be provided in the attached forms:
a. Consultant's Organization: ref. Form - I
b. Consultant's Experience: ref. Form - II

5. The attention of interested consultants is drawn to paragraph 1.9 of the World Bank's Guidelines: Selection and Employment of Consultants by World Bank Borrowers, May 2004, revised October 1, 2006 ("Consultant Guidelines"), setting forth the World Bank's policy on conflict of interest. Consultants may associate with other firms in the form of a joint venture or a sub-consultancy to enhance their qualifications.
6. A consultant will be selected in accordance with the procedures set out in the World Bank's Guidelines: Selection and Employment of Consultants by World Bank Borrowers, May 2004, revised October 1, 2006.

7. Further information can be obtained at the address below during office hours (1030 hours to 1700 hours):

India Infrastructure Finance Company Limited
CGM-IT
8th Floor, Hindustan Times House
18 & 20, Kasturba Gandhi Marg
New Delhi 110 001
Tel: +91-11-23708263, 23708264
Fax: +91-11-23736355
E-mail: technology@iifcl.org
Web site: www.iifcl.org

Expressions of Interest must be delivered to the above address by 22nd October 2014, 17:00 hrs.
Annexure I: Information Security Management System (ISMS)

IIFCL requires the establishment and implementation of an Information Security Management System (ISMS) based on the latest version of the international information security standard ISO/IEC 27001 at all IIFCL offices located in New Delhi. The broad steps to be carried out by the vendor as an integral part of the exercise shall include, but not be limited to, the following:

Gap Analysis: assessment of the Organization's security environment to establish the current security posture and the Organization's level of preparedness against the requirements of the ISO 27001 standard.

1. Identification of the various controls already implemented in the Organization, including technical controls, administrative controls, etc.
   Major Deliverable: Gap Analysis Report.
2. Development of scope and management sign-off.
   Major Deliverable: Signed-off scope statement.
3. Setup of an Information Security Organization (ISO) within the Organization, preferably nominating a dedicated CISO and a dedicated information security team.
4. Development of a risk assessment methodology and management sign-off.
   Major Deliverable: Signed-off Risk Assessment Methodology.
5. Identification of all assets within the scope of ISO 27001, together with all possible threats and vulnerabilities to these assets.
   Major Deliverable: Asset Register.
6. Vulnerability Assessment and Penetration Testing (VAPT) of all identified assets, and system hardening to address all identified vulnerabilities.
   Major Deliverable: VAPT Report.
7. Risk assessment of all assets within the scope of the project and development of a risk treatment plan, especially for all medium and high category risks identified.
   Major Deliverable: Risk Assessment and Risk Treatment Reports.
8. Development and implementation of appropriate policies, procedures, standards and guidelines.
   Major Deliverable: Policies, Procedures, Standards and Guidelines.
9. Listing of all required controls, development of a Statement of Applicability (SoA), and procurement of all new controls to be implemented.
   Major Deliverable: SoA (approved).
10. Establishing control of records and control of documents.
11. Implementation of all controls agreed to be implemented under the SoA.
12. Training and awareness for all IIFCL staff and any third-party staff working at IIFCL offices, to create the necessary awareness of information security and to foster a strong security culture within the organization.
13. Internal audit to verify that all identified risks have been successfully treated and that all residual risks have been accepted by management.
   Major Deliverable: Internal Audit Report.
14. Management review of the internal audit.
   Major Deliverable: Management commitment record.
15. Preparation of the Organization for the third-party / certification audit.
FORM - I: Consultant's Organization and Experience

A - Consultant's Organization

[Provide here a brief (two pages) description of the background and organization of your firm/entity and of each associate for this assignment.]
FORM - II

B - Consultant's Experience

[Using the format below, provide information on each assignment for which your firm, and each associate for this assignment, was legally contracted either individually as a corporate entity or as one of the major companies within an association, for carrying out consulting services similar to the ones requested under this assignment.]

Assignment name:
Approx. value of the contract (in current US$ or Euro):
Country:
Location within country:
Duration of assignment (months):
Name of Client:
Total No. of staff-months of the assignment:
Address:
Start date (month/year):
Completion date (month/year):
Name of associated Consultants, if any:
Approx. value of the services provided by your firm under the contract (in current US$ or Euro):
No. of professional staff-months provided by associated Consultants:
Name of senior professional staff of your firm involved and functions performed (indicate most significant profiles such as Project Director/Coordinator, Team Leader):
Narrative description of Project:
Description of actual services provided by your staff within the assignment:
State whether project since implemented: