Provision of cybersecurity services and integration of supporting technical components
UNOPS
Request for quotation
Reference:
RFQ/2025/58121
Beneficiary countries or territories:
Montenegro
Registration level:
Basic
Published on:
19-Jun-2025
Deadline on:
15-Jul-2025 10:00 0.00
Description
Tender description: Provision of cybersecurity services and integration of supporting technical components, designed to strengthen and operationalize the Ministry’s existing cybersecurity framework.
-----
IMPORTANT NOTE: Interested vendors must respond to this tender using the UNOPS eSourcing system, via the UNGM portal. In order to access the full UNOPS tender details, request clarifications on the tender, and submit a vendor response to a tender using the system, vendors need to be registered as a UNOPS vendor at the UNGM portal and be logged into UNGM. For guidance on how to register on UNGM and submit responses to UNOPS tenders in the UNOPS eSourcing system, please refer to the user guide and other resources available at: https://esourcing.unops.org/#/Help/Guides
Interested in improving your knowledge of what UNOPS procures, how we procure and how to become a vendor to supply to our organization? Learn more about our free online course on “Doing business with UNOPS” here
This tender has been posted through the UNOPS eSourcing system. Vendor Guide: https://esourcing.unops.org/#/Help/Guides
First name:
N/A
Surname:
N/A
This procurement opportunity integrates considerations for at least one sustainability indicator. However, it does not meet the requirements to be considered sustainable.
Local communities, MSMEs and supplier diversity
Economic
The tender contains sustainability considerations regarding local MSMEs, local communities or disadvantaged groups.
Examples:
Reserved labour opportunities for local communities, use of local materials, reserved procurements for local companies
| Link | Description |
|---|---|
| https://esourcing.unops.org/#/Help/Guides | UNOPS eSourcing – Vendor guide and other system resources |
81111801 - Computer or network or internet security
New clarification added:
All team members must pass Ministry of Justice security checks and meet standard onboarding procedure (e.g. police check).
Q1: How long will this process take and what information would be required?
A1: Minimum 10 days
Edited on:
13-Jul-2025 22:11
Edited by:
webservice@unops.org
New clarification added:
Q1: The portal under vendor submission is requesting Form E-G, however, these are not present in the RFQ Section II. Is there a specific format for these?
A1: Forms E-G can be submitted in free form. The CVs of the proposed team members should have marked points referring to the tender criteria.
Requirement: The bidder must hold valid ISO 9001, ISO/IEC 27001, and ISO/IEC 27701 certifications. Given that data privacy is a covered component under our ISO 27001 certification, we request that the requirement to hold ISO 27701 be marked as optional.
Bidder must hold valid ISO 9001, ISO/IEC 27001, and ISO/IEC 27701 certifications. Ministry of Justice handles highly sensitive information including personally identifiable information and must ensure that third-party vendors (contractors) implement robust privacy controls, risk management processes, and data protection measures. Possessing the ISO/IEC 27701 certification demonstrates a proven contractor’s commitment to protecting personal data, meeting legal and regulatory requirements and reducing the risk of data breaches and penalties.
· Proof of employment of at least 3 engineers – Is submitting the CVs of employed engineers sufficient for “proof”?
Proof of employment should be provided in the form of a statement signed by the authorized person of the company.
· We do not see a section requesting methodology or approach – is this required as part of the RFQ?
Methodology is not required by this RFQ.
· Is the 3-month delivery requirement strict? We believe, based on the SOW and our experience, it may take slightly longer.
3-month delivery requirement is strict since it is influenced by the expiration of the project financing this intervention.
· Can training be delivered remotely, through instructor led virtual webinar (interactive)?
Training cannot be delivered remotely.
· Can you clarify which Splunk license is used (cloud, on-prem, Enterprise Security?), and ingestion level (how many GB/day based on license limit)?
MoJ has Splunk Enterprise, licensed to manage 10GB-19GB of logs per day.
Edited on:
10-Jul-2025 15:18
Edited by:
webservice@unops.org
New clarification added:
Q1: How can a bidder, certified for software implementation and cybersecurity solutions integration, demonstrate competence to provide services related to alignment with the ISO standards and GDPR compliance? In this context, what specific competencies are considered acceptable to demonstrate that the bidder is qualified to perform compliance verification with ISO/IEC 27001 and GDPR?
A1: The bidder must demonstrate competence through:
• Certifications: Valid ISO/IEC 27001 and ISO/IEC 27701 certifications, which validate expertise in implementing security controls and data protection frameworks.
• Experience: Proven track record in projects involving ISO 27001/27701 alignment (e.g., gap assessments, control implementation, audits).
• Showcasing processes used to verify compliance (e.g., risk assessments, control mappings, audit reports) of the clients presented in the reference letters or reference lists.
• References: Track record in projects involving ISO 27001/GDPR alignment (e.g., gap assessments, control implementation, audits) proven by references showcasing successful projects.
Examples of Acceptable Competencies:
• Conducting ISO 27001 audits or readiness assessments.
• Implementing GDPR-compliant data protection measures (e.g., Article 25 "Data Protection by Design").
• Delivering governance frameworks aligned with ISO 27001 Annex A controls.
Q2: Why is it not required for the ISO 9001 certificate to have the scope specifically defined, while it is required for ISO/IEC 27001 and ISO/IEC 27701?
A2: Scope Requirements for ISO 9001 vs. ISO/IEC 27001/27701
• ISO 9001 (Quality Management): Focuses on general process quality; scope specificity is less critical as it does not directly impact cybersecurity deliverables.
• ISO/IEC 27001/27701 (Security/Privacy): Require scope clarity to ensure the bidder’s certification covers cybersecurity services (e.g., risk management, SOC implementation), not just software development.
Rationale: The project emphasizes security governance and operational resilience, necessitating validated expertise in these areas.
Q3: Furthermore, how can a bidder whose core business is software implementation and cybersecurity solutions integration meet the requirement listed under Bidder Capacity and Experience, namely: “The bidder must demonstrate a proven track record of successfully completing at least two contracts related to ISO/IEC 27001 or ISO/IEC 27701 in the last five (5) years” (consortium as a whole should meet this requirement)?
A3: Bidder should provide reference letters from contracting authorities or a reference list containing all relevant information necessary to prove that at least two contracts related to ISO/IEC 27001 or ISO/IEC 27701 in the last five (5) years have been successfully completed (consortium as a whole should meet this requirement). Examples of such contracts are: integration of ISO 27001/27701 controls into software solutions, a SIEM implementation project that included ISO 27001 control mapping or GDPR-aligned log retention policies, gap analyses tied to the standards, and certification support.
Q4: How can the specification require compliance with a version of a standard that is not the latest valid version? Specifically, ISO/IEC 27035:2023 is mentioned, while the most recent valid version of the standard is, as of now, 2024. Could you please clarify which exact part and version of the ISO/IEC 27035 standard is being referred to?
A4: The RFQ explicitly references ISO/IEC 27035:2023 (not 2024) because:
1. Intentional Scope: The 2023 edition (Parts 1–2) fully covers the RFQ’s requirements for internal SOC workflows (incident process/preparation). Part 4 (2024) focuses on external coordination, which is not a core requirement for this procurement.
2. Clarity: The RFQ avoids ambiguity by citing a single, complete version (2023). Bidders can optionally exceed requirements with Part 4.
Q5: Furthermore, the documentation refers to ISO/IEC 31000:2018. Please note that ISO 31000 is not an "ISO/IEC" standard but rather an ISO-only standard (ISO 31000:2018), and it is not certifiable. Could you please clarify the intention behind referencing this standard and the expected form of compliance?
A5: Reference to ISO 31000:2018 (Non-Certifiable Standard)
• Intent: ISO 31000 is cited to emphasize risk management principles (e.g., risk assessment methodologies) for SOC performance monitoring.
• Expected Compliance: Demonstrate adherence to its guidelines (e.g., risk-driven KPIs, threat prioritization), not certification.
Q6: What is meant by the reference to the standard ISO/IEC 27001:22 in the tender specification? We assume this refers to ISO/IEC 27001:2022, but we kindly ask for confirmation to avoid any misinterpretation.
A6: Confirmation: This refers to ISO/IEC 27001:2022 (typo in the document). All references should align with the 2022 version.
Q7: Additionally, the tender documentation refers to compliance with ISO/IEC 27002. Please note that ISO/IEC 27002 is not a certifiable standard, nor is it implemented on its own. Rather, it provides guidelines and best practices for implementing the controls listed in Annex A of ISO/IEC 27001. Could you please clarify what is meant by “compliance” with ISO/IEC 27002 in this context?
A7: Bidders can describe ISO 27001 control sets applied or integrated into IT solutions in reference letters or lists for specific clients.
Edited on:
10-Jul-2025 14:59
Edited by:
webservice@unops.org
New amendment added #2: - Extension of the deadline for submission of offers until 12.00 CEST on Tuesday, 15 July 2025
Edited on:
07-Jul-2025 17:48
Edited by:
webservice@unops.org
New amendment added #1:
- Revision of the tender criteria: Must have successfully completed at least two (2) large-scale cybersecurity projects (Projects with a value of over €100,000) in the past 5 years. These projects should also include SIEM solution implementation. (The consortium as a whole should meet this requirement)
- Revision of the RFQ Section II Schedule of Requirements
- Extension of the deadline for submission until 12.00 CEST on Tuesday, 08 July 2025
Edited on:
30-Jun-2025 14:28
Edited by:
webservice@unops.org
New clarification added:
Q1: Would UNOPS please consider lowering the threshold for the following requirement: Must have successfully completed at least two (2) large-scale cybersecurity projects (Projects with value over €100,000) in the past 5 years? Even within a consortium, this requirement is difficult to demonstrate in a region where there have not been too many large cyber projects performed. Furthermore, lowering the threshold to 50,000 EUR, for example, would enable a more competitive environment from qualified vendors that can bring unique past experience to the Ministry of Justice.
A1: UNOPS will revise the criteria as per your suggestion. With the change of the tender criteria, the tender submission deadline will be extended for an additional 7 days.
Edited on:
30-Jun-2025 12:10
Edited by:
webservice@unops.org
New clarification added:
Q1: What DLP has been deployed?
A1: A Symantec DLP solution has been implemented. The system includes policies for protecting sensitive data in transit and at rest, with coverage over email, web traffic and endpoints.
Q2: What MFA is currently installed and in use?
A2: We do not have our own solution, we use basic authentication via AD managed by the MPA, and additionally, Google Authenticator is used as a two-factor authentication method.
Q3: How many external threat intelligence feeds is the customer willing to integrate?
A3: The contractor, based on its expertise, is expected to conduct a needs analysis and propose the optimal number and type of sources for threat intelligence analysis, in accordance with the specific requirements and environment of the MoJ.
Q4: When is the customer willing to start?
A4: The latest deadline for the start of the intervention is mid-August 2025.
Q5: How many comprehensive playbooks for SOC activities is the customer willing to create? Does the customer have a SOAR to create those playbooks?
A5: The contractor is expected to propose appropriate playbooks tailored to the needs of the MFA, in line with its previous experience and best practices. There is currently no SOAR system implemented.
Q6: The implementation timeline is 3 months within X number of months or is 3 consecutive months?
A6: The project that is funding this activity is closing on 15 November 2025, which means that this intervention must be completed by the beginning of November 2025.
Q7: Can the work be done fully remotely? Or does it require local presence for a specific period of time?
A7: It cannot be done completely. Physical presence at the Ministry of Justice is required.
Q8: May you please provide the list of expected deliverables?
A8: The list of expected deliverables is defined per each phase in the chapter 4.b General Specification of Services per phases.
Edited on:
27-Jun-2025 08:12
Edited by:
webservice@unops.org
New clarification added:
Q1: Please advise if a detailed technical response is required within the 'Technical Quotation Form' or is the primary evaluation criteria the CVs of resources and associated costs?
A1: As the requested services and methodology for achieving the goals of this intervention are provided in advance, the tender will be evaluated based on the tendering criteria, which predominantly refer to the proposed team and the bidder's capacity. However, the Technical quotation form should have the rationale for implementation, for the evaluation team to understand that the vendors offering the services understand the requirements and offer all requested services.
Edited on:
27-Jun-2025 08:06
Edited by:
webservice@unops.org
New clarification added:
Q1: A number of our bid team resources are on annual leave. Is an extension by approximately one working week possible, to ensure we can submit a more complete bid?
A1: UNOPS is evaluating the potential extension of the bid submission deadline due to the holiday season. In case the extension is granted, all interested vendors will be informed through the eSourcing platform.
Edited on:
27-Jun-2025 08:00
Edited by:
webservice@unops.org
New clarification added:
Q1: Can you please clarify if all requested services can be performed remotely?
A1: Not all requested services can be provided remotely, primarily for security reasons, in accordance with the specific requirements of the project and the service required from potential bidders. Additionally, the Ministry of Justice recently implemented the ISO 27001:2022 standard, whose requirements and recommendations are decisive in this regard.
Q2: Can you also advise if there is an estimated budget for this project?
A2: According to the UNOPS rules the estimated budget cannot be published.
Edited on:
27-Jun-2025 07:58
Edited by:
webservice@unops.org