REQUEST FOR PROPOSALS
Date: September 28th, 2025
Ref. No: CBS/RFP/005/2025
Terms of Reference (TOR) for ISO 27001:2022 Certification Services
1. Background
The Central Bank of Somalia (CBS) has completed its preparation for ISO 27001:2022 implementation, including establishing an Information Security Management System (ISMS), conducting internal audits, and addressing identified nonconformities. CBS now seeks the services of an internationally accredited certification body to perform an independent certification audit of its ISMS, with the aim of achieving ISO 27001:2022 certification.
2. Objective
The objective of this assignment is to engage a reputable and accredited certification body to conduct Stage 1 and Stage 2 audits for ISO 27001:2022, provide certification upon successful completion, and perform subsequent surveillance audits as required under the accreditation scheme.
3. Scope of Work
The selected certification body will be expected to:
• Review CBS’s ISMS documentation, policies, procedures, and records.
• Conduct Stage 1 (readiness review) to evaluate ISMS preparedness.
• Conduct Stage 2 (certification audit) to assess conformity with ISO 27001:2022 requirements.
• Issue ISO 27001:2022 certification upon successful completion.
• Conduct periodic surveillance audits during the three-year certification cycle.
• Conduct a recertification audit at the end of the cycle.
• Provide formal audit reports detailing findings, nonconformities, and recommendations.
The ISMS scope covers CBS’s critical operations, including IT infrastructure, data centers, payment systems, ERP, and supporting business processes.
4. Deliverables
The certification body will be required to provide:
• Detailed audit plan for Stage 1 and Stage 2.
• Stage 1 audit report (readiness review).
• Stage 2 audit report, with details of compliance and any nonconformities.
• ISO 27001:2022 certificate (upon successful completion).
• Surveillance audit reports (annually for the duration of the certificate).
5. Qualification Requirements
Interested certification bodies must:
- Accreditations
• The firm must hold five (5) or more accreditations from internationally recognized accreditation bodies (e.g., UKAS, ANAB, DAkkS, JAS-ANZ, SANAS, NABCB, or equivalent).
- Experience of the Firm
• The firm must demonstrate over twenty (20) years of existence as a certification body, with a proven track record of ISO/IEC 27001 certification services.
• The firm must demonstrate over twenty (20) years of operational and project experience within the African market, with evidence of locally conducted audits.
- Sector-Specific Experience
• The firm must have successfully certified at least one (1) Central Bank in Africa under ISO/IEC 27001.
• The firm must have conducted ISO/IEC 27001 certifications for at least five (5) financial institutions in Africa (commercial banks, development banks, or equivalent).
- Proof of Compliance
• Bidders must provide valid documentation of accreditation(s), references, and evidence of past projects, including contact details of the institutions certified, to enable verification by CBS.
Interested firms must submit proposals that include:
Proposals will be evaluated against the following criteria:
Proposals should be submitted electronically to: cbs.tender@centralbank.gov.so