REQUEST FOR EXPRESSIONS OF INTEREST
CONSULTING SERVICES - PREPARATION OF THE MOLDOVA E-GOVERNANCE AGENCY FOR THE ISO/IEC 27001:2022 COMPLIANCE CERTIFICATION AUDIT
REPUBLIC OF MOLDOVA
MICRO, SMALL AND MEDIUM-SIZED ENTERPRISES COMPETITIVENESS PROJECT
Sector: General industry and trade sector
IDA Credit No. 71740
IBRD Loan No. 94230
Project ID No. P177895
Reference No. MD-CEP-529198-CS-CQS
The Republic of Moldova has received financing from the World Bank toward the cost of the Micro, Small and Medium-Sized Enterprise Competitiveness Project (MSME) and intends to apply part of the proceeds for consulting services.
The consulting services (“the Services”) consist of an Integrated Internal Audit covering the Information Security (ISMS), Privacy Information (PIMS), and Trust Services (TSP) frameworks, aimed at assessing readiness for certification and regulatory compliance. The audit shall be conducted against the following reference standards in their latest valid version:
- ISO/IEC 27001:2022 (Information security management systems - Requirements).
- ISO/IEC 27701:2025 (Privacy information management systems - Requirements).
- ETSI EN 319 401:2025 (General Policy Requirements for Trust Service Providers).
The assignment will be performed in the period March – June 2026 and will require a level of effort of approximately 150 man-days. The level of effort shall be determined by the Consultant in strict compliance with the mandatory duration requirements of the applicable standards for management systems and trust services. The technical proposal must explicitly justify the audit days allocated to ensure full coverage of the integrated scope (ISO 27001, ISO 27701 and ETSI EN 319 401).
The Terms of Reference (TOR) for the assignment are attached to this request for expressions of interest.
The Project Implementation Unit of the MSME Competitiveness Project now invites eligible consulting firms (“Consultants”) to indicate their interest in providing the Services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services (required qualifications and experience of the firm, but not individual experts’ bio data).
This assignment will require a Consultant, which can be a consulting firm or a consortium of such consulting firms, with experience in the field of implementation of the quality management systems according to ISO standards, including:
Requirements for the consulting firm
- Eligibility - Legal entity, legally authorized to provide information security consultancy and audit services.
- General Experience: At least 3 years of experience in providing consulting and audit services in the field of information security governance. Previous experience with implementation of similar projects for public sector entities, critical infrastructure operators, and/or Trust Service Providers (TSP) will be considered an advantage.
- Specific Experience: The Consultant shall present a portfolio of at least 3 similar internal audit projects (ISO 27001) of comparable complexity (critical IT infrastructures, sensitive data management) carried out during the last 3 years for public sector entities or organizations.
- Independence (Conflict of Interest): To ensure objectivity, the Bidder must confirm that it has not provided conflicting services to MEGA (specifically, operational management of IT systems, direct implementation of ISMS controls, or other assignments that would result in reviewing their own work) within the last 24 months prior to this assignment.
Qualification of Key Experts
Key experts represent specific knowledge and/or expertise required for the successful project implementation. Although the Consultant Firm will form the project implementation team at its discretion, the Consultant Firm shall provide at least the following key experts:
- Key expert 1: Project manager/Team Leader.
- Key expert 2: ISMS Audit Lead (Focus on ISO 27001 & 27701).
- Key expert 3: Technical Expert / Trust Services Auditor (Focus on ETSI).
For proposed key experts, the CVs need to be submitted, demonstrating the minimum qualifications requirements, as detailed below. Reallocation of competences among key experts and/or splitting of key expert competences is only allowed upon receipt of prior consent of the client.
Minimum qualifications requirements for the key experts
Key expert 1. Project manager/Team Lead
- Overall management of the project, quality assurance of deliverables, and primary liaison with MEGA management.
- Providing guidance and coordinating team members to ensure integrated delivery across all three pillars (Security, Privacy, Trust Services).
- Qualification requirements:
  - Bachelor’s Degree in IT, Management, Engineering, or related fields.
  - Valid professional certification in Information Security Management or Audit (e.g., CISM, CISSP, CISA, CRISC, Lead Auditor ISO/IEC 27001, or equivalent).
  - Minimum 5 years of experience in information security consulting/auditing.
  - Proven experience in leading at least 3 projects of similar complexity (involving ISMS implementation or audit for public sector or critical infrastructure).
  - Fluent oral and written Romanian language skills.
Key expert 2. ISMS Audit Lead (Focus on ISO 27001 & 27701)
- Execution of the internal audit and gap analysis against ISO 27001.
- Conducting the Privacy Compliance Audit (ISO 27701) and legal role assessment.
- Qualification requirements:
  - Bachelor’s degree in computer science, IT, Telecommunications, or related fields.
  - Valid Lead Auditor ISO/IEC 27001 certificate issued by an accredited body.
  - Minimum 5 years of professional experience in auditing management systems.
  - Proven experience in auditing ISMS based on ISO/IEC 27001 (evidence: list of projects or specific role description).
  - Proven experience in auditing Privacy Information Management Systems (PIMS) based on ISO/IEC 27701 or GDPR compliance assessments. Professional certification in Privacy constitutes a distinct advantage (e.g., CIPM, Certified Lead Privacy Auditor or equivalent).
  - Working knowledge of English and proficiency in Romanian (written and spoken).
Key expert 3: Technical Expert / Trust Services Auditor (Focus on ETSI)
- Conducting the specific compliance assessment for Trust Services products/solutions against ETSI EN 319 401 and technical controls.
- Qualification requirements:
  - Bachelor’s Degree in IT, Engineering, or related fields.
  - Relevant certification covering technical security audits (e.g., CISA, CISSP, CRISC or equivalent).
  - Minimum 3 years of experience in IT security audits with a specific focus on PKI (Public Key Infrastructure), digital signatures, or eIDAS/ETSI compliance.
  - Proven experience in auditing or consulting for Qualified Trust Service Providers (QTSP) under eIDAS Regulation (EU) or equivalent national legislation.
  - Working knowledge of English and proficiency in Romanian (written and spoken).
The attention of interested Consultants is drawn to Section III, paragraphs 3.14, 3.16, and 3.17 of the World Bank’s “Procurement Regulations for IPF Borrowers” November 2020 (“Procurement Regulations”), setting forth the World Bank’s policy on conflict of interest.
A Consultant will be selected in accordance with the “Consultant’s Qualification-based Selection” method set out in the Procurement Regulations.
Consultants may associate with other firms to enhance their qualifications, but should indicate clearly whether the association is in the form of a joint venture and/or a sub-consultancy. In the case of a joint venture, all the partners in the joint venture shall be jointly and severally liable for the entire contract, if selected.
The Expression of Interest shall clearly state the name of the Consultant (individual Firm, Joint Venture or sub-consultancy). The Consultant shall provide relevant references (assignment name, Client, time frame, the role of the firm (main Consultant/Partner in JV/sub-consultant), contract amount, tasks performed, etc.) to confirm its experience and qualifications.
Further information can be obtained at the address below during office hours.
Expressions of interest must be delivered in a written form to the address below (in person, or by mail, or by e-mail) by February 20, 2026, COBD, indicating the assignment title in the subject line.
Project Implementation Unit of the MSME Competitiveness Project
180, Stefan cel Mare Ave., office 815, MD-2004, Chisinau, Republic of Moldova
Tel: +373 22 296-723
e-mail: piu@mded.gov.md with cc: procurementmgf@gmail.com, partnerships@egov.md
web: https://uipac.md/
Terms of Reference: https://www.tenderhub.md/ro/tender/1738
egov.md