
Project Terms of Reference

Implementing Information Security Management Systems in the Ministry of Finance

Table of Contents

1. Background and needs
2. ISMS benefits
3. Project Objectives
3.1. Objectives of the consulting services (A)
3.2. Objectives of the training services (B)
3.3. Scope of consulting services (A)
3.4. Scope of training services (B)
4. Implementation arrangements
4.1. Schedule for consulting services (A)
4.2. Schedule for training services (B)
5. Deliverables and reporting
6. Budget

1. Background and needs
The Ministry of Finance has an important role in the Government of the Republic of Kosovo and
is responsible for the planning and execution of the Kosovo budget at both central and local levels.
The Ministry of Finance has gradually developed and implemented various computer systems and has
become a service-based organization that provides services to central and local government
organizations. The main IT systems of the Ministry of Finance are: Kosovo Finance Information Management
System (KFIMS), Budget Development and Management System (BDMS), Public Investment Program
System (PIP), Property Tax System, and Data Warehouse and Reporting System. In addition, the Ministry of
Finance operates IT infrastructure services that support the functions of all departments. These
include: the MF Data Center, Active Directory and supporting services, the virtual infrastructure, and the
Local Area Network. Data and IT systems have therefore become an important asset of the Ministry of
Finance, and as part of its strategy and commitment the Ministry is planning to increase the information
security of all IT services and of the organization as a whole.
Being a service-based organization, and specifically through its Department for Management of
Information Technology Systems, the Ministry of Finance is part of a highly competitive, dynamically
changing environment that relies on strict conformity to information security standards. In order to
meet ongoing challenges and compliance requirements, the Ministry of Finance needs to improve the way it
operates by improving its information management system, which is crucial to running more
efficiently and winning the trust of its stakeholders.
Currently, the Ministry of Finance lacks documented information security objectives, clear
responsibilities between units and projects, standard operating procedures, an information management
system, a risk management system, and operational controls for the secure exchange of information.
In order to overcome the above issues, the management of the Ministry of Finance deems it necessary to
implement an Information Security Management System (ISMS) that is compliant with government
laws and regulations and based on the ISO/IEC 27001:2013 standard.
In this regard, the Ministry of Finance wants to hire a qualified professional consultant to
implement the Information Security Management System and to provide ISO 27001 audit training to
the staff of the Ministry of Finance.

2. ISMS benefits
The main benefits of implementing an ISMS are: information security risk reduction, standardization,
and a structured approach.
The Ministry of Finance will benefit from implementing an ISMS by bringing information security
under management control, allowing direction and improvements where needed. Better information security
will reduce the risk (probability of occurrence and adverse impact) of incidents, cutting incident-related
losses and costs. In addition, an ISMS provides a structured, coherent and professional approach to the
management of information security, aligned with government laws and regulations and ISO standards.
Furthermore, comprehensive information risk assessment and treatment according to organizational and
security priorities focuses information security investment where it brings the greatest advantage.

3. Project Objectives
The two main project objectives are:

3.1. Objectives of the consulting services (A)

The overall objectives of the proposed project are to improve the organization's efficiency, information
security and reputation, and ultimately its performance, through a management system introduced in
accordance with the ISMS standard ISO/IEC 27001. The specific objectives include:
- Demonstrate the ability to provide high-quality services to its clientele;
- Improve management processes and efficiency;
- Ensure protection of CIA (Confidentiality, Integrity and Availability) of all client and company
information processed in-house;
- Prevent any breach of company data or client data, and ensure the security of all
information traffic within applications developed by the company and used by clients;
- Increase reputation with existing and potential clients;
- Further improve penetration of foreign markets; and
- Increase competitiveness.

3.2. Objectives of the training services (B)

Organize an intensive ISMS ISO/IEC 27001:2013 Lead Auditor training with a subsequent examination that
leads to the candidates' international certification.

This five-day intensive training, "ISMS Lead Auditor", will contribute to the capacity building of
the participants and will enable them to develop the necessary expertise to audit an Information Security
Management System (ISMS) and to manage a team of auditors by applying widely recognized audit
principles, procedures and techniques. During this training, the participants will acquire the necessary
knowledge and skills to proficiently plan and perform internal and external audits in compliance with ISO
19011 and the certification process according to ISO 17021. Based on practical exercises, the participants will
develop the skills (mastering audit techniques) and competencies (managing audit teams and the audit program,
communicating with customers, conflict resolution, etc.) necessary to efficiently conduct an audit and
inspect the ISMS as Ministry of Finance personnel.
3.3. Scope of consulting services (A)

The consultant will start the project by analyzing the company's activities and its existing organization
and procedures, on the basis of which a gap analysis will be developed. Next, the consultant will train the appointed
ISMS team with regard to quality and information security management standards. In the second phase,
the consultant will develop the integrated management system manual, the objectives and policies for the ISMS,
and procedures such as: control of documented information; internal audit; control of nonconforming
services; corrective action; organization charts; process maps; organizational context; process flows and
internal communication. This continues with the development of work instructions, the risk treatment plan,
the implementation of applicable security controls, and the management of ISMS resources. In the final stage, the
consultant will test the developed ISMS, train the internal
audit team and conduct an internal audit together with them, after which any nonconformities found will be eliminated. The
consultant will also assist the company during the external certification audit. The project will be implemented
through the following phases:

Phase 1: Gap analysis and training

1.1 Assess the company's services, clients and projects;
1.2 Gap analysis and analysis of existing procedures;
1.3 Risk assessment and preparation of the Statement of Applicability; and
1.4 Train the appointed quality team and identify project responsibilities for the Quality & ISMS
Manager.

Phase 2: Documentation of the system

2.1 Development of the integrated management system manual, objectives and policies for the QMS and
ISMS;
2.2 Development of documented procedures: control of documents; control of records; internal
audit; control of nonconforming services; corrective action; organization charts; process maps;
Statement of Applicability; process flows and internal communications;
2.3 Design and development of work instructions;
2.4 Implementing the risk assessment and treatment plan;
2.5 Implementing applicable security controls;
2.6 Management of ISMS resources; and
2.7 Implementation of procedures for detecting and managing security incidents.

Phase 3: Implementation and system certification

3.1 Implementation of the documented QMS and ISMS;
3.2 Training of the appointed internal auditors;
3.3 Internal audit (review and verification of the established system) and documentation of audit
findings;
3.4 Preparation of management review reports to ensure that the QMS and ISMS are functioning and
to identify opportunities for correction;
3.5 Keeping records of activities and incidents that may affect the effectiveness of the ISMS;
3.6 Elimination of any nonconformities found during the internal audit; and
3.7 Assistance during the external certification audit.

3.4. Scope of training services (B)

The "Certified ISO/IEC 27001 Lead Auditor" exam fully meets the requirements of the
PECB Examination and Certification Program (ECP). The exam covers the following competence
domains:
- Domain 1: Fundamental principles and concepts of information security
- Domain 2: Information Security Management System (ISMS)
- Domain 3: Fundamental audit concepts and principles
- Domain 4: Preparation of an ISO 27001 audit
- Domain 5: Conducting an ISO 27001 audit
- Domain 6: Closing an ISO 27001 audit
- Domain 7: Managing an ISO 27001 audit program

4. Implementation arrangements
The project will be carried out according to the implementation schedule below. The beneficiary is
responsible for providing the necessary and relevant information, appointing the quality team and providing
equipment for the effective implementation of the project. All training and presentation sessions will be
held online, while testing of the functionality of the implemented systems will be done at the beneficiary's premises.
The beneficiary should participate actively in the project. The company management will be informed
of the project progress through monthly progress reports prepared and submitted by the consultant.

4.1. Schedule for consulting services (A)

The project will start on 01 November 2020 and is envisaged to be completed by 01 April 2020.
The individual project phases will be implemented as shown in the table below:

4.2. Schedule for training services (B)

The training will be organized over 5 intensive days, and the exam will take place on the final day.

5. Deliverables and reporting

The consultant shall submit to the beneficiary the following developed products: (A)

- Training materials;
- Manual, policies and objectives for ISO/IEC 27001:2013;
- List of developed manuals, procedures, instructions, plans, other documents and forms;
- Risk Assessment report;
- Statement of Applicability;
- Report of the Internal Audit for ISO/IEC 27001:2013;
- Management Review Report;
- Final report, with advice on maintenance of the established ISMS (Information Security
Management System) based on the ISO/IEC 27001:2013 requirements.

The training provider shall submit to the beneficiary the following: (B)

A training report on each candidate and an individual progress report according to the exam results.

6. Budget
Consulting Services (A):
DIRECT COSTS
30 consultant days @ EUR 200 per day: EUR 6,000.00

Training Services (B):

Price per candidate: 1,000.00 EUR (the price includes: accredited training, accredited training materials,
essay-type exam, food and drinks, and a 3-year internationally accredited certification).

For 8 persons, the price will be 8,000.00 EUR.
