Date of Publication 16 Mar 2026
Title PREPARATION OF THE MOLDOVA E-GOVERNANCE AGENCY FOR THE ISO/IEC 27001:2022 COMPLIANCE CERTIFICATION AUDIT
Category Services
Deadline 30 Mar 2026
Source UIPAC

REQUEST FOR EXPRESSIONS OF INTEREST

CONSULTING SERVICES - PREPARATION OF THE MOLDOVA E-GOVERNANCE AGENCY FOR THE ISO/IEC 27001:2022 COMPLIANCE CERTIFICATION AUDIT

REPUBLIC OF MOLDOVA
MICRO, SMALL AND MEDIUM-SIZED ENTERPRISES COMPETITIVENESS PROJECT
Sector: General industry and trade sector
IDA Credit No. 71740
IBRD Loan No. 94230
Project ID No. P177895
Reference No. MD-CEP-529198-CS-CQS

The Republic of Moldova has received financing from the World Bank toward the cost of the Micro, Small and Medium-Sized Enterprise Competitiveness Project (MSME) and intends to apply part of the proceeds for consulting services.

The consulting services (“the Services”) consist of an Integrated Internal Audit service covering the Information Security (ISMS), Privacy Information (PIMS), and Trust Services (TSP) frameworks, aimed at assessing readiness for certification and regulatory compliance. The audit shall be conducted against the following reference standards in their latest valid version:

  • ISO/IEC 27001:2022 (Information security management systems - Requirements).
  • ISO/IEC 27701:2025 (Privacy information management systems - Requirements).
  • ETSI EN 319 401:2025 (General Policy Requirements for Trust Service Providers).

The assignment will be performed in the period April – June 2026 and will require a level of effort of approximately 150 man-days. The level of effort shall be determined by the Consultant in strict compliance with the mandatory duration requirements of the applicable standards for management systems and trust services. The technical proposal must explicitly justify the audit days allocated to ensure full coverage of the integrated scope (ISO 27001, ISO 27701 and ETSI EN 319 401). The Terms of Reference (TOR) for the assignment is attached to this request for expressions of interest.

The Project Implementation Unit of the MSME Competitiveness Project now invites eligible consulting firms (“Consultants”) to indicate their interest in providing the Services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services (required qualifications and experience of the firm, but not individual experts’ bio data).

This assignment will require a Consultant, which can be a consulting firm or a consortium of such consulting firms, with experience in the implementation of quality management systems according to ISO standards, including:

Requirements for the consulting firm

  • Eligibility: Legal entity, legally authorized to provide information security consultancy and audit services.
  • General Experience: At least 3 years of experience in providing consulting and audit services in the field of information security governance. Previous experience with implementation of similar projects for public sector entities, critical infrastructure operators, and/or Trust Service Providers (TSP) will be considered an advantage.
  • Specific Experience: The Consultant shall present a portfolio of at least 3 similar internal audit projects (ISO 27001) of comparable complexity (critical IT infrastructures, sensitive data management) carried out during the last 3 years for public sector entities or organizations.
  • Independence (Conflict of Interest): To ensure objectivity, the Bidder must confirm that it has not provided conflicting services to MEGA (specifically, operational management of IT systems, direct implementation of ISMS controls, or other assignments that would result in reviewing its own work) within the 24 months prior to this assignment.

Qualification of Key Experts

Key experts represent specific knowledge and/or expertise required for the successful project implementation. Although the Consultant Firm will form the project implementation team at its discretion, the Consultant Firm shall provide at least the following key experts:

  • Key expert 1: Project manager/Team Leader.
  • Key expert 2: ISMS Audit Lead (Focus on ISO 27001 & 27701).
  • Key expert 3: Technical Expert / Trust Services Auditor (Focus on ETSI).

For the proposed key experts, CVs need to be submitted demonstrating the minimum qualification requirements detailed below. Reallocation of competences among key experts and/or splitting of key expert competences is only allowed upon prior consent of the client. The minimum qualification requirements for the key experts are:

Key expert 1. Project manager/Team Lead

Roles and Responsibilities:
  • Overall management of the project, quality assurance of deliverables, and primary liaison with MEGA management.
  • Providing guidance and coordinating team members to ensure integrated delivery across all three pillars (Security, Privacy, Trust Services).

Qualification requirements:
  • Bachelor’s Degree in IT, Management, Engineering, or related fields.
  • Valid professional certification in Information Security Management or Audit (e.g., CISM, CISSP, CISA, CRISC, Lead Auditor ISO/IEC 27001, or equivalent).
  • Minimum 5 years of experience in information security consulting/auditing.
  • Proven experience in leading at least 3 projects of similar complexity (involving ISMS implementation or audit for public sector or critical infrastructure).
  • Fluent oral and written Romanian language skills.

Key expert 2. ISMS Audit Lead (Focus on ISO 27001 & 27701)

Roles and Responsibilities:
  • Execution of the internal audit and gap analysis against ISO 27001.
  • Conducting the Privacy Compliance Audit (ISO 27701) and legal role assessment.

Qualification requirements:
  • Bachelor’s degree in Computer Science, IT, Telecommunications, or related fields.
  • Valid Lead Auditor ISO/IEC 27001 certificate issued by an accredited body.
  • Minimum 5 years of professional experience in auditing management systems.
  • Proven experience in auditing ISMS based on ISO/IEC 27001 (evidence: list of projects or specific role description).
  • Proven experience in auditing Privacy Information Management Systems (PIMS) based on ISO/IEC 27701 or GDPR compliance assessments. Professional certification in Privacy constitutes a distinct advantage (e.g., CIPM, Certified Lead Privacy Auditor or equivalent).
  • Working knowledge of English and proficiency in Romanian (written and spoken).

Key expert 3: Technical Expert / Trust Services Auditor (Focus on ETSI)

Roles and Responsibilities:
  • Conducting the specific compliance assessment for Trust Services products/solutions against ETSI EN 319 401 and technical controls.

Qualification requirements:
  • Bachelor’s Degree in IT, Engineering, or related fields.
  • Relevant certification covering technical security audits (e.g., CISA, CISSP, CRISC or equivalent).
  • Minimum 3 years of experience in IT security audits with a specific focus on PKI (Public Key Infrastructure), digital signatures, or eIDAS/ETSI compliance.
  • Proven experience in auditing or consulting for Qualified Trust Service Providers (QTSP) under the eIDAS Regulation (EU) or equivalent national legislation.
  • Working knowledge of English and proficiency in Romanian (written and spoken).

The attention of interested Consultants is drawn to Section III, paragraphs 3.14, 3.16, and 3.17 of the World Bank’s “Procurement Regulations for IPF Borrowers”, November 2020 (“Procurement Regulations”), setting forth the World Bank’s policy on conflict of interest. A Consultant will be selected in accordance with the “Consultant’s Qualification-based Selection” method set out in the Procurement Regulations.

Consultants may associate with other firms to enhance their qualifications; but should indicate clearly whether the association is in the form of a joint venture and/or a sub-consultancy. In the case of a joint venture, all the partners in the joint venture shall be jointly and severally liable for the entire contract, if selected.

The Expression of Interest shall clearly state the name of the Consultant (individual firm, joint venture or sub-consultancy). The Consultant shall provide relevant references (assignment name, client, time frame, role of the firm (main Consultant / partner in JV / sub-consultant), contract amount, tasks performed, etc.) to confirm its experience and qualifications.

Further information can be obtained at the address below during office hours.

Expressions of interest must be delivered in written form to the address below (in person, by mail, or by e-mail) by March 30, 2026, COBD, indicating the assignment title in the subject line.

Project Implementation Unit of the MSME Competitiveness Project
180, Stefan cel Mare Ave., office 815, MD-2004, Chisinau, Republic of Moldova
Tel: +373 22 296-723
e-mail: piu@mded.gov.md with cc: procurementmgf@gmail.com, partnerships@egov.md
web: https://uipac.md/

Terms of Reference Preparation of the Moldova e-Governance Agency for the ISO/IEC 27001:2022 compliance certification audit

A. Background

The Government of the Republic of Moldova (GoM) is pursuing a policy agenda to support export-led economic growth. In this regard, an improved business environment is essential to foster sustainable private sector growth. Significant regulatory and institutional weaknesses in the business environment have been identified by the recently conducted Investment Climate Assessment as major obstacles to the private sector’s ability to perform efficiently and grow, and they also negatively affect investor confidence. The presence of cumbersome regulations undermines the competitiveness of private Moldovan enterprises and prevents increased investment by increasing the cost of doing business, ultimately providing fertile ground for corruption, favoritism, and the informal economy.

The MSME project development objectives (PDO) are: (i) to reduce the regulatory burden, increase access to finance, and increase the export competitiveness of Moldovan enterprises, and (ii) in case of an Eligible Crisis or Emergency, to respond promptly and effectively to it. The PDO will be achieved through a set of activities that aim to: (a) digitize government-to-business services and inspections, streamline permissive documents, and enhance national quality infrastructure to reduce the regulatory burden enterprises face; (b) support access to finance for enterprises through credit guarantees and enhance the capacity of CGF; (c) support the development of MSMEs and enhance their export competitiveness; (d) support project management; and (e) support the government's response in case of an emergency.

B. Background of the assignment

Implementation of the Government’s digitalization agenda relies on the Moldova e-Governance Agency (MEGA), which is responsible for the modernization of public services. Following the enactment of Law no. 48/2023 on cybersecurity and Government Decision no. 562/2025, MEGA is designated as a service provider in critical sectors. Consequently, the institution is legally obliged to implement robust security measures proportional to the identified risks. Additionally, as a processor of sensitive citizen data, MEGA must ensure strict compliance with Law no. 133/2011 on personal data protection. MEGA currently operates an Information Security Management System (ISMS) and aims to fully align it with international standards to guarantee the confidentiality, integrity, and availability of data, as well as to prepare for formal accredited certification.

C. Objectives of the Assignment

The primary objective of this assignment is to rigorously prepare MEGA for the ISO/IEC 27001:2022 certification audit, assess alignment with ISO/IEC 27701:2025 (Privacy Information Management), and confirm compliance with ETSI EN 319 401 (Trust Service Providers). To meet these objectives, a comprehensive internal audit (gap analysis and compliance audit) shall be performed to identify all non-conformities against the reference standards and national legislation. Based on the audit findings, the Consultant shall provide recommendations for improvement and facilitate knowledge transfer sessions that enable MEGA’s internal team to understand the root causes and independently plan the necessary remediation actions.

D. Scope of Work

The scope of work consists of an Integrated Internal Audit service covering the Information Security (ISMS), Privacy Information (PIMS), and Trust Services (TSP) frameworks, aimed at assessing readiness for certification and regulatory compliance. The audit shall be conducted against the following reference standards in their latest valid version:

  • ISO/IEC 27001:2022 (Information security management systems - Requirements).
  • ISO/IEC 27701:2025 (Privacy information management systems - Requirements).
  • ETSI EN 319 401:2025 (General Policy Requirements for Trust Service Providers).

Specific activities include:

a) General ISMS Activities (ISO/IEC 27001:2022):

  • Documentation Review: Detailed analysis of existing policies, procedures, and records to ensure alignment with the standards.
  • Full Internal Audit: Execution of a comprehensive internal audit covering all controls listed in Annex A of ISO 27001 and relevant national legal requirements (Law 48/2023, GD 562/2025).
  • Knowledge Transfer & Workshop: Facilitation of targeted workshops (covering ISMS, Privacy, and ETSI) focused on interpreting audit findings and root cause analysis, empowering the internal team (process owners) to independently design effective corrective actions and ensure ISMS sustainability.

b) Specific Activities for Privacy Information Management (ISO/IEC 27701:2025):

  • Privacy Compliance Audit: Assess MEGA’s PII processing activities, legal roles (Controller/Processor), and technical controls (Privacy by Design) to validate alignment with ISO/IEC 27701:2025 and Law No. 133/2011. Deliver a Privacy Assessment Report detailing current conformity levels, including a specific Strategic Gap Analysis to prepare MEGA for the requirements of the upcoming Law No. 195/2024 (effective from 23 August 2026).

c) Specific Activities for Trust Service Providers (ETSI EN 319 401):

  • Trust Services Compliance Audit: Evaluate MEGA's Trust Service Practice Statement (TSPS), policies, and specific risk management methodology to validate alignment with ETSI EN 319 401 requirements. Deliver a detailed Readiness Assessment Report identifying gaps in Trust Service operations and providing specific recommendations to comply with ETSI standards.

E. Deliverables

During the implementation of the assignment, the Consultant is expected to develop and submit the following deliverables within the proposed delivery terms:

D1. Internal Audit Plan & Methodology
  • Description: A detailed document outlining the audit scope, criteria, specific methodology for each standard (ISO 27001, ISO 27701, ETSI EN 319 401), audit schedule, and resource requirements.
  • Language: Romanian
  • Delivery term: Week 2 from contract signing

D2. Internal Audit Report (ISO 27001:2022)
  • Description: A comprehensive report identifying major and minor non-conformities against ISO 27001:2022 requirements.
  • Language: Romanian & English
  • Delivery term: Week 6 from contract signing

D3. Privacy Assessment Report (ISO 27701:2025)
  • Description: A comprehensive report detailing conformity levels against ISO/IEC 27701:2025 and Law No. 133/2011. It must include a distinct Strategic Gap Analysis section assessing readiness for the upcoming Law No. 195/2024.
  • Language: Romanian & English
  • Delivery term: Week 8 from contract signing

D4. ETSI Readiness Report (EN 319 401)
  • Description: A dedicated compliance report assessing Trust Service Provider requirements, specifically focusing on Trust Service Practice Statements (TSPS), TSP-specific risk assessments, and termination plans.
  • Language: Romanian & English
  • Delivery term: Week 8 from contract signing

D5. Practical Remediation Workshop
  • Description: At least 3 targeted workshops (one for each pillar: ISMS, Privacy, ETSI) for the internal team (process owners), using the actual non-conformities found during the audit as case studies to demonstrate the methodology for designing and implementing effective corrective actions.
  • Language: Romanian
  • Delivery term: Week 10 from contract signing

D6. Final Audit Mission File
  • Description: A complete electronic archive containing all working papers, evidence collected, interview notes, and final versions of all reports.
  • Language: Original language of the evidence
  • Delivery term: Week 12 from contract signing

All deliverables must be submitted in electronic format (editable MS Word/Excel and PDF). Final reports (Internal Audit Report, Privacy Assessment, ETSI Readiness) shall be provided in bilingual format (Romanian and English) to facilitate future international certification audits. Other operational documents and training materials shall be provided in Romanian.

D. Reporting Obligations

The Consultant Firm will primarily report to the Information Security Service of MEGA and ultimately to the Director of MEGA. The final reports will be approved and signed by the Director of MEGA. Operationally, the Consultant’s experts shall collaborate directly with the designated Process Owners and Subject Matter Experts within the relevant Directorates (specifically the Information Security Service, the Products and Digital Experience Directorate and the Services and Products Development Directorate), as dictated by the technical scope of each deliverable. The Information Security Service will act as the main operational interface for the Audit Team, facilitating access to evidence, scheduling interviews, and accompanying auditors during on-site inspections.

All deliverables shall be technically validated by the respective operational leads to ensure factual accuracy. Following technical validation, the Director of MEGA will process the final administrative acceptance. The Internal Audit Service shall be formally provided with copies of the final audit reports and corrective action plans, to maintain the centralized record of audit engagements and to plan independent follow-up activities regarding the implementation of corrective actions.

E. Duration of the Assignment

The Internal Audit services must be delivered and completed by the end of Q2 2026. The level of effort shall be determined by the Consultant in strict compliance with the mandatory duration requirements of the applicable standards for management systems and trust services. The technical proposal must explicitly justify the audit days allocated to ensure full coverage of the integrated scope (ISO 27001, ISO 27701 and ETSI EN 319 401).

F. Institutional Arrangements

MEGA will ensure that the Consultant’s team members have access to all relevant internal regulations, policies, procedure drafts, records, and key stakeholders necessary for the assignment (including the IT, Legal, and HR departments). The implementation of the assignment requires in-country presence (Chisinau) for critical activities such as interviews, on-site physical security inspections, and workshops, to ensure smooth execution and effective communication. The Consultant is responsible for its own office equipment, software, and local transportation. MEGA may provide temporary workspace for the Consultant’s team during on-site missions.

G. Qualification Requirements

This assignment will require a Consulting Firm with experience in the implementation of quality management systems according to ISO standards.

Requirements for the consulting firm

  • Eligibility: Legal entity, legally authorized to provide information security consultancy and audit services.
  • General Experience: At least 3 years of experience in providing consulting and audit services in the field of information security governance. Previous experience with implementation of similar projects for public sector entities, critical infrastructure operators, and/or Trust Service Providers (TSP) will be considered an advantage.
  • Specific Experience: The Consultant shall present a portfolio of at least 3 similar internal audit projects (ISO 27001) of comparable complexity (critical IT infrastructures, sensitive data management) carried out during the last 3 years for public sector entities or organizations.
  • Independence (Conflict of Interest): To ensure objectivity, the Bidder must confirm that it has not provided conflicting services to MEGA (specifically, operational management of IT systems, direct implementation of ISMS controls, or other assignments that would result in reviewing its own work) within the 24 months prior to this assignment.

Qualification of Key Experts

Key experts represent specific knowledge and/or expertise required for the successful project implementation. Although the Consultant Firm will form the project implementation team at its discretion, the Consultant Firm shall provide at least the following key experts:

  • Key expert 1: Project manager/Team Leader.
  • Key expert 2: ISMS Audit Lead (Focus on ISO 27001 & 27701).
  • Key expert 3: Technical Expert / Trust Services Auditor (Focus on ETSI).

For the proposed key experts, CVs need to be submitted demonstrating the minimum qualification requirements detailed below. Reallocation of competences among key experts and/or splitting of key expert competences is only allowed upon prior consent of the client. The minimum qualification requirements for the key experts are:

Key expert 1. Project manager/Team Lead

Roles and Responsibilities:
  • Overall management of the project, quality assurance of deliverables, and primary liaison with MEGA management.
  • Providing guidance and coordinating team members to ensure integrated delivery across all three pillars (Security, Privacy, Trust Services).

Qualification requirements:
  • Bachelor’s Degree in IT, Management, Engineering, or related fields.
  • Valid professional certification in Information Security Management or Audit (e.g., CISM, CISSP, CISA, CRISC, Lead Auditor ISO/IEC 27001, or equivalent).
  • Minimum 5 years of experience in information security consulting/auditing.
  • Proven experience in leading at least 3 projects of similar complexity (involving ISMS implementation or audit for public sector or critical infrastructure).
  • Fluent oral and written Romanian language skills.

Key expert 2. ISMS Audit Lead (Focus on ISO 27001 & 27701)

Roles and Responsibilities:
  • Execution of the internal audit and gap analysis against ISO 27001.
  • Conducting the Privacy Compliance Audit (ISO 27701) and legal role assessment.

Qualification requirements:
  • Bachelor’s degree in Computer Science, IT, Telecommunications, or related fields.
  • Valid Lead Auditor ISO/IEC 27001 certificate issued by an accredited body.
  • Minimum 5 years of professional experience in auditing management systems.
  • Proven experience in auditing ISMS based on ISO/IEC 27001 (evidence: list of projects or specific role description).
  • Proven experience in auditing Privacy Information Management Systems (PIMS) based on ISO/IEC 27701 or GDPR compliance assessments. Professional certification in Privacy constitutes a distinct advantage (e.g., CIPM, Certified Lead Privacy Auditor or equivalent).
  • Working knowledge of English and proficiency in Romanian (written and spoken).

Key expert 3: Technical Expert / Trust Services Auditor (Focus on ETSI)

Roles and Responsibilities:
  • Conducting the specific compliance assessment for Trust Services products/solutions against ETSI EN 319 401 and technical controls.

Qualification requirements:
  • Bachelor’s Degree in IT, Engineering, or related fields.
  • Relevant certification covering technical security audits (e.g., CISA, CISSP, CRISC or equivalent).
  • Minimum 3 years of experience in IT security audits with a specific focus on PKI (Public Key Infrastructure), digital signatures, or eIDAS/ETSI compliance.
  • Proven experience in auditing or consulting for Qualified Trust Service Providers (QTSP) under the eIDAS Regulation (EU) or equivalent national legislation.
  • Working knowledge of English and proficiency in Romanian (written and spoken).