1. Background
The Central Bank of Somalia (CBS) has completed its preparation for ISO 27001:2022
implementation, including establishing an Information Security Management System
(ISMS), conducting internal audits, and addressing identified nonconformities. CBS now
seeks the services of an internationally accredited certification body to perform an
independent certification audit of its ISMS, with the aim of achieving ISO 27001:2022
certification.
2. Objective
The objective of this assignment is to engage a reputable and accredited certification body
to conduct Stage 1 and Stage 2 audits for ISO 27001:2022, provide certification upon
successful completion, and perform subsequent surveillance audits as required under the
accreditation scheme.
3. Scope of Work
The selected certification body will be expected to:
• Review CBS’s ISMS documentation, policies, procedures, and records.
• Conduct Stage 1 (readiness review) to evaluate ISMS preparedness.
• Conduct Stage 2 (certification audit) to assess conformity with ISO 27001:2022
requirements.
• Issue ISO 27001:2022 certification upon successful completion.
• Conduct periodic surveillance audits during the three-year certification cycle.
• Conduct recertification audit at the end of the cycle.
• Provide formal audit reports detailing findings, nonconformities, and
recommendations.
The ISMS scope covers CBS’s critical operations, including IT infrastructure, data centers,
payment systems, ERP, and supporting business processes.
4. Deliverables
The certification body will be required to provide:
• Detailed audit plan for Stage 1 and Stage 2.
• Stage 1 audit report (readiness review).
• Stage 2 audit report, with details of compliance and any nonconformities.
• ISO 27001:2022 certificate (upon successful completion).
• Surveillance audit reports (annually for the duration of the certificate).
5. Qualification Requirements
Interested certification bodies must:
– Accreditations
• The firm must hold five (5) or more accreditations from internationally recognized
accreditation bodies (e.g., UKAS, ANAB, DAkkS, JAS-ANZ, SANAS, NABCB, or
equivalent).
– Experience of the Firm
• The firm must demonstrate over twenty (20) years of existence as a certification
body, with a proven track record of ISO/IEC 27001 certification services.
• The firm must demonstrate over twenty (20) years of operational and project
experience within the African market, with evidence of locally conducted audits.
– Sector-Specific Experience
• The firm must have successfully certified at least one (1) Central Bank in Africa
under ISO/IEC 27001.
• The firm must have conducted ISO/IEC 27001 certifications for at least five (5)
financial institutions in Africa (commercial banks, development banks, or
equivalent).
Proof of Compliance
• Bidders must provide valid documentation of accreditation(s), references, and
evidence of past projects, including contact details of the institutions certified, to
enable verification by CBS.
6. Proposal Submission Requirements
Interested firms must submit proposals that include:
• Company profile, including accreditation details.
• Evidence of relevant ISO 27001 certification experience (references, case studies).
• Audit methodology, approach, and timelines.
• Detailed financial proposal (all-inclusive fees).
• Curriculum vitae of proposed audit team members.
• Confirmation of ability to perform surveillance and recertification audits over the 3-
year cycle.
7. Evaluation Criteria
Proposals will be evaluated against the following criteria:
• Accreditation status and recognition of certifying body.
• Relevant sector experience and references.
• Proposed methodology and audit approach.
• Competence and qualifications of proposed auditors.
• Cost and value for money.
• Ability to provide long-term certification services (surveillance and recertification).
8. Timeline
• Date TOR issued: 28th September 2025
• Deadline for submission of proposals: 15th October 2025 EAT 5:00PM
• Expected commencement of Stage 1 audit: November 2025
9. Submission
Proposals should be submitted electronically to:
