Negotiated Procedure
Maximum budget: €45.000,00
ENISA is looking for a service provider that will support the Agency in its enterprise risk management activities, including IT security risk management, in order for the Agency to reduce the overall risk and to achieve its strategic objectives as they are set in the ENISA Single Programming Document (SPD) 2021-2023 (https://www.enisa.europa.eu/publications/corporate-documents/enisa-single-programming-document-2021-2023/).
The underlying premise of enterprise risk management is that every organizational entity exists to provide value to its stakeholders.
The project consists of two charters as described below:
1) Enterprise risk management
The enterprise risk assessment work will be based on ENISA's existing enterprise risk management framework (based on the COSO methodology). This framework will be provided to the prospective contractor along with all the relevant details. The goal of this activity is to identify the overall enterprise risks, how those risks propagate through all the activities and areas of ENISA, and to provide adequate risk treatment plans. In the light of this effort the following tasks are foreseen:
- defining risk rating criteria
- establishing the risk appetite of the internal entities
- conducting a comprehensive risk assessment that covers the key areas and activities of the organisation, by means of interviews with relevant stakeholders, surveys and workshops
- assisting the Agency in developing an adequate risk classification that will provide a common understanding throughout the Agency
- populating the specific risk registers
- providing guidance on mitigation strategies
- mapping controls to specific risks
The final deliverables will be:
- Enterprise risk assessment report and risk treatment plan 2022
- Updated enterprise risk assessment framework (on the basis of findings during the risk assessment process)
2) IT security risk management
The IT security risk assessment work will be based on ENISA's existing risk management framework (with ISO 27001 as a reference), which the prospective contractor will further formalise and enhance on the basis of ENISA's IT strategic framework, relevant IT security assessments and policies, and additional requirements (e.g. legal or regulatory) in the field. All relevant material will be provided by ENISA to the prospective contractor. The goal of this activity is to enhance the Agency's IT security risk management framework, to identify specific IT security risks and how those risks propagate through all the activities and areas of ENISA, and to provide adequate risk treatment plans. The same tasks as those under Enterprise risk management are foreseen for this charter, adjusted accordingly to the field of IT security.
The final deliverables will be:
- Updated ENISA IT security risk assessment framework
- IT security risk assessment report and risk treatment plan 2022.
If you are interested in being invited to take part in this upcoming tender procedure, then please 'submit your interest' before the deadline, using the link below or via the eSubmission link.