IAEA Information Security Management System Development and Implementation
IAEA Specification
Dated 23 November 2015
STATEMENT OF WORK
Contents
1. Scope (page 1)
2. Applicable Documents (page 2)
3. Definitions, Acronyms, and Abbreviations (page 3)
4. Requirements (page 3)
5. Deliverable Data Items (page 10)
6. IAEA Responsibilities (page 11)
Attachment 1 (page 13)
1. Scope
This Statement of Work (SOW) describes the requirements for the development,
documentation, and assistance with the implementation of an ISO 27000 series
compliant IAEA Information Security Management System (ISMS) framework,
governance structure, documentation and associated management processes that
may be either new or will revise, adapt, or replace current structures or processes.
The resulting ISMS will prepare the IAEA for obtaining and maintaining an ISO
27001:2013 certification.
The ISMS shall be based on the ISO/IEC 27000 series and shall take into
consideration the results and recommendations of an internal Audit of ISMS and of an
IAEA Information Security Risk Assessment and Five-Year Roadmap that was
commissioned by the Chief Information Officer and completed earlier in 2015. The
ISMS must enable the IAEA to further protect the information it creates and manages
and to more effectively adapt and respond to changes in information and security
technologies and threats to the IAEA in the years to come.
The IAEA has the same information security needs as any enterprise organization.
However, due to the unique and varied nature of the IAEA's missions, described on
the IAEA homepage (www.iaea.org), the information managed by the various IAEA
programmes has significantly differing requirements in terms of confidentiality,
integrity and availability. These include confidentiality requirements for some
information similar to those of national governments and intelligence organizations, and for
some information similar to those of not-for-profit business environments. There are integrity
requirements that range from those of health, safety and research organizations to
those of an official public website, as well as routine administrative information. The
IAEA's availability requirements are in line with those of archived records but also those
of Internet-based public safety information and emergency response providers. The
ISMS must effectively address all aspects of information and IT security at the IAEA.
It is critical to understand that this is not a clean slate environment with regards to
information and IT security. The IAEA currently has information security controls in
the form of policies, procedures, processes, technologies and systems and is actively
working on the creation and/or revision of other aspects of an ISMS. Policies,
procedures, processes, technologies and systems differ across various parts of the
IAEA on many aspects. The development of the IAEA ISMS shall create and
implement the new components required, and shall also take into consideration both
the existing and in-progress components and, as appropriate, adapt and integrate or
replace them.
2. Applicable Documents
The ISO/IEC 27000 series (current versions) documents shall be applicable for the
work to the extent specified hereinafter.
In the event of conflict between these documents and the content of this
Specification, the content of this Specification shall take precedence to the extent of
the conflict.
Additionally, the following resources are included as recommended references:
- FedRAMP General Document Acceptance Criteria
  (https://www.fedramp.gov/files/2015/07/FedRAMP-General-Document-Acceptance-Criteria.pdf)
- IAEA Security of Nuclear Information
  (http://www-pub.iaea.org/MTCD/Publications/PDF/Pub1677web-32045715.pdf)
- Internet Security Forum Best Practices
  (https://www.securityforum.org/tools/sogp/)
Extensive documentation will be made available, such as relevant current and draft
policies and procedures, relevant audits and risk assessments, and long term
response plans. The audits and risk assessments are based on extensive and
substantive reviews of IAEA documentation (more than 300 policies, procedures and
audit, technical security assessment and incident reports), personal interviews with
management and technical staff, and technical verification testing. The risk
assessment reports provide detailed descriptions of the risks identified. This
information will also be made available, as deemed necessary.
4. Requirements
The Contractor and its staff engaged on this account shall meet the requirements
and carry out the activities listed below and provide the deliverables specified.
4.1. Schedule and Place
4.1.1. The initial kick-off of the engagement shall take place no more than two weeks
after the contract is signed. The current estimated date is mid-April 2016.
4.1.2. For the initial kick-off of the engagement, review of confidential information,
any needed stakeholder interviews, workshops or review meetings and
presentations, the Contractor shall work on-site at the IAEA Headquarters in
Vienna, Austria, with assistance from the IAEA Project Lead and the
Information Security Office.
4.1.3. For collaborative activities that do not involve sensitive IAEA information, per
classification policy, online resources such as Webex and SharePoint may be
utilised if effective and efficient;
4.1.4. The working hours for activities involving IAEA staff are the standard working
hours at the IAEA Headquarters, Vienna, Austria (08:00 to 18:00 GMT+1).
4.2. Profile and Qualifications
4.2.1. The Contractor shall be ISO 27001 certified;
4.2.2. All staff engaged by the Contractor on this account, unless otherwise noted,
shall have/be:
4.2.2.1. Experience:
4.2.2.1.1. A minimum of 5 years working experience covering a majority
of the areas detailed in Section 4.3;
4.2.2.1.2. Extensive familiarity with the ISO 27000 series and in helping
organizations achieve ISO 27001 certification;
4.2.2.1.3. Experience working in high confidentiality environments and
relevant business sectors (such as national government,
banking, intelligence);
4.2.2.2. Personal qualities:
4.2.2.2.1. Strong business communication and facilitation skills; and
4.2.2.2.2. Fluency in English, both oral and written, equivalent to
Cambridge English certification levels First, Advanced or
Proficiency, or Common European Framework level C, or similar
competency;
4.2.3. The Contractor's Project Manager working on this account shall have/be:
4.2.3.1. The Single Point of Contact for the engagement;
4.2.3.2. A minimum of 10 years working experience covering a majority of the
areas detailed in Section 4.3;
4.2.3.3. Extensive and proven experience managing consulting engagements
of this nature (ISMS implementation) and magnitude for high-profile
clients;
4.2.3.4. Relevant certifications (Prince2 and/or equivalents, CISSP or other
relevant equivalents) in good standing;
4.2.4. The Contractor's Subject matter expert (ISMS implementation) working on
this account shall have/be:
4.2.4.1. Extensive and proven experience developing and implementing ISO
27001 Information Security Management Systems of this magnitude;
4.2.4.2. Relevant certifications (CRISC, CISSP, IRCA ISMS auditor and/or
equivalents) in good standing;
4.2.5. The Contractor's Subject matter expert (Risk management) working on this
account shall have/be:
4.3.5.8.1. Purpose;
4.3.5.8.2. Governance;
4.3.5.8.3. Policy and documentation: changes, structure, location;
4.3.5.8.4. Performance measurement;
4.3.5.8.5. ISMS portal;
4.3.5.9. The Contractor shall present the ISMS training at a one-time
series of live sessions to all current IAEA staff;
4.3.6. Certification preparation
4.3.6.1. The Contractor shall provide a test certification assessment template
that the IAEA can use for a pre-ISO 27001:2013 certification self-readiness
assessment.
4.4. Quality assurance and monitoring of work deliverables
4.4.1. All work shall be monitored and assessed by the IAEA Project Lead and the
Information Security Office, who will act as the primary representatives of the
IAEA; and
4.4.2. The Contractor shall provide the IAEA with regular updates and review
progress via email, Internet-supported meetings or in-person meetings, as
required. Updates shall be provided biweekly or as requested by the IAEA.
4.5. Formal acceptance of deliverables/specialist products
4.5.1. All interim drafts and final deliverables shall be provided in electronic format
(Microsoft Office 2013 Word for all documents, also in PDF for final); prior to
acceptance of the final versions of the deliverables, the Contractor shall
organise formal review meetings with the IAEA; and
4.5.2. The Contractor shall prepare and present (using PowerPoint) the descriptions
and explanations of the major deliverables (Information Security Strategy,
ISMS Policy, ISMS staffing resource plan, ISMS framework, overview of the
policy suite, performance monitoring approach) to the IAEA CISO, CIO and
Senior Management.
5.2. Preparation
5.2.1. ISMS Scope
5.2.2. IAEA Information Security Strategy
5.2.3. IAEA Information Security Control Objectives
5.2.4. ISMS Policy / Charter
5.3. Framework
5.3.1. Formal ISMS framework description
5.3.2. ISMS Governance mandate document
5.3.3. ISMS management staffing resource plan
5.3.4. ISMS Portal functional requirements recommendations
5.3.5. Information Security document management process and structure
descriptions, templates, general document acceptance criteria and procedures
5.3.6. ISMS performance management and improvement process descriptions
5.4. Documentation, process and integration
5.4.1. Three gap analysis reports (documentation and performance management)
5.4.2. Two documentation proposals (draft and final)
5.4.3. Performance management proposal (draft and final)
5.4.4. IAEA suite of policies, standards, procedures and guidance
5.4.5. Non-IAEA-wide policies or process designs and descriptions
5.4.6. Performance management process designs and descriptions (measurement,
metrics, reporting and review)
5.4.7. IAEA ITIL alignment strategy
5.4.8. ISMS training materials
5.5. Certification preparation
5.5.1. Assessment preparation documentation
6. IAEA Responsibilities
6.1. The IAEA will allocate a Project Lead who will be the focal point of contact within the
ISO for the duration of the engagement;
6.2. The IAEA will provide extensive documentation at the initiation of the project,
including:
6.2.1. IAEA information security risk assessment and planning documents;
6.2.2. IAEA Business Technology Strategic Plan [2015-2020];
6.2.3. IAEA legally binding agreements;
6.2.4. IAEA Information and IT security relevant policies, procedures and guidance
documents;
6.2.5. Relevant audit findings and recommendations;
6.3. The IAEA staff will provide assistance to the Contractor by:
6.3.1. Setting up stakeholder engagements (meetings, workshops etc.);
1.1. Information and communication systems are central to the IAEA's mission and
daily business activities, as they are utilised to routinely exchange information
among management and staff, with member states and other third parties in
the public and private sectors. This is accomplished through the normal
enterprise business and communications systems, restricted access and
public web and collaboration services and staff remote access systems that
are hosted both internally and in cloud-based systems. In addition to the
systems supporting daily business activities, the IAEA has information and
communications systems supporting the highly sensitive Nuclear Security and
Safeguards activities.
1.2. The information technology infrastructure supports ~3000 users (staff and
consultants) located at one primary location (Vienna International Centre) with
five additional permanent facilities located in Austria, Canada, Monaco and
Japan.
1.3. The IAEA has a partially centralised IT management structure with two
organizationally autonomous IT service organizations. Each centralised IT
management organization provides network, server, end point and security
operations planning and administration with well-defined technical inter-
connectivity. Both organizations provide software development and
maintenance. Additionally, there are staff members within divisions throughout
the IAEA providing software development, server-based applications
administration and local IT client support.
1.4. While all staff members have information security responsibilities, the IAEA has a
number of staff positions dedicated to security functions. These include:
- Central Security Coordinator (responsible for all aspects of security except for
  Information Security)
- Chief Information Security Officer
- Information Security Office
- Safeguards Information Security Officer
- Security operations groups, supporting:
  - Access control
  - Threat management
  - Incident response
  - IT security engineering
1.5. The IAEA has a formal information security policy; however, the elements that
underlie the policy in terms of IAEA processes, procedures, standards and
guidelines are limited. There are also IAEA policies for various information
security related activities. Additionally, each Department may also issue
additional policies. For instance, the Department of Safeguards has policy and
procedures focused on protecting the confidentiality and integrity of the sensitive
information that is central to their mission. On an ongoing basis, both internal and
external audits and security assessments are performed.
The technology underlying these services that are administered by IAEA staff
includes:
- 800+ servers, physical and virtualised (highly virtualised), Windows and Linux
  (predominantly Windows);
- 3500+ client computers (desktop and notebook; Windows, Macintosh and
  Linux, predominantly Windows);
- 500+ mobile devices (phones and tablets);
- MS Active Directory, multiple forests/multiple domains and additional
  standalone domains (such as for the DMZ);
- IPv4 wired and wireless networks, supporting client and server environments
  and Internet access;
- Network security systems providing access control; threat identification and
  blocking; centralised logging and Security Event and Incident Management;
- Multiple inter-site network communications connections;
- Multiple remote access systems;
- On-site dedicated data centres and rooms;
- Cloud-based and outsourced resources;
- Centralised and local IT Service Desks;
- Commercial and bespoke applications (client, client-server and web-based);
- Specialised laboratory, remote monitoring and embedded systems;
- Disaster recovery infrastructure.
1.6. Application and system development is provided by IAEA staff and consultants
for in-house and technology transfer projects, utilizing multiple platforms and
languages that include but are not limited to:
- Various languages (C, C++, script, Java) used with specialised and embedded
  systems.