GovBidAlerts
← My Opportunities
Request for Expression of Interestopen🌐 World BankOP00456646

CONSULTANCY SERVICES TO CONDUCT IT SECURITY ASSESSMENT FOR AFRICA UNION COMMISSION — Building Institutions And Systems to Harness And Realize Agenda 2063 Project

Africa Union Commission

Description

REQUEST FOR EXPRESSIONS OF INTEREST (CONSULTING SERVICES – FIRM SELECTION) Country: Ethiopia Name of Project: The Building Institutions and Systems to Harness and Realize Agenda (BIASHARA) 2063 Project Grant No : P180117 Assignment Title: Consultancy Services to Conduct IT Security Assessment for Africa Union Commission Reference No . ET-AUC-560866-CS-QCBS The African Union Commission has received financing from the World Bank toward the cost of The Building Institutions and Systems to Harness and Realize Agenda (BIASHARA) 2063 Project and intends to apply part of the proceeds for consulting services. The consulting services (“the Services”) include conducting a comprehensive penetration testing assessment of the African Union Commission’s ICT infrastructure. The engagement is designed to rigorously evaluate technical controls, identify vulnerabilities, and simulate realistic cyberattack scenarios. The detailed Terms of Reference (TOR) for the assignment are attached to this Request for Expressions of Interest. The African Union Commission now invites eligible consulting firms (“Consultants”) to indicate their interest in providing the Services. Interested Consultants should provide information demonstrating that they have the required qualifications and relevant experience to perform the Services. The shortlisting criteria are: Legally registered consulting firm with at least 7+ years of experience in cybersecurity and digital risk advisory. Demonstrated expertise in penetration testing, vulnerability assessment, and technical security evaluation for large, complex ICT environments. Ability to deliver actionable, evidence-based recommendations to strengthen ICT resilience and mitigate sophisticated cyber threats. Proven experience working with governmental, regulatory, or large enterprise environments. Experience in comparable geographic or sectoral contexts is an advantage. Capability to deliver strategic, actionable, and operationally relevant recommendations. Key Experts will not be evaluated at the shortlisting stage. The attention of interested Consultants is drawn to Section III, paragraphs, 3.14, 3.16, and 3.17 of the World Bank’s “Procurement Regulations for IPF Borrowers” July 2016, revised November 2020 (“Procurement Regulations”), setting forth the World Bank’s policy on conflict of interest. Consultants may associate with other firms to enhance their qualifications but should indicate clearly whether the association is in the form of a joint venture and/or a sub-consultancy. In the case of a joint venture, all the partners in the joint venture shall be jointly and severally liable for the entire contract, if selected. A Consultant will be selected in accordance with the Consultants’ Quality and Cost-based Selection method set out in the Procurement Regulations. Further information can be obtained at the address below during office hours 0900 to 1700 hours . Expressions of interest must be delivered in a written form to the address below (in person, or by mail, or by e-mail) by 29 July 2026 . African Union Commission, Head of Supply Chain Management Division Building C, 3rd Floor, P.O Box 3243, Roosevelt Street Addis Ababa, Ethiopia Tel: +251 (0) 11 551 7700 – Ext 4305 Fax: +251 (0) 11 551 0442; +251 11-551-0430 E-mail: Tender@africanunion.org TERMS OF REFERENCE CONSULTANCY SERVICES TO CONDUCT IT SECURITY ASSESSMENT FOR AFRICA UNION COMMISSION REF: ET-AUC-560866-CS-QCBS I. Background As the continental organization mandated to advance integration, peace, and sustainable development across Africa, the African Union Commission (AUC) increasingly relies on sophisticated Information and Communication Technology (ICT) systems to execute its mandate with efficiency, reliability, and accountability. The Commission’s ICT ecosystem, spanning headquarters and regional offices, integrates interconnected networks, mission-critical applications, and distributed services that are essential to achieving its operational and strategic priorities. While this digital transformation has significantly enhanced connectivity, efficiency, and service delivery, it has also introduced a complex and evolving landscape of cybersecurity risks. In the current threat environment, cyber risks are not solely technical challenges; they carry strategic implications for institutional integrity, governance, and stakeholder trust. Safeguarding the AUC’s ICT assets is therefore a matter of organizational resilience, credibility, and confidence — core enablers for the Commission to effectively deliver its continental mandate. The Management Information System Directorate (MISD), operating under the Cabinet of the Deputy Chairperson, is responsible for planning, deploying, and managing all ICT functions across the African Union. In its commitment to strengthening institutional cyber resilience, MISD recognizes the need for an independent, evidence-based Security Assessment of its ICT environment. This assessment will identify vulnerabilities, evaluate the effectiveness of existing safeguards, and provide actionable guidance to reinforce ICT security across all operational fields. Accordingly, the African Union Commission invites proposals from highly qualified cybersecurity firms to conduct a comprehensive Security Assessment, incorporating both external and internal penetration testing. The assessment will simulate realistic cyber-threat scenarios, evaluate technical and operational resilience, and deliver prioritized recommendations for remediation. The outcomes will provide the Commission with a clear, actionable, and strategic understanding of its cybersecurity posture, supporting informed decision-making, strengthened operational continuity, and sustained institutional trust. The main objectives of this Security Assessment will result in: Identify critical vulnerabilities and attack paths across external-facing and internal ICT infrastructure, including misconfigurations, weak authentication mechanisms, and privilege escalation opportunities. Strengthen organizational resilience to cyber threats by identifying exploitable vulnerabilities and simulating realistic attack scenarios, enabling the Commission to anticipate, withstand, respond to, and recover from potential incidents with minimal operational disruption. Enhance the effectiveness of technical security controls by systematically evaluating networks, systems, applications, and configurations against recognized standards and international best practices. Assess potential business and operational impacts of security breaches to provide leadership with clear insights into risk exposure and informed prioritization for remediation. Provide prioritized, actionable recommendations for remediation, ensuring that targeted measures effectively reduce exposure, mitigate risks, and strengthen defenses across the Commission’s ICT environment. Support continuous monitoring and improvement, delivering strategic insights that enable the MISD to maintain adaptive, resilient, and sustainable security measures over time. Build confidence among stakeholders by producing high quality, evidence-based reporting suitable for leadership, technical teams, and external partners, fostering transparency and trust in the Commission’s security posture. II. A Precise Statement of Objective or Purpose The consultancy will develop a structured, actionable IT Security Remediation Plan based on the findings of a comprehensive penetration testing assessment of the African Union Commission’s ICT infrastructure. The plan will be multiannual, operational, and include prioritized initiatives with clearly assigned accountable owners, fully aligned with the Commission’s ICT governance framework and operational priorities. It will integrate targeted remediation measures, evidence-based recommendations, and a detailed implementation roadmap to strengthen the resilience and protection of critical ICT systems and services. The firm will conduct a thorough penetration testing engagement, employing both external (black box) and internal (white box) methodologies. The assessment will systematically identify exploitable vulnerabilities, evaluate the effectiveness of existing technical controls, and simulate realistic threat scenarios across networks, servers, applications, and configurations. The outcomes will provide the Commission with actionable insights to guide the development and operationalization of a practical remediation plan. The Security Assessment aims to deliver actionable insights that will: Identify exploitable vulnerabilities across ICT systems including networks, servers, applications, and configurations revealing weaknesses that could be leveraged by malicious actors. Simulate realistic cyberattack scenarios reflecting both external and insider threats, providing a clear understanding of the Commission’s security posture under operational conditions. Evaluate the effectiveness of existing technical security controls, including detection, prevention, and response mechanisms. Determine potential business and operational impacts of successful exploitation, enabling leadership to prioritize risk mitigation based on strategic and operational importance. Provide prioritized, actionable recommendations for remediation, mitigation, and risk reduction, fully aligned with internationally recognized cybersecurity standards and best practices. Support organizational resilience and continuous improvement, enabling MISD to enhance monitoring, governance, and long-term cybersecurity maturity. III. Scope of Work or Service Under the leadership of the MISD Director, the consultancy will conduct a comprehensive penetration testing assessment of the African Union Commission’s ICT infrastructure. The engagement is designed to rigorously evaluate technical controls, identify vulnerabilities, and simulate realistic cyberattack scenarios. The assessment will be tailored to the Commission’s operational context, system architecture, regulatory environment, and threat landscape. At a minimum, the firm will prepare and execute the following: Planning and Scoping Phase Agree on rules of engagement (RoE), testing windows, and communication protocols Develop a penetration testing methodology consistent with recognized industry practices (e.g., OWASP, NIST, PTES, etc.) and tailored to AU requirements. Situational Assessment Review existing technical security controls, network architecture, and system configurations Identify critical ICT assets, systems, and services, including external-facing services and internal infrastructure Assess current detection, prevention, and response capabilities Perform a threat landscape analysis relevant to AU operations Identify technical or operational constraints that could impact assessment or remediation efforts Vulnerability and Risk Assessment Conduct a cyber risk assessment (qualitative and/or quantitative where feasible). Execute penetration testing (external black box and internal white box). Identify vulnerabilities, classify by severity (Critical/High/Medium/Low), and map exploitable attack paths. Evaluate systemic weaknesses and potential escalation paths. Assess risks related to third-party systems or supply chain dependencies. Review legal and regulatory compliance obligations. Determine potential business and operational impacts of successful exploitation. Testing and Evaluation Simulate realistic cyberattack scenarios reflecting external threats and insider risks. Evaluate the effectiveness of technical controls across networks, servers, applications, and configurations. Measure the resilience of critical systems and incident response mechanisms. Document all findings in a structured, evidence-based report. Recommendations and Remediation Roadmap Develop prioritized, actionable recommendations for remediation and risk reduction. Propose technical improvements, configuration changes, and monitoring enhancements. Deliver a detailed remediation roadmap with sequencing, dependencies, and assigned responsible owners. Provide indicative resource and budget estimates for critical remediation measures. Reporting and Stakeholder Engagement Prepare draft and final assessment reports, including executive summaries, technical findings, and visualizations. Conduct presentation/workshop sessions with MISD and leadership teams to review findings and recommendations. Incorporate stakeholder feedback to finalize the security assessment report. IV. Deliverables and Schedule for Completion of Tasks The estimated duration of this assignment is approximately 5 months , covering 15 weeks at the African Union Commission Headquarters and 2 weeks and 2 days at each of the three remote AU regional offices (selected by the MIS Directorate) . All deliverables shall be clear, well-structured, and actionable, supporting practical implementation and informed decision-making. Deliverables shall include visual elements such as vulnerability heat maps, dashboards, and executive summaries to enhance clarity and facilitate prioritization of mitigation measures. Each deliverable shall be submitted in both draft and final versions and presented in formats agreed with the African Union, including but not limited to Word and PowerPoint The firm will provide the following deliverables: Deliverables / reports Content of reports Timeline Inception report Detailed methodology, rules of engagement, testing windows, work plan, stakeholder map, communication plan, identification of dependencies, potential risks, and mitigation measures. Approved work plan will serve as the monitoring and coordination framework for the assignment. Within the first 10 business days after the start of the consultancy Penetration testing and risk assessment report A structured report detailing the results of the penetration testing assessment (external black box and internal white box). Includes identification of vulnerabilities classified by severity, technical and systemic weaknesses, potential escalation paths, third-party risks, and potential business or operational impacts. Within 30 business days after approval of the Inception Report Threat landscape and technical evaluation report Assessment of relevant cyber threats (external and insider risks), evaluation of existing technical controls, detection, prevention, and response capabilities, and identification of potential gaps affecting ICT resilience. Within 30 business days after approval of the Inception Report Draft remediation and action plan Prioritized, actionable recommendations for remediation and risk mitigation. Includes detailed remediation roadmap, sequencing, dependencies, responsible owners, and indicative resource/budget estimates for critical corrective actions. Within 25 business days after approval of the Penetration Testing and Risk Assessment Report Final security assessment and remediation plan Consolidated final report incorporating stakeholder feedback, including executive summary, detailed technical findings, and the finalized remediation RoadMap for operationalization. Within 10 business days after approval of the Draft Remediation and Action Plan Presentation to leadership / steering committee Executive-level presentation of key findings, insights, risk implications, and proposed remediation roadmap. Facilitation of discussions and alignment with MISD and leadership teams. After approval of the Final Security Assessment and Remediation Plan Technical Handover and Final Reporting Handover of all assessment outputs, including detailed technical findings, evidence of vulnerabilities, remediation recommendations, and practical guidance for the Commission’s ICT teams. Ensures the MISD can act on findings, monitor progress, and sustain improvements in ICT security posture. Within 15 business days after approval of the Final Security Assessment and Remediation Plan V. Data, Services, and facilities to be provided by the Client: The African Union Commission (AUC) will provide the following support to facilitate the consultancy: Access to Relevant Documentation and Information Access to Key Personnel and Stakeholders Reporting Requirements Report / Deliverable Format Number of Copies Recipients Inception Report Word / PDF 2 Hard Copies + 1 Electronic Senior Leadership, MIS Director, Cybersecurity Team Interim Progress Reports Word / PDF 1 Electronic MIS Director, Cybersecurity Team, IT Governance Team Penetration Testing and Risk Assessment Report Word / PDF 1 Electronic for each report MIS Director, Cybersecurity Team, IT Governance Team Threat Landscape and Technical Evaluation Report Word / PDF 1 Electronic MIS Director, Cybersecurity Team, IT Governance Team Draft Security Assessment and Remediation Plan Word / PDF 1 Electronic MIS Director, Cybersecurity Team, IT Governance Team Final Security Assessment and Remediation Plan Word / PDF 3 Hard Copies + 1 Electronic Senior Leadership, MIS Director, Cybersecurity Team Presentation of Findings PowerPoint / PDF 1 Electronic Senior Leadership, MIS Director, Cybersecurity Team, Relevant Stakeholders Knowledge Transfer and Handover Report Word / PDF 1 Electronic MIS Director, Cybersecurity Team, IT Governance Team Consultant’s Qualifications, Experience Requirements and Consultant’s Team Composition with Estimate of Key Experts Input. The successful consultancy firm must demonstrate a strong focus on cybersecurity strategy, risk management, and organizational value delivery, particularly within intergovernmental or large-scale institutional contexts. Firm Requirements: Legally registered consulting firm with at least 7+ years of experience in cybersecurity and digital risk advisory. Demonstrated expertise in penetration testing, vulnerability assessment, and technical security evaluation for large, complex ICT environments. Ability to deliver actionable, evidence-based recommendations to strengthen ICT resilience and mitigate sophisticated cyber threats. Proven experience working with governmental, regulatory, or large enterprise environments. Experience in comparable geographic or sectoral contexts is an advantage. Capability to deliver strategic, actionable, and operationally relevant recommendations. Consultancy Team Experience At least one team member with a BSc in Computer Science, Cybersecurity, Information Security, or a closely related discipline; advanced offensive security certifications (e.g., OSCP, CEH, GPEN) are a strong advantage. A minimum of five (5) to seven (7) years of relevant professional experience in penetration testing, ethical hacking, or offensive cybersecurity operations. Proven capability to conduct comprehensive penetration testing engagements across both external and internal enterprise-scale environments. Advanced technical expertise in assessing networks, systems, and applications, including identification, validation, and exploitation of security vulnerabilities. Demonstrated experience in mapping credible attack paths, including privilege escalation, lateral movement, and persistence within complex infrastructures. Experience in at least three (3) comparable assignments involving penetration testing or technical security assessments for large organizations, public institutions, or international entities. Ability to operate effectively in sensitive and high-security environments, maintaining strict adherence to rules of engagement, confidentiality, and operational safeguards. Strong leadership, collaboration, and communication skills to engage effectively with stakeholders. Experience in at least one government or international organization project in cybersecurity or digital transformation, including drafting or implementing strategies. The firm must have offices in an African Union member state. Client’s Assignment management arrangement: The MIS Directorate will oversee the assignment to ensure alignment with governance objectives, compliance, and timely completion. This includes reviewing reports, providing guidance, and approving deliverables. The Cybersecurity expert will supervise day-to-day consultancy activities. Reports should be submitted during the course of the project Per the deliverables and schedule for completion of tasks section above. Monthly activity updates The MIS Director will validate final reports. List Of Indicative Key Professional Positions Whose CVs And Experience Would Be Evaluated. S. No Key Position Area of Specific Expertise Required Minimum Qualification and Professional Expérience Indicative Key Staff Input (Person-Months) 1 Team Lead / Cybersecurity Assessment Expert Overall leadership of security assessment, governance, quality assurance, and coordination of penetration testing activities 10+ years in cybersecurity, including at least 4 years leading penetration testing or security assessment engagements in complex environments 5 months 2 Lead Penetration Tester / Red Team Specialist Advanced penetration testing, ethical hacking, exploitation techniques, attack simulation (external and internal) 7+ years in cybersecurity with at least 5 years of hands-on penetration testing experience across networks, systems, and applications 4–5 months (intensive during testing phases) 3 Cybersecurity Architect / Infrastructure Security Expert Review of network, server, cloud, and application security architecture; evaluation of technical controls and attack surfaces 7+ years in cybersecurity with strong experience in infrastructure security assessment and secure architecture design 5 months 4 Vulnerability Management and Risk Analyst Vulnerability identification, classification, risk scoring, exploitation impact analysis, and remediation prioritization 5+ years in vulnerability management, security assessment, or cyber risk analysis in enterprise environments 5 months 5 Project Manager / Engagement Coordinator Project planning, coordination, stakeholder engagement, reporting, and delivery tracking 5+ years in project management, preferably in cybersecurity or IT security assessment engagements 5 months 6 Change Management / Knowledge Transfer Expert Development of technical reports, remediation guidance, and knowledge transfer to ICT teams 5+ years in cybersecurity reporting, documentation, or technical advisory with experience in translating findings into actionable remediation plans 2–3 months Contract Type and Other Information: Contract Type - The contract will be Lumpsum with clearly defined deliverables and milestone-based payments. Firms will be expected to meet performance benchmarks, with payments linked to the successful completion of each project phase. Expected Duration - The assignment is expected to last approximately 5 months (21 weeks and 6 days), including 15 weeks at African Union (AU) headquarters and 2 weeks plus 2 days at each of the three AU regional offices, to be selected by the MIS Directorate. Extensions may be considered if required. Assignment Location - The selected firm will primarily work remotely. On-site may be considered for critical assessment, workshops, subject to approval and adherence to security protocols. Language - Fluency in English and/or French as well as a good working knowledge of the other working languages of the Africa Union is an advantage. Evaluation and award of the consultancy - Evaluation of the proposals and award of the contract (consultancy) will be based on educational background, peculiarity of required experience and technical competencies. African Union reserves the right to accept or reject any proposal received without offering any explanation. Intellectual Property Rights - Any reports, documents graphics, or other materials, prepared by the consultancy firm for this assignment shall belong to and remain the property of the African Union.

Details

Posted
Jul 14, 2026
Response deadline
Jul 29, 2026, 5:00 PM UTC (14d)
Type
Request for Expression of Interest
Category
Request for Expression of Interest
Procurement method
Quality And Cost-Based Selection
Status
open
Buyer
Africa Union Commission
Jurisdiction
World Bank
Reference #
OP00456646
Country
Eastern and Southern Africa
Notice Text
REQUEST FOR EXPRESSIONS OF INTEREST (CONSULTING SERVICES – FIRM SELECTION)   Country: Ethiopia Name of
Project Name
Building Institutions And Systems to Harness And Realize Agenda 2063 Project
Notice Status
Published
Bid Description
CONSULTANCY SERVICES TO CONDUCT IT SECURITY ASSESSMENT FOR AFRICA UNION COMMISSION
Contact Address
Africa Union HeadquartersP.O.BOX 3243Tel: 251-11-5-517700webmaster: webmaster@africa-union.orgAddis
Bid Reference No
ET-AUC-560866-CS-QCBS
Notice Lang Name
English
Contact Ctry Name
Ethiopia
Procurement Group
CS
Procurement Method Code
QCBS
Submission Deadline Time
17:00

Contact

Kaputo Chenga -Bwalya
Chenga-Bwalyak@AfricanUnion.org
+251982168552
Finding similar opportunities…

This listing is a summary from World Bank's open procurement data. We ingest every field the feed publishes; the full solicitation documents are on the source portal.