ISO 27001 for Government IT Tenders: Is Certification Required in Gauteng?

Gauteng’s public-sector ICT spend is forecast to exceed R12 billion in the 2026/27 financial year, yet fewer than 18% of local small- and medium-sized IT firms ever reach award stage—largely because they misread security requirements. With cyber-crime costing the province an estimated R1,4 billion in 2025, National Treasury has tightened risk assessment criteria. For IT service providers, the single most misunderstood compliance item is ISO 27001. This guide clarifies when certification is compulsory, when an accredited auditor’s letter suffices, and how to remain eligible without incurring unnecessary cost.

By Kabelo Molefe

The Regulatory Framework

The Preferential Procurement Policy Framework Act (PPPFA) 2022 Regulations, read with the BBBEE Act, empower Gauteng provincial departments and municipalities to award points for “specific security goals.” Treasury Instruction 12 of 2025 directs organs of state to treat ISO 27001 as a “threshold requirement” for any tender where the bidder will host, administer, or have privileged access to government data. The Municipal Finance Management Act (MFMA) section 116 and the Public Finance Management Act (PFMA) section 38 impose a fiduciary duty on accounting officers to ensure that all ICT contracts contain adequate security assurances. The Protection of Personal Information Act (POPIA) enforcement unit further recommends ISO 27001 as demonstrable evidence of “appropriate technical and organisational measures.”

What IT Suppliers in Gauteng Must Have in Place

Central Supplier Database (CSD): Register on https://secure.csd.gov.za. A CSD number is valid for one year; lapses trigger automatic disqualification.
BBBEE Certificate or Sworn Affidavit: IT firms with annual revenue below R10 million may submit an affidavit on a standard SBD 6.2 form. The affidavit is valid for 12 months; after that, a new affidavit or SANAS-verified certificate is required.
SARS Tax Compliance Status (TCS): Download the PIN from https://www.sarsefiling.co.za. TCS PINs expire 12 months from issue and must be refreshed before proposal submission.
CIPC Company Registration: Annual returns must be filed; failure places the enterprise in “deregistration” status and blocks CSD profiling.
COIDA Letter of Good Standing (if employing staff): Apply via the Department of Labour’s https://www.labour.gov.za. Valid for 12 months; lapses incur penalties and tender disqualification.

Step-by-Step Compliance Approach

  1. Pre-Qualify: Log into the CSD, update your commodity codes to include “ICT Security Services” and “Information Security Management.” This aligns your profile with ISO 27001-tagged tenders.
  2. Verify Security Clause: Download the tender document and search for “ISO 27001,” “ISO 27k,” or “information-security management system.” If the clause reads “certification required,” plan for a six-month audit cycle; if it reads “compliance may be demonstrated by a letter from an accredited body,” book a gap analysis.
  3. Budget Realistically: Certification through a SANAS-accredited body averages R180 k for a 50-person firm; a Stage-1 letter of conformity costs under R25 k. Add R35 k per year for surveillance audits.
  4. Document Policies: Government evaluators want evidence—risk registers, incident-response plans, asset inventories, and access-control matrices. Have these ready before briefing sessions.
  5. Final Check: Always read the full tender document before starting your submission. The most common failure is applicants who do not respond directly to every evaluation criterion—especially the SBD 6.5 security questionnaire.

The Most Common Compliance Failures

Expired CSD Profile: Over 40% of 2025 Gauteng ICT rejections were linked to outdated BBBEE affidavit uploads. The CSD does not auto-notify; set calendar reminders.
Wrong SBD Form: Using the old SBD 6.1 instead of the 2025 SBD 6.2 for the BBBEE affidavit results in a non-responsive bid. Forms are updated quarterly on https://www.treasury.gov.za.
Incomplete ISO 27001 Evidence: Submitting only the certificate without the scope statement is not sufficient. The scope must explicitly list “provision of cloud-hosting services to government” or similar wording.
Missing Compulsory Briefing: For National Treasury ICT tenders, attendance is recorded by ID number; sending a junior staff member without a signed proxy form invalidates the bid.
Tax PIN Mismatch: If the CSD still reflects an old TCS PIN, the e-procurement system auto-rejects—even when the bidder attaches a new PIN in the technical file.

2026 Context: What IT Suppliers Should Focus On

Gauteng’s 2026 ICT Policy Review prioritises “zero-trust architecture” and “sovereign cloud.” Expect every RFP above R5 million to reference ISO 27001:2022 controls A.5.7 (threat intelligence) and A.8.12 (data leakage prevention). Suppliers that hold both ISO 27001 and the newer ISO 27701 (privacy extension) earn additional 2–5 preference points under the revised PPPFA schedule. Looking ahead, the Office of the Chief Information Security Officer (OCISO) is piloting a “fast-track” certification grant—covering 50% of audit costs for firms that are 51% Black-owned and operate within Gauteng innovation hubs. Applications open 1 July 2026.

How Tenders-SA.org Helps

Our AI matching engine cross-references your CSD profile against live tender notices, flagging only those opportunities where your current BBBEE level, tax status, and ISO 27001 stage meet the security threshold. The built-in Company Profile Builder pre-maps your CSD data into a compliant PDF, cutting preparation time by 70%. Daily Tender Alerts arrive with a colour-coded readiness score—green for fully compliant, amber for missing documents—so you can act before closing time.

Ready to target government ICT work without over-spending on certification? Let Tenders-SA keep you informed, compliant, and first in line for Gauteng’s security-critical tenders.

ICT & Smart City Analyst specializing in digital transformation and security technology for South African municipalities.

https://www.tenders-sa.org/blog/general-procurement-guide-2026-03-15