Broad-Based Black Economic Empowerment Act (B-BBEE Act)
Act 53 of 2003
Provides the empowerment-compliance context often used in public-sector supplier evaluation.
Relevant because this is a South African public-sector procurement opportunity.
Issuing Organization
Passenger Rail Agency of South Africa (PRASA)Location
Gauteng
Closing Date
14 Jul 2026
Documents available on tender detail page
Tender Type
Request for Quotation
Delivery Location
30 WOLMARANS STREET - JOHANNESBURG - JOHANNESBURG - 2001
Organization Type
GOVERNMENT
Published
06 Jul 2026
OCDS Reference
ocds-9t57fa-161358
PRASA seeks a qualified service provider to deliver a comprehensive cybersecurity programme, including maturity assessments, security architecture reviews, vapt, ot/it integration testing, ot site assessments, strategy development, and an automated grc platform. The programme aims to strengthen prasa's cybersecurity posture across its critical rail infrastructure, ensuring compliance with international standards and south african regulations.
Date & Time
Tuesday, 14 July 2026 - 10:00
Venue
null
Categories
Request for Quotation
30 WOLMARANS STREET - JOHANNESBURG - JOHANNESBURG - 2001
06 Jul
2026
Tender Published
Tender was published
14 Jul
2026
Closing Date
Tender closing date
These references help suppliers understand the public-procurement framework around this opportunity. They are generated from the tender category, issuing organisation type and procurement context.
RFQ FOR CISO 10372224.docx
PRASA is seeking a qualified service provider to deliver a comprehensive cybersecurity program, including maturity assessments, security architecture reviews, VAPT, critical asset configuration reviews, IT/OT integration testing, OT site assessments, cybersecurity strategy and roadmap development, and implementation of an automated GRC platform. The project spans 12 months (6 months for core delivery + 6 months for handover/support) and requires adherence to frameworks like NIST CSF 2.0, ISO/IEC 27001:2022, IEC 62443, and South African regulations (POPIA, NCPF).
Median Estimate
R 1 054 335
Range
Based on 7 comparable awarded tenders. Companies with similar profiles typically bid near the median.
* Estimates are based on historical data and do not guarantee actual award values.
Learn how to submit a winning bid with these related articles
Limpopo is a mining powerhouse in South Africa. Learn how to identify and bid for mining support services tenders, understanding the role of major players like Anglo American, Exxaro, and the provincial government in creating supply chain opportunities.
A logistical guide to winning and managing multi-million rand contracts for laptop supply and ICT maintenance in Gauteng public schools.
Stop bidding blindly. Learn how to build a tender intelligence system using procurement data, historical award analysis, and competitor insights to make data-driven bid-no-bid decisions that win more contracts.
In 2026, General contractors operating in the Eastern Cape must prioritize compliance with COIDA (Compensation for Occupational Injuries and Diseases Act) registration and Letters of Good Standing. With the Department of Employment and Labour intensifying enforcement, and government tenders increasingly scrutinizing workforce-related compliance, failure to maintain valid documentation can disqualify bids before evaluation even begins. As public sector procurement in the province continues to demand higher standards of legal and financial integrity, suppliers must treat these requirements as non-negotiable gateways to participation.
💡 Want more tendering tips and strategies?
Explore Our BlogTenders in this industry often require registration with these bodies.
Recommended Certifications
Having these can improve your winning chances: APSO Membership, Services SETA Accreditation
AI Document Analysis Stages
We refine every tender document through these stages so you can brief your team and prepare your bid with confidence. Anything marked as "in progress" will be upgraded automatically — no action required from you.
Description
Source: SCOPE OF WORK - CISO_ 10372224.pdfPRASA seeks a service provider to deliver a comprehensive cybersecurity programme for its critical rail infrastructure. The scope includes: Enterprise Cybersecurity Maturity Assessment (NIST CSF 2.0), Security Architecture Review (SABSA, Zero Trust), Vulnerability Assessment and Penetration Testing (VAPT), Critical Asset Configuration Review, IT/OT Integration Testing, OT Site Assessments (3 sites), Cybersecurity Strategy and Roadmap (3-year), CISO Execution Support, and an Automated GRC Platform. The programme addresses risks from IT/OT convergence, legacy systems, and emerging threats (e.g., ransomware) while ensuring compliance with POPIA, Cybercrimes Act, and NCPF. The goal is to establish a robust, evidence-based cybersecurity capability aligned to rail operations and OT environments.
Important Dates
Source: SCOPE OF WORK - CISO_ 10372224.pdf (RFQ)Closing date: 14 July 2026 at 10:00 AM. Key milestones: Contract signature and kick-off (Week 1), Inception Report and PMP accepted (End of Week 2), Rules of Engagement signed (End of Week 3), Maturity assessment evidence collection complete (End of Week 6), Active testing complete (End of Week 10), OT Site Assessments complete (End of Week 11), Draft Strategy and Roadmap issued (End of Week 13), Final Strategy and Roadmap accepted (End of Week 15), Board presentation delivered (Week 16), Programme close-out accepted (Week 16).
Submission Guidelines
Source: SCOPE OF WORK - CISO_ 10372224.pdf (RFQ)Submit all required documents as specified in the RFQ. Ensure all declarations and Standard Bidding Documents (SBDs) are duly completed and signed where required. Follow the formal deliverable acceptance process: (i) issue deliverables in draft, (ii) PRASA reviews and provides feedback within 10 business days, (iii) submit revised version addressing feedback, (iv) PRASA accepts in writing or escalates to the Cybersecurity Steering Committee. Failure to achieve acceptance within two revision cycles triggers an issue under the contract's Issue Management process.
Evaluation Criteria
Source: SCOPE OF WORK - CISO_ 10372224.pdf (RFQ)Mandatory Personnel
Role
Engagement Director
Experience
18 years in cybersecurity, 8 years leading critical infrastructure programs
Credentials
CISSP + (CISM or CRISC)
Role
Lead Consultant – Strategy & Maturity
Experience
15 years in cyber advisory, lead author on 3+ NIST CSF assessments
Technical Specifications
Source: SCOPE OF WORK - CISO_ 10372224.pdf (RFQ)Scope includes nine mandatory workstreams: 1) Enterprise Cybersecurity Maturity Assessment (NIST CSF 2.0, ISO/IEC 27001:2022, COBIT 2019), 2) Security Architecture Assessment (SABSA, Zero Trust, Purdue Enterprise Reference Architecture), 3) Vulnerability Assessment and Penetration Testing (VAPT) across external/internal networks, web/mobile/API applications (CREST, OWASP methodologies), 4) Critical Asset Configuration Review (CIS Benchmarks, NIST SP 800-53, CSA CCM v4), 5) IT/OT Secure Integration Test (Purdue, IEC 62443, NIST SP 800-82), 6) OT Cybersecurity Assessment (3 sites, IEC 62443, passive techniques), 7) Cybersecurity Strategy and Roadmap (3-year strategy, 18-36 month roadmap), 8) CISO Execution Support (governance instruments, 90/180-day plans), 9) Automated GRC Platform (multi-framework compliance, risk registers, FAIR quantification). Out of scope: implementation of security tools (except GRC platform), SOC/MDR operations, red teaming, active testing on safety-critical OT systems.
Methodology
Source: SCOPE OF WORK - CISO_ 10372224.pdfBidder must respond to all nine workstreams with clear methodologies, named teams, indicative effort, and expected deliverables. Key methodologies: Workstream 1 (NIST CSF 2.0 maturity scoring 0–5 scale, evidence under chain-of-custody); Workstream 2 (SABSA, NIST SP 800-207 Zero Trust, Purdue Enterprise Reference Architecture); Workstream 3 (CREST, OWASP WSTG v4.2, MASVS/MASTG, API Security Top 10 2023, MITRE ATT&CK); Workstream 4 (CIS Benchmarks, NIST SP 800-53/171/207, CSA CCM v4); Workstream 5 (Purdue, IEC 62443-3-2/3-3, NIST SP 800-82); Workstream 6 (IEC 62443-2-1/3-2, passive traffic analysis, Permit-to-Work). All work must be traceable to international standards and South African regulations.
Experience & Qualifications
Source: SCOPE OF WORK - CISO_ 10372224.pdfMandatory key personnel and minimum credentials: Engagement Director (18 years cyber, 8 years client-facing, CISSP + CISM/CRISC, led multisite critical infrastructure programmes); Lead Consultant - Strategy & Maturity (15 years cyber advisory, CISSP/CISM, lead-author on ≥3 NIST CSF assessments, degree in Computer Science/Engineering/Information Systems, SSA Vetted); Penetration Testing Lead (12 years offensive security, CREST CCT App/Inf or OSCE3/OSCP+OSWE/OSEP, led large-scale VAPT programmes); OT/ICS Cybersecurity Lead (12 years industrial environments, 6 years OT cyber, GICSP/IEC 62443 Cybersecurity Expert, ≥2 operational OT assessments in rail/energy/oil & gas/utilities/transport); Security Architecture Lead (12 years, SABSA Chartered SCF/SCP or TOGAF, CCSP/hyperscaler Security Specialty, Zero Trust experience); Cloud Security Lead (10 years cyber, 5 years cloud, CCSK/CCSP, AWS Security Specialty, Microsoft SC-100/AZ-500, CIS/CSA CCM experience); GRC & Compliance Lead (12 years GRC/audit, CISA + CRISC/ISO 27001 Lead Implementer/Auditor, POPIA/King IV/NIST CSF alignment); Project Manager (10 years, PMP/PRINCE2 Practitioner, critical infrastructure cyber programme delivery, full-time allocation).
Quality Management
Source: SCOPE OF WORK - CISO_ 10372224.pdfBidder must operate a documented quality management approach: named Quality Assurance Lead (independent of delivery team) reviews all external deliverables; compliance with ISO 9001:2015; defined acceptance criteria per deliverable; internal peer review and sign-off before submission; lessons-learned capture at each phase gate. Deliverable acceptance process: draft submission → PRASA feedback (10 business days) → revised submission → formal acceptance. Failure to achieve acceptance within two revision cycles triggers an issue under the contract.
Pricing Schedule
Source: SCOPE OF WORK - CISO_ 10372224.pdfPricing structure: Stage 3 evaluation (Price 80 points, Specific Goals 20 points). Bid must include: detailed cost breakdown for all nine workstreams; CapEx/OpEx envelopes by year; indicative investment plan with sensitivity analysis; quick-wins package (90-day initiatives); Year-One Execution Plan costs. Optional components (e.g., Breach and Attack Simulation) must be separately priced. Payment milestones: tied to deliverable acceptance (e.g., Inception Report, PMP, RoE, Strategy/Roadmap, GRC platform handover). Final payment contingent on operational handover and training completion (e.g., GRC platform administrator readiness).
Financial Requirements
Source: SCOPE OF WORK - CISO_ 10372224.pdf (RFQ)Pricing evaluation: Price (80 points), Specific Goals (20 points). Bid must include indicative costs for all workstreams, with CapEx/OpEx breakdowns, sensitivity analysis, and financial envelopes by year. Payment is contingent on deliverable acceptance and operational handover (e.g., GRC platform training completion).
Compliance Requirements
Source: SCOPE OF WORK - CISO_ 10372224.pdf (RFQ)Mandatory compliance: ISO/IEC 27001:2022 certification for handling PRASA data, IEC 62443/OT cybersecurity capability (e.g., GICSP, ISA/IEC 62443 certifications). Regulatory alignment: POPIA, Cybercrimes Act, National Cybersecurity Policy Framework (NCPF), King IV, NIST CSF 2.0, ISO/IEC 27001:2022. Data protection: POPIA compliance, AES-256 encryption at rest, TLS 1.2+ in transit, data residency in South Africa, secure destruction of data post-engagement. Safety: ISO 45001:2018 OH&S management system, Permit-to-Work, PPE, Occupational Health and Safety Act compliance.
Health & Safety
Source: SCOPE OF WORK - CISO_ 10372224.pdfAll on-site work (Workstreams 5, 6, or physical visits) must comply with PRASA's SHEQ regime. Requirements: documented OH&S management system aligned to ISO 45001:2018; valid Public Liability and Professional Indemnity insurance; PPE (high-visibility clothing, safety footwear, eye protection); Permit-to-Work, Site Induction, and Safety Briefing compliance; adherence to Occupational Health and Safety Act. Safety-critical constraint: No active/intrusive testing on safety-critical OT systems (signalling, traction, brake, train protection) without explicit written authorisation from Group COO, Engineering Executive, OEM, and CISO. Assessment limited to passive observation, design/configuration review, and procedural review under Permit-to-Work.
Environmental
Source: SCOPE OF WORK - CISO_ 10372224.pdfEnvironmental considerations are implicit in PRASA's operational context. Bidder must ensure: data residency compliance (certain data classes may be required to remain in South Africa); secure handling of evidence and findings (AES-256 encryption at rest, TLS 1.2+ in transit); minimal disruption to operations during testing; adherence to PRASA's SHEQ requirements for on-site work. No explicit environmental deliverables are specified, but sustainability and risk mitigation are embedded in the guiding principles (e.g., safety-first, evidence-driven).
Contractual Terms
Source: SCOPE OF WORK - CISO_ 10372224.pdfContract duration: 12 months (6 months core delivery + 6 months handholding). Governance structure: Tier 1 (Executive Sponsorship: Group CEO, GCIO), Tier 2 (Cybersecurity Steering Committee: chaired by GCIO, bi-weekly/weekly meetings), Tier 3 (Programme Delivery Forum: weekly, daily stand-ups during testing). RACI: PRASA CIO accountable for scope confirmation, RoE approval; bidder responsible for methodology, evidence collection, deliverable production. Intellectual property: PRASA owns all deliverables; bidder retains rights to generic methodologies. Confidentiality: POPIA compliance, NDAs, encrypted repositories (AES-256), data residency in South Africa. Risk management: Programme Risk Register and Issue Log maintained; critical risks notified within 4 hours.
Section
Source: SCOPE OF WORK - CISO_ 10372224.pdfEvaluation is multi-stage: Stage 1A (Mandatory Compliance - Substantive Responsiveness), Stage 1B (Basic Compliance - Administrative Responsiveness), Stage 2 (Technical/Functionality), Stage 3 (Pricing 80 points, Specific Goals 20 points). Mandatory requirements: completed RFQ documentation, ISO/IEC 27001:2022 certification, OT cybersecurity capability (IEC 62443/GICSP). Technical evaluation assesses alignment with guiding principles: standards-led (NIST, ISO, IEC), risk-based prioritisation, evidence-driven findings, safety-first (SHEQ compliance), minimal disruption, knowledge transfer, and defensible execution. Out of scope: tool implementation (except GRC), SOC/MDR operations, red teaming, active testing on safety-critical OT systems.
These rules commonly apply to South African public-sector procurement.
Act 53 of 2003
Provides the empowerment-compliance context often used in public-sector supplier evaluation.
Relevant because this is a South African public-sector procurement opportunity.
Act 108 of 1996 (s217)
Sets the constitutional standard for fair, equitable, transparent, competitive and cost-effective public procurement.
Relevant because this is a South African public-sector procurement opportunity.
Act 5 of 2000
Covers preferential procurement and preference-point systems used in public tenders.
Relevant because this is a South African public-sector procurement opportunity.
Act 12 of 2004
Supports anti-corruption controls and supplier integrity in procurement processes.
Relevant because this is a South African public-sector procurement opportunity.
Act 28 of 2024
Provides the national framework for public procurement across government.
Relevant because this is a South African public-sector procurement opportunity.
Act 2 of 2000
Supports access to tender records, award decisions and public-sector procurement information.
Relevant because this is a South African public-sector procurement opportunity.
Act 3 of 2000
Supports lawful, reasonable and procedurally fair administrative tender decisions.
Relevant because this is a South African public-sector procurement opportunity.
This is general procurement context, not legal advice. Always verify requirements in the official tender documents and issuing authority notices.
SCOPE OF WORK - CISO_ 10372224.pdf
PRASA seeks a qualified service provider to deliver a comprehensive cybersecurity program, including maturity assessments, security architecture reviews, VAPT, critical asset reviews, IT/OT integration testing, OT site assessments, cybersecurity strategy/roadmap, CISO support, and an automated GRC platform. The project aims to strengthen PRASA's cybersecurity posture across IT and OT environments, with a focus on critical infrastructure protection, compliance, and long-term governance.
To download these documents and access AI-powered analysis, visit the main tender page.
Organization
Passenger Rail Agency of South Africa (PRASA)Contact Person
Annah Hlaele
Phone
011-013-0411
[email protected]
Address
30 WOLMARANS STREET - JOHANNESBURG - JOHANNESBURG - 2001
Source confidence
High source confidence
Official source
eTenders.gov.za
Documents found
2
Last checked
06 Jul 2026
AI status
Enhanced
This tender has strong source evidence, including source metadata and supporting tender information synced from the government tender portal.
Tenders SA is not the issuing authority. All tenders are automatically synced from the official government tender portal. Always confirm final submission details, closing dates, briefing sessions, eligibility requirements, and documents on the official government portal before applying.
PRASA manages and operates South Africa's passenger rail and long-distance bus services.
Key Personnel
Credentials
CISSP or CISM; SSA Vetting required
Role
Penetration Testing Lead
Experience
12 years in offensive security
Credentials
CREST CCT App/Inf (or OSCE3/OSCP + OSWE/OSEP)
Role
OT/ICS Cybersecurity Lead
Experience
12 years in industrial environments, 6 years in OT assessments (rail/energy/transport)
Credentials
GICSP or IEC 62443 Cybersecurity Expert
Role
Security Architecture Lead
Experience
12 years in architecture roles
Credentials
SABSA Chartered (SCF/SCP) or TOGAF + CCSP/hyperscaler Security Specialty
Role
Cloud Security Lead
Experience
10 years in cyber, 5 years in cloud
Credentials
CCSK/CCSP + AWS/Azure Security Specialty
Role
GRC & Compliance Lead
Experience
12 years in GRC/compliance/audit
Credentials
CISA + (CRISC or ISO 27001 Lead Implementer/Auditor)
Role
Project Manager
Experience
10 years in program delivery, preferably in critical infrastructure
Credentials
PMP or PRINCE2 Practitioner
General
Description
Source: RFQ FOR CISO 10372224.docxImportant Dates
Source: RFQ FOR CISO 10372224.docx (unknown)Contact Information
Source: RFQ FOR CISO 10372224.docx (unknown)Submission Guidelines
Source: RFQ FOR CISO 10372224.docx (unknown)Evaluation Criteria
Source: RFQ FOR CISO 10372224.docx (unknown)Mandatory
Preferential
Disqualification
Technical Specifications
Source: RFQ FOR CISO 10372224.docx (unknown)Financial Requirements
Source: RFQ FOR CISO 10372224.docx (unknown)Compliance Requirements
Source: RFQ FOR CISO 10372224.docx (unknown)Data conflicts
None detected
Get deep intelligence on Administrative and support activities. Unlock full pricing strategies, bid frequency, and historical win rates.