The Egmont Group Secretariat has issued a request for proposals for an independent external security audit of the Egmont Group IT system, aimed at assessing compliance with its security, confidentiality and access-control requirements. The platform uses Microsoft Entra ID, Microsoft 365 and Microsoft Azure to support secure communications, controlled access and encrypted data storage. The scope covers manual testing, including external penetration testing aligned with Microsoft Cloud Penetration Testing Rules of Engagement; technical configuration and automated security assessments; and threat risk analysis covering malware, viruses and phishing. The audit will examine identity and access management (including audit trails), key generation and management, virtual machine access controls, end-to-end encryption and secure data storage, and Hardware Security Module hardening, alongside a compliance gap analysis against NIST, ISO/IEC 27001 and other applicable standards. A stated requirement is that only designated users may access system data; administrators, third parties and service providers are not permitted to access it. Deliverables must include documented findings, recommendations and a proposed Plan of Action. The final report must be completed within three weeks of project kick-off, with at least two draft review rounds. Proposals are due by 13 March 2026 and must include a scope and project plan, fees and payment terms, evidence of relevant experience and certifications, proof of appropriate security clearance, and confirmation that all audit staff are directly employed by the vendor.