Extension to Request for Proposal (RFP)
for IT Managed Service
www.globalrightscompliance.com
Stichting “Global Rights Compliance Foundation”, Prinses Margrietplantsoen 33, 2595 AM Gravenhage Nederland Kvk number 70 048436, RSIN number 85811884.
To : Offerors
From : Global Rights Compliance Foundation (www.globalrightscompliance.com)
Subject : Request for Proposal (RFP) No: P26-015 IT Managed Service
RFP Issue Date : 16.03.2026
RFP Closing Date : 26.03.2026
RFP Extended Closing Date: 10.04.2026
RFP Closing Time : 17:00 CET Time
The successful firm will be notified via e-mail.
Enclosed is a Request for Proposal (RFP) for an IT Managed Service. Global Rights Compliance Foundation invites qualified firms and organisations to submit a best-price proposal for the mentioned service. The issuance of a subcontract is subject to availability of funds, successful negotiation of the subcontract budget and terms, and receiving client consent, if required. The Contract resulting from this award will be a single firm fixed price purchase order.
General Background
Global Rights Compliance is an international human rights legal practice based in the UK and the Netherlands, specialising in international human rights, criminal, and humanitarian law. We have a dedicated Business and Human Rights Unit focused on providing advice to businesses, public sector institutions, civil society organisations, and investors on both the legal and practical aspects of human rights due diligence, responsible business conduct, as well as heightened human rights due diligence in conflict-affected and high-risk areas.
Purpose and Objective of the Service
Global Rights Compliance currently operates a multi-project environment that relies heavily on secure and reliable IT infrastructure to support operational delivery, communication, and data protection. As the organization continues to grow in operational complexity and technology dependency, maintaining strong IT governance and security practices has become increasingly critical.
A recent internal technical review highlighted several areas where strengthening IT operational management would significantly improve the organization’s security posture, operational resilience, and compliance with internationally recognized security standards, including alignment with Cyber Essentials baseline controls.
The review indicated that while specialist cybersecurity tools and services are valuable, foundational IT management practices—such as consistent patch management, endpoint configuration control, access management, and asset inventory—are essential to maintaining a strong security posture and meeting compliance expectations.
Several operational risks were identified that may require structured and scalable IT management support, including:
- Inconsistent device patching and update management
- Limited centralized endpoint configuration management
- Growing vulnerability exposure as vulnerability scanning capabilities expand
- Limited internal capacity to remediate identified vulnerabilities at scale
- Lack of standardized privileged access management practices
- Potential gaps in asset inventory and device lifecycle management
- Increasing operational demand on the internal IT function
In addition, as the organization continues the rollout of vulnerability management capabilities through tools such as Qualys, it is expected that a greater number of vulnerabilities will be identified across endpoints and systems. Without a structured remediation and patch management process, there is a risk that vulnerabilities may accumulate faster than they can be addressed.
To strengthen IT operational management, enhance endpoint security controls, and support compliance with security standards, Global Rights Compliance is seeking to engage a qualified Managed Service Provider to deliver comprehensive IT managed services.
The Managed Service Provider will work alongside the internal IT function to improve operational efficiency, strengthen endpoint management practices, and support the implementation and enforcement of security baselines aligned with Cyber Essentials requirements.
Objectives
The objective of this assignment is to engage a Managed Service Provider capable of delivering structured, scalable, and proactive IT management services to support the organization’s operational needs and improve its security and compliance posture.
Specific objectives include:
- Strengthening endpoint configuration and device management practices
- Implementing structured and consistent patch management processes
- Supporting vulnerability remediation and risk reduction
- Enhancing asset visibility and lifecycle management
- Enforcing appropriate privileged access and account separation controls
- Improving responsiveness and efficiency of IT support services
- Supporting alignment with Cyber Essentials security requirements
Scope of the Service
The selected service provider will be expected to deliver a range of IT managed services designed to support the organization’s IT infrastructure, users, and security practices.
The scope of services may include, but is not limited to, the following areas:
Endpoint and Device Management
The service provider shall provide centralized management of organizational devices to ensure consistent configuration and security baseline enforcement.
This includes:
- Endpoint configuration management
- Standard device baseline implementation
- Monitoring device health and performance
- Endpoint security policy enforcement
- Support for both office-based and remote devices
Patch and Update Management
The service provider shall establish and maintain structured processes for operating system and application patch management.
This includes:
- Monitoring available security updates
- Deploying operating system patches in a timely manner
- Managing updates for third-party applications
- Ensuring compliance with defined patching timelines for security vulnerabilities
- Reporting patch status and compliance levels
Vulnerability Management Support
The service provider shall support the organization’s vulnerability management processes, including integration with existing vulnerability scanning platforms such as Qualys.
Responsibilities may include:
- Reviewing vulnerability scan results
- Supporting prioritization of remediation activities
- Implementing vulnerability remediation actions
- Monitoring vulnerability remediation progress
- Providing reporting on vulnerability status and risk exposure
Privileged Access and Account Management
The service provider shall support implementation of best practices relating to user access management and administrative privilege controls.
This may include:
- Implementing separation between administrative and standard user accounts
- Supporting least-privilege access principles
- Monitoring privileged account usage
- Supporting secure credential and access management practices
IT Asset Management
The service provider shall support the establishment and maintenance of an accurate and comprehensive IT asset inventory.
This includes:
- Tracking organizational devices and systems
- Maintaining asset lifecycle information
- Supporting onboarding and decommissioning of devices
- Maintaining configuration records for managed endpoints
Helpdesk and User Support Services
The service provider shall provide responsive IT support services to organizational staff.
Services may include:
- IT helpdesk support
- Incident response and troubleshooting
- Remote support for users
- Issue resolution tracking and reporting
Compliance and Security Baseline Support
The service provider shall support the organization in maintaining security practices aligned with Cyber Essentials control requirements and other relevant organizational policies.
This may include:
- Supporting implementation of secure configuration baselines
- Assisting with compliance monitoring
- Providing recommendations for security improvements
- Supporting audit readiness where applicable
Expected Outcomes
Through the engagement of a Managed Service Provider, the organization expects to achieve:
- Improved endpoint configuration and security management
- Reduced vulnerability exposure through structured patch management
- Improved visibility of IT assets and device lifecycle management
- Stronger enforcement of security controls and access management
- Faster resolution of IT issues impacting staff productivity
- Strengthened alignment with Cyber Essentials security requirements
- Enhanced operational resilience and IT governance
To be considered, Offerors should submit a complete proposal no later than the closing date and time indicated above. Offerors should ensure that the proposals are well written in English, easy to read, follow the instructions provided and contain only requested information.
Any questions should be submitted in writing and emailed to aydineksi@globalrightscompliance.co.uk, procurement@grcompliance.org no later than 8 days from the issue date of this RFP. The solicitation number should be stated in the subject line.
Proposals must be divided into two parts: Technical Proposal and Cost/Business proposal. The email subject line should be RFP for IT Manage Service and sent to aydineksi@globalrightscompliance.co.uk, procurement@grcompliance.org.
Please treat the information contained within this RFP with professional confidentiality. The successful company will be asked to sign a Non-Disclosure Agreement or Confidentiality Agreement prior to commencing with the work.
Sincerely,
GRC Procurement Department
Attachments: Link
Questionnaires: Link
Attachment I: Instructions to Offerors
Attachment II: Evaluation Criteria
Attachment III: Cover Letter
The full package can be accessed here