port254

Form CMCA 6

The prescribed NC4 audit template for designated CII owners. Seven sections covering everything the auditor examines, from network configuration to physical security to regulatory compliance. This is what you need to be ready for.

Authority

Form CMCA 6 [r.49(4)] is the prescribed audit template under the Computer Misuse and Cybercrimes (CII and Cybercrime Management) Regulations. The Director of NC4 (the National Computer and Cybercrimes Co-ordination Committee) is the enforcement authority.

Notice

Under Regulation 46, NC4 can require a designated CII owner to undergo a compliance audit. Auditors may enter premises and require production of documents. You have 30 days from the audit notice to be ready.

What We Do

We run pre-audit readiness assessments against this exact template, finding gaps before auditors do. Each section below maps to a specific port254 service. CII Compliance Audit Readiness →

Section 1 Contact & Demographic Information
1.1: Details of the Auditor
Name of Auditor
Organisational Affiliation
Telephone / Email
Date Audited
1.2: Details of the Organisation Audited
Name of Organisation
Address
Name of CISO (Chief Information Security Officer)
CISO Phone / Email
Point of Contact (Phone / Email)

Type of Organisation

Government of Kenya
Critical Information Infrastructure
Private Sector

CISO is mandatory. Under Regulation 32, every designated CII owner must appoint a named CISO: a Kenyan citizen with a master's degree in Information Security, Computer Science, or IT, and at least five years' experience in CII protection. If your CISO is not formally designated, this section of the audit cannot be completed satisfactorily.

Section 2 Introduction
  • 2.1 Purpose of the Audit: The auditor states the objective: assessing compliance with the Computer Misuse and Cybercrimes Act and the CII Regulations.
  • 2.2 Scope of the Audit: Auditors define which systems, sites, and functions are in scope. Your asset inventory (Reg 31(2)(a)) is the document they work from.
  • 2.3 Methodology: How the auditor will conduct the review: document inspection, interviews, technical testing, site visits.

Asset inventory is the foundation. If you cannot produce a complete, classified asset register at the start of the audit, the scope cannot be properly agreed, and auditors will note the absence. Asset identification and cataloguing is a mandatory obligation under Regulation 31(2)(a).

Section 3 Audit Findings

The core of the audit. Auditors examine five domains and record findings under each. Every item is a point of evidence: you either have documented controls and can produce them, or you don't.

3.1: Network Security
  • 3.1.1 Firewall configuration and rules
  • 3.1.2 Intrusion Detection and Prevention Systems (IDPS)
  • 3.1.3 Network Access Control
  • 3.1.4 Wireless network security
  • 3.1.5 VLAN (Virtual Local Area Network) segmentation
3.2: System Security
  • 3.2.1 Operating system patching and updates
  • 3.2.2 Antivirus and endpoint security
  • 3.2.3 Secure configuration of servers and endpoints
  • 3.2.4 Access control to critical systems
3.3: Data Security
  • 3.3.1 Data classification and handling procedures
  • 3.3.2 Data encryption at rest and in transit
  • 3.3.3 Data backup and disaster recovery
3.4: Application Security
  • 3.4.1 Secure coding practices
  • 3.4.2 Web application security
  • 3.4.3 Application authentication and authorisation
3.5: Physical Security
  • 3.5.1 Access control to data centres and server rooms
  • 3.5.2 Surveillance and monitoring

OT environments need separate treatment. The audit template addresses IT security domains. For designated CII owners running SCADA (Supervisory Control and Data Acquisition) systems, industrial control systems, or energy management systems, the same domains apply, but the controls, tools, and constraints are fundamentally different. Standard IT security tools cannot be applied to live operational technology without risk to operations. IEC 62443 provides the correct technical framework for sections 3.1–3.3 in OT environments.

Section 4 Risk Assessment
  • 4.1 Identified Risks: The auditor documents risks found across the organisation's CII environment.
  • 4.2 Risk Analysis / Posture: Assessment of likelihood, consequence, and current risk posture. This is compared against your own risk register.
  • 4.3 Risk Mitigation Recommendations: Auditor's recommendations for closing identified gaps.

Your annual risk assessment (Reg 17) is the primary input here. Auditors will compare your own risk register against what they observe. If you have no documented risk assessment, or the last one was conducted more than 12 months ago, Section 4 becomes an immediate finding. The 12-month deadline from commencement of the Regulations fell in February 2025.

Section 5 Compliance Assessment
  • 5.1 Regulatory Compliance: Direct assessment against the Computer Misuse and Cybercrimes Act and the CII Regulations (Legal Notice 44 of 2024). Every mandatory obligation is checked.
  • 5.2 Industry Standards: The template references ISO 27001 and NIST as benchmark standards. Compliance with recognised standards supports your overall posture.

IEC 62443 is not explicitly listed in the template, but it is the right standard for OT environments. ISO 27001 and NIST were designed for IT security. For energy, water, and transport CII operators running industrial control systems, IEC 62443 is the internationally recognised best practice. Under Regulation 71(3), CII owners may identify and adopt global best practices on their own initiative. IEC 62443 is the defensible standard to present in Section 5.2 for operational technology environments.

Section 6 Conclusion
  • 6.1 Summary of Findings: Overall assessment of the organisation's cybersecurity posture across all domains.
  • 6.2 Strengths and Weaknesses: What you do well, and where material gaps exist. These findings are recorded formally.
  • 6.3 Recommendations: Required remedial actions. Under Regulation 50, the Director may issue a compliance order requiring you to act on these within a specified period.

A compliance order has legal force. Under Regulation 50, if the audit finds material non-compliance, the Director of NC4 can issue a formal compliance order specifying what must be done and by when. Failure to comply is an offence under the Act.

Section 7 Appendices
  • 7.1 Detailed Audit Methodology: The procedures the auditor followed: document review, interviews, technical testing, site inspection.
  • 7.2 Glossary of Terms
  • 7.3 References

For OT / ICS Operators

Standard IT Audit Controls Don't Apply to Industrial Systems

The CMCA 6 template was written for IT security environments. For designated CII owners running SCADA, distributed control systems (DCS), or energy management systems, network segmentation, patching, access control, and endpoint security all work differently. You cannot patch a running turbine on the same cycle as a corporate server. You cannot run endpoint security agents on a programmable logic controller. The approach must be adapted to operational constraints without weakening the compliance position. IEC 62443 provides that adaptation: it is the only international standard purpose-built for this environment, and under Regulation 71(3) it is the appropriate framework to present alongside the CMCA 6 findings.

We Prepare You For Every Section of This Template

Our CII Compliance Audit Readiness service runs a pre-audit gap assessment against Form CMCA 6, finding and closing weaknesses before NC4 auditors arrive. We also prepare the compliance documentation your CISO needs to present at each section.
