port254

Services

Six services covering the core obligations under Kenya's CII Regulations. Each is mapped directly to Legal Notice 44 of 2024.

Service 01

CII Risk Assessment & Risk Register

Reg 17: Annual Risk Assessment | Reg 31(2)(j)(l): Risk Register

Annual cybersecurity risk assessment is mandatory for all designated CII owners. The 12-month deadline from commencement fell in February 2025. Most operators are already in breach. We deliver a structured assessment that satisfies the Director's compliance reporting requirements and gives your Chief Information Security Officer (CISO) a defensible risk posture.

  • Threat and vulnerability assessment across your CII environment
  • Consequence and likelihood analysis
  • Risk register creation and maintenance
  • Prioritised remediation roadmap and compliance-ready documentation

Service 02

IEC 62443 Gap Assessment

Reg 31: Baseline Security | Reg 71(3): Best Practice Standards

Regulation 71(3) permits CII owners to adopt global best practices on their own initiative. IEC 62443 is the only international standard purpose-built for SCADA (Supervisory Control and Data Acquisition) systems and industrial control systems, the kind running Kenya's energy grids, water treatment plants, and transport networks. We hold all four ISA/IEC 62443 Expert certificates and map your operational environment against the standard to produce an actionable remediation programme.

  • Asset identification, zone and conduit modelling
  • Target Security Level (SL-T) assessment
  • Gap report against Foundational Requirements
  • Vendor security requirement development

View IEC 62443 credentials →

Service 03

CII Compliance Audit Readiness

Reg 31(2)(k): Annual Internal Audit | Reg 46–50: Audit & Reporting

Under Regulations 44–50, designated CII owners are subject to formal compliance audits by the Director of NC4, the National Computer and Cybercrimes Co-ordination Committee, Kenya's CII enforcement authority. Auditors can enter your premises with 30 days' notice and require production of documents. They work from Form CMCA 6, a prescribed audit template covering network, system, data, application, and physical security. We conduct pre-audit readiness assessments against this exact template so gaps are found before the auditors arrive.

  • Pre-audit gap assessment (CMCA 6 structure)
  • Network, system and data security review
  • Physical security assessment
  • Compliance report drafting (Reg 46) and audit support

Service 04

Penetration Testing

Reg 39(d): Security Audits & Pentest | Reg 29(2)(b): Access Limitation

Regulation 39(d) explicitly requires regular security audits and penetration testing for critical information infrastructure. We hold OSCP and OSEP certifications. Testing is designed for operational environments, identifying vulnerabilities in SCADA, ICS (Industrial Control Systems), and IT/OT boundary systems without disrupting live processes.

  • Industrial control system and SCADA network penetration testing
  • IT/operational technology boundary and Active Directory assessment
  • Remote and virtual access path testing (Reg 39)
  • Remediation guidance and re-test

Service 05

CISO Advisory & Policy Development

Reg 32–33: CISO Designation | Reg 34: Mandatory Policies | Reg 30: Awareness Programme

Every designated CII owner must appoint a CISO who is a Kenyan citizen with a master's degree and five years' CII experience. Mandatory policies under Regulation 34 were due August 2024. We design the CISO function, develop the required policies and procedures, and provide ongoing technical advisory behind a locally-credentialed appointment.

  • CISO role design and designation support
  • Mandatory policy and procedures development (Reg 34)
  • Cybersecurity awareness programme (Reg 30)
  • Ongoing CISO advisory and technical support

Service 06

Incident Response & Business Continuity

Reg 65: Incident Reporting (24 hrs) | Reg 42: Disaster Recovery Site | Reg 31(2)(i)(m): BC/DR & Exercises

CII owners must report all cybersecurity incidents to the Sectoral Cybersecurity Operations Centre (COC) within 24 hours. Regulation 42 requires a geographically separate disaster recovery site. Without tested IR plans and a Business Continuity/Disaster Recovery (BC/DR) programme, most organisations cannot meet either obligation.

  • Incident response plan development and tabletop exercises
  • 24-hour reporting procedures and Sectoral COC coordination
  • Disaster recovery site requirements assessment (Reg 42)
  • Business continuity plan development, testing, and review

Start With a Compliance Gap Assessment

Not sure where your organisation stands against the CII Regulations? We start with a structured obligation mapping, identifying which requirements apply to your CII, what you've already met, and where the gaps are.