port254

Services

Six services covering the core obligations under Kenya's CII Regulations. Each is mapped directly to Legal Notice 44 of 2024.

Service 01

CII Risk Assessment & Risk Register

Reg 17 — Annual Risk Assessment
Reg 31(2)(j)(l) — Risk Register

An annual cybersecurity risk assessment is mandatory for all designated CII owners. The 12-month deadline from commencement fell in February 2025 — most operators are already in breach. We deliver a structured assessment that satisfies NC4 compliance requirements and gives your CISO a defensible risk posture.

  • Threat and vulnerability assessment across your CII environment
  • Consequence and likelihood analysis
  • Risk register creation and maintenance
  • Prioritised remediation roadmap and NC4-ready documentation

Service 02

IEC 62443 Gap Assessment

Reg 31 — Baseline Security
Reg 71(3) — Best Practice Standards

Regulation 71(3) permits CII owners to adopt global best practices on their own initiative. IEC 62443 is the only international standard purpose-built for SCADA, DCS, EMS, and industrial control systems. We hold all four ISA/IEC 62443 Expert certificates and map your OT environment against the standard to produce an actionable remediation programme.

  • Asset identification, zone and conduit modelling
  • Target Security Level (SL-T) assessment
  • Gap report against Foundational Requirements
  • Vendor security requirement development

View IEC 62443 credentials →

Service 03

CII Compliance Audit Readiness

Reg 31(2)(k) — Annual Internal Audit
Reg 46–50 — Audit & Reporting

NC4 auditors follow Form CMCA 6 — a structured template covering network, system, data, application, and physical security. We conduct pre-audit readiness assessments against this template, identify gaps before the auditors do, and help produce a compliance report that meets the requirements of Regulation 46.

  • Pre-audit gap assessment (CMCA 6 structure)
  • Network, system and data security review
  • Physical security assessment
  • Compliance report drafting and NC4 audit support

Service 04

Penetration Testing

Reg 39(d) — Security Audits & Pentest
Reg 29(2)(b) — Access Limitation

Regulation 39(d) explicitly requires regular security audits and penetration testing for critical information infrastructure. We hold OSCP and OSEP certifications. Testing is designed for operational environments — identifying vulnerabilities in SCADA, ICS, and IT/OT boundary systems without disrupting live processes.

  • OT/ICS network and SCADA penetration testing
  • IT/OT boundary and Active Directory assessment
  • Remote and virtual access path testing (Reg 39)
  • Remediation guidance and re-test

Service 05

CISO Advisory & Policy Development

Reg 32–33 — CISO Designation
Reg 34 — Mandatory Policies
Reg 30 — Awareness Programme

Every designated CII owner must appoint a CISO — Kenyan citizen, master's degree, five years' CII experience. Mandatory policies under Regulation 34 were due August 2024. We design the CISO function, develop the required policies and procedures, and provide ongoing technical advisory behind a locally-credentialed appointment.

  • CISO role design and designation support
  • Mandatory policy and procedures development (Reg 34)
  • Cybersecurity awareness programme (Reg 30)
  • Ongoing CISO advisory and technical support

Service 06

Incident Response & Business Continuity

Reg 65 — Incident Reporting (24 hrs)
Reg 42 — Disaster Recovery Site
Reg 31(2)(i)(m) — BC/DR & Exercises

CII owners must report all cybersecurity incidents to the Sectoral COC within 24 hours. Regulation 42 requires a geographically separate disaster recovery site. Without tested IR plans and a BC/DR programme, most organisations cannot meet either obligation.

  • Incident response plan development and tabletop exercises
  • 24-hour reporting procedures and Sectoral COC coordination
  • Disaster recovery site requirements assessment (Reg 42)
  • Business continuity plan development, testing, and review

Start With a Compliance Gap Assessment

Not sure where your organisation stands against the CII Regulations? We start with a structured obligation mapping — identifying which requirements apply to your CII, what you've already met, and where the gaps are.

Get in Touch

Understand the Regulations