CSA || Licensing and Accreditation

LICENSING OF CYBERSECURITY SERVICE PROVIDERS (CSPs), ACCREDITATION OF CYBERSECURITY ESTABLISHMENTS (CEs) AND CYBERSECURITY PROFESSIONALS (CPs)

The Cyber Security Authority (CSA) has been established by the Cybersecurity Act, 2020 (Act 1038) to regulate cybersecurity activities in the country. Pursuant to sections 4(k), 49, 50, 51, 57 and 59 of the Cybersecurity Act, 2020, the Authority hereby announces the commencement of the process of licensing Cybersecurity Service Providers (CSPs), and accreditation of Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs).

The Licensing of CSPs and the accreditation of CEs and CPs is to ensure

Regulatory compliance with the Cybersecurity Act, 2020 (Act 1038)
CSPs, CEs, and CPs offer their services in accordance with approved standards and procedures in line with domestic requirements and industry best practices

All enquiries may be directed to compliance@csa.gov.gh. You can also refer to the Frequently Asked Questions

Licensing of Cybersecurity Service Providers

Accreditation of Cybersecurity Establishments

Accreditation of Cybersecurity Professionals

Click to Register or Login

S/N	REGULATORY ACTIVITY	DESCRIPTION	SERVICES/APPLICABILITY	COMMENCEMENT DATE
1	Licensing of Cybersecurity Service Providers	This licensing regime applies to existing and new CSPs. A CSP is an entity licensed under Act 1038 to provide a cybersecurity service. A cybersecurity service is a service for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to a person, and includes the services enumerated in the First Schedule of Act 1038. page 62-63	Under this regulatory activity, licensing will consider service providers implementing the following responsibilities: 1. Vulnerability Assessment and Penetration Testing: Services that assess, test, or evaluate the cybersecurity of a computer or computer system by searching for vulnerabilities in a computer system and probing the computer or computer system through the identified vulnerabilities to determine the best mitigation technique. 2. Digital Forensics Services: Services that focus on the identification, acquisition, preservation, processing, analysis and reporting on data stored in electronic format or evidence to support legal proceedings (corporate, administrative, or criminal proceedings). 3. Managed Cybersecurity Services: Managed Cybersecurity Services entail the provision of security services, including threat monitoring, detection, prevention, mitigation, response, and security advisory. Computer Emergency Response Teams (CERT) and Security Operation Centre (SOC) are considered Managed Security Services. 4. Cybersecurity Governance, Risk and Compliance: Cybersecurity Governance, Risk and Compliance services entail services which address cybersecurity governance issues, cybersecurity risk management advisory as well as compliance related management practices. 5. Cybersecurity Training: This service entails training in any of the areas specified under the First Schedule of Act 1038.page 62-63	March 1, 2023
2	Accreditation of Cybersecurity Establishments	The accreditation regime applies to existing and new CEs. CEs include digital forensic laboratories and managed cybersecurity service facilities established to investigate cybercrimes and mitigate cybersecurity incidents	Under this category, accreditation will take into cognizance the following: 1. Digital Forensics Facility: A facility established and equipped with the requisite technology and standard operating procedures for the identification, acquisition, preservation, processing, analysis and reporting on data stored in electronic format or evidence to support legal proceedings (corporate, administrative, or criminal proceedings). 2. Managed Cybersecurity Service Facility: A facility established and equipped with the requisite technology and standard operating procedures for the provision of security services including threat monitoring, detection, prevention, mitigation, response, and security advisory. Computer Emergency Response Teams (CERT) and Security Operation Centres (SOC) are considered Managed Security Service Facilities.	March 8, 2023
3	Accreditation of Cybersecurity Professionals	This accreditation applies to all CPs and provide the general and specific accreditation procedures and requirements for CPs in Ghana. This aims to ensure that persons who hold themselves out as CPs are, first of all, fit and proper to render such services, given the sensitive nature of cybersecurity. Further, this is to ensure that these CPs have the requisite skillset and competence; and meet the set standards for offering sufficient protection of the computer systems and networks in our digital ecosystem.	Under this category, accreditation applies to professionals with requisite qualification and experience in the following services: 1. Vulnerability Assessment and Penetration Testing 2. Digital Forensics Services 3. Managed Cybersecurity Services 4. Cybersecurity Governance, Risk and Compliance	March 15, 2023

S/N

REGULATORY ACTIVITY

DESCRIPTION

SERVICES/APPLICABILITY

COMMENCEMENT DATE

1

Licensing of Cybersecurity Service Providers

This licensing regime applies to existing and new CSPs. A CSP is an entity licensed under Act 1038 to provide a cybersecurity service. A cybersecurity service is a service for reward that is intended primarily for or aimed at ensuring or safeguarding the cybersecurity of a computer or computer system belonging to a person, and includes the services enumerated in the First Schedule of Act 1038. page 62-63

Under this regulatory activity, licensing will consider service providers implementing the following responsibilities:

1. Vulnerability Assessment and Penetration Testing: Services that assess, test, or evaluate the cybersecurity of a computer or computer system by searching for vulnerabilities in a computer system and probing the computer or computer system through the identified vulnerabilities to determine the best mitigation technique.

2. Digital Forensics Services: Services that focus on the identification, acquisition, preservation, processing, analysis and reporting on data stored in electronic format or evidence to support legal proceedings (corporate, administrative, or criminal proceedings).

3. Managed Cybersecurity Services: Managed Cybersecurity Services entail the provision of security services, including threat monitoring, detection, prevention, mitigation, response, and security advisory. Computer Emergency Response Teams (CERT) and Security Operation Centre (SOC) are considered Managed Security Services.

4. Cybersecurity Governance, Risk and Compliance: Cybersecurity Governance, Risk and Compliance services entail services which address cybersecurity governance issues, cybersecurity risk management advisory as well as compliance related management practices.

5. Cybersecurity Training: This service entails training in any of the areas specified under the First Schedule of Act 1038.page 62-63

March 1, 2023

2

Accreditation of Cybersecurity Establishments

The accreditation regime applies to existing and new CEs. CEs include digital forensic laboratories and managed cybersecurity service facilities established to investigate cybercrimes and mitigate cybersecurity incidents

Under this category, accreditation will take into cognizance the following:

1. Digital Forensics Facility: A facility established and equipped with the requisite technology and standard operating procedures for the identification, acquisition, preservation, processing, analysis and reporting on data stored in electronic format or evidence to support legal proceedings (corporate, administrative, or criminal proceedings).

2. Managed Cybersecurity Service Facility: A facility established and equipped with the requisite technology and standard operating procedures for the provision of security services including threat monitoring, detection, prevention, mitigation, response, and security advisory. Computer Emergency Response Teams (CERT) and Security Operation Centres (SOC) are considered Managed Security Service Facilities.

March 8, 2023

3

Accreditation of Cybersecurity Professionals

This accreditation applies to all CPs and provide the general and specific accreditation procedures and requirements for CPs in Ghana. This aims to ensure that persons who hold themselves out as CPs are, first of all, fit and proper to render such services, given the sensitive nature of cybersecurity. Further, this is to ensure that these CPs have the requisite skillset and competence; and meet the set standards for offering sufficient protection of the computer systems and networks in our digital ecosystem.

Under this category, accreditation applies to professionals with requisite qualification and experience in the following services:

1. Vulnerability Assessment and Penetration Testing
2. Digital Forensics Services
3. Managed Cybersecurity Services
4. Cybersecurity Governance, Risk and Compliance

March 15, 2023