The Cyber Security Authority (CSA) has announced the commencement of the process to license Cybersecurity Service Providers (CSPs), accreditation of Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs).
The licensing and accreditation regime which will take effect from March 1, 2023, will apply to existing and new CSPs, CEs and CPs.
This is pursuant to the Cybersecurity Act, 2020 (Act 1038), sections 4(k), 49, 50, 51, 57 and 59, which mandates the Authority to regulate the above activities.
Ensuring regulatory compliance
Announcing the impending exercise in a statement to the B&FT, the CSA said the intent of the regime was to ensure regulatory compliance with the Cybersecurity Act, 2020 (Act 1038).
It was also to certify that CSPs, CEs and CPs offer their services in accordance with approved standards and procedures “in line with domestic requirements and industry best practices,” explained the Authority.
The CSA would start licensing Cybersecurity Service Providers in five key areas, namely; Vulnerability Assessment and Penetration Testing (VAPT), Digital Forensics Services, Managed Cybersecurity Services, Cybersecurity Governance, Risk and Compliance (GRC) and Cybersecurity Training.
“Cybersecurity professionals who have the relevant qualifications, demonstrable competence and industry experience shall also be accredited in the above areas as part of the regulations,” the Authority said.
The accreditation of Cybersecurity Establishments would also apply to Digital Forensics facilities and Managed Cybersecurity Service facilities operating in the country.
Licensing and Accreditation Regime
Prior to the promulgation of the Cybersecurity Act, 2020 (Act 1038) and the establishment of the Cyber Security Authority (CSA), no government institution had the mandate to regulate cybersecurity service providers (CSP), cybersecurity establishments (CEs) and cybersecurity professionals (CPs) and the sector was generally not regulated.
It has become necessary that the industry is regulated by the CSA, to control cybersecurity risks and to protect the interests and safety of the Public, Children, Businesses, and Government.
And, with the increasing rate of cybercrimes, CSPs, CEs and CPs have become critical components for mitigating cybersecurity threats and vulnerabilities within Ghana’s fast-developing digital ecosystem in line with the Cybersecurity Act, 2020 (Act 1038).
Furthermore, national security considerations are driving regulations in the sector to ensure only persons and institutions which are qualified and in good standing undertake these critical services.
Regulating cyberspace provides tangible opportunities
Commenting on the move in an earlier B&FT report, the Acting Director General of the CSA, Albert Antwi-Boasiako, stated beyond the primary goal of protecting and securing the digital ecosystem, regulating the cybersecurity space would provide professionals within that environment with employment opportunities.
According to him, specific areas within the Authority’s framework would require professionals with specific skill sets to execute.
“If you look at the CSA directives on what is referred to as Critical Information Infrastructure, you will find that there are certain positions outlined. For instance, you have the top officer who will definitely be someone who acts as the chief information security officer.
“Within that office, there is one holding the managerial position, so you have to employ at least another five people in addition,” he said during a forum on Ghana’s cybersecurity regulations and opportunities for industry players and professionals,” he stated.