CSA, stakeholders to engage over accreditation regime


The Cyber Security Authority (CSA) is expected to further engage players and stakeholders in the country’s cybersecurity ecosystem to address challenges associated with the implementation of its accreditation and licencing regime.

The authority earlier this year announced plans to licence Cybersecurity Service Providers (CSPs) and give accreditation to Cybersecurity Establishments (CEs) and Cybersecurity Professionals (CPs).

The licencing and accreditation regime – which was to take effect from March 1, 2023 – will apply to existing and new CSPs, CEs and CPs. This is according to the Cybersecurity Act, 2020 (Act 1038), sections 4(k), 49, 50, 51, 57 and 59, which mandate the authority to regulate the above activities.

Speaking exclusively to the B&FT, CSA’s acting Director in charge of capacity building and awareness creation, Alex Oppong, said the engagements will court the needed industry support for the accreditation and licencing regime.

“We believe in as much as we have that mandate to regulate… we still need to collaborate with all these parties to ensure we all have a good understanding of why we are doing this and how we want it done, to ensure that going forward we have the resilient and secure digital system we are trying to build,” he stated.

He said implementing the accreditation and the licencing regime will ensure the providers of cybersecurity services in the country are competent and experienced persons, and organisations with integrity “because the services involved are very intrusive”.

“So, the licencing and accreditation regime takes all of these things into account; and we want to make sure we have ethical professionals within the ecosystem which allow Ghana’s cyberspace to be as safe as possible,” he stated.

Number of CSPs, CEs and CPs not encouraging

Answering a question on how many CSPs, CEs and CPs have been licenced and accredited by the Authority since the start of the exercise on March 1, 2023, Mr. Oppong responded without equivocation that “the numbers aren’t the most encouraging at the moment”.

“That’s the reason we at the Cyber Security Authority believe our constituents need more hand-holding. That’s why we are engaging organisations like ISACA [Accra Chapter] which have several members that fall under the umbrella of cybersecurity professionals… speak to them, listen to them and resolve where the challenges are in terms of the process,” he explained.

Cracking the whip

Jennifer Mensah, who is the CSA’s lead on legal and compliance issues, added that even though implementation of the licencing and accreditation regime is in its early days, the authority may be forced to crack the whip if apathy toward the exercise lingers after extensive engagements.

“It’s mandatory for cybersecurity service providers to obtain a licence per section 49 of the Cyber Security Act; and if you are in violation of the law there are administrative penalties. But since we just started… we are giving a grace period from March up until September to give opportunity for all entities to comply; so, we won’t start cracking the whip today,” she said.


Meanwhile, some aggrieved cybersecurity professionals have warned that the Authority’s “intrusive” requirements for securing licence and accreditation could lead to the nascent industry’s death.

According to them, the long list of requirements to be met – including a background check and three recommendation letters before one can secure a licence and accreditation – could stifle the industry’s growth and expose the country to cyber-attacks.

“It shouldn’t always be about revenue mobilisation, licencing and all that. It should be about how to increase the cybersecurity knowledge here. A lot of us belong to ISACA and other organisations, and the volume of knowledge that we get from our local chapter and international mother organisations is what we are using to protect our cyberspace,” said Bambakia Christian, who is a senior Information Technology Information Services Auditor at the Ghana Ports and Harbours Authority, during the 3rd IT Audit, Cyber Security and Risk conference organised by ISACA Accra Chapter last week.
