
Cybersecurity Policy (Kenya)


CYBERSECURITY POLICY

Computer Misuse and Cybercrimes Act No. 5 of 2018 | Data Protection Act No. 24 of 2019

Organisation: [Organisation Name] (BRS No: [BRS Number])

Registered Address: [Organisation Address]

Responsible Officer: [CIS Officer]

Effective Date: [Effective Date]

Next Review Date: [Review Date]

1. PURPOSE AND LEGAL BASIS

1.1 This Cybersecurity Policy ('Policy') of [Organisation Name] establishes the rules, controls, and responsibilities for protecting the organisation's information systems, networks, data, and digital assets from unauthorised access, cyberattacks, and data breaches.

1.2 This Policy is adopted in compliance with the Computer Misuse and Cybercrimes Act No. 5 of 2018 (which criminalises unauthorised computer access under Section 3, cyber espionage under Section 6, and phishing under Section 28), the Data Protection Act No. 24 of 2019 (which requires appropriate technical and organisational security measures under Section 41), and the guidance of the National Computer and Cybercrimes Coordination Committee (NC4) and the Communications Authority of Kenya (CA).

1.3 Compliance with this Policy is mandatory for all users of the organisation's information systems.

2. SCOPE

2.1 This Policy applies to: [Covered Systems].

2.2 This Policy applies to: [Covered Users].

2.3 Data classification levels: [Data Classification]. All information assets must be classified and handled in accordance with their classification level.

3. ACCESS CONTROL

3.1 Authentication: [Password Policy]. Each user must have a unique user account. Sharing of login credentials is prohibited under Section 3 of the Computer Misuse and Cybercrimes Act No. 5 of 2018.

3.2 Access rights must be granted on a least-privilege basis — users receive only the access required to perform their job functions.

3.3 Access rights shall be reviewed [Access Review Frequency] and immediately revoked on termination of employment or engagement.

3.4 Privileged access to critical systems requires additional authorisation and logging.

4. NETWORK AND ENDPOINT SECURITY

4.1 All devices connected to the organisation's network must have up-to-date endpoint protection software and operating system patches.

4.2 All data transmitted outside the organisation's network must be encrypted using current industry-standard protocols (TLS 1.2 or higher).

4.3 Remote access to organisational systems must use a virtual private network (VPN) or equivalent secure channel.

4.4 Use of unauthorised removable storage media (USB drives, external hard drives) on organisational systems is prohibited without prior written approval from [CIS Officer].

4.5 Cloud services used by the organisation must be approved by [CIS Officer] and governed by a Data Processing Agreement under Section 43 of the Data Protection Act No. 24 of 2019.

5. INCIDENT DETECTION AND RESPONSE

5.1 All suspected cybersecurity incidents must be reported immediately to: [Incident Reporting Contact].

5.2 Data breach notification procedure: [Breach Notification Procedure].

5.3 External authorities to notify following a cybersecurity incident: [External Reporting Bodies].

5.4 Cybersecurity incidents must be documented in an incident register maintained by [CIS Officer]. A post-incident review must be completed within 30 days of every significant incident, and this Policy updated where gaps are identified.

6. EMPLOYEE TRAINING AND AWARENESS

6.1 All users must complete cybersecurity awareness training: [Training Frequency]. Training covers phishing awareness, password hygiene, safe internet use, physical device security, and incident reporting.

6.2 Completion of training is recorded by [CIS Officer] and is a condition of continued system access.

6.3 Employees who knowingly facilitate cyberoffences may be criminally liable under Section 39 of the Computer Misuse and Cybercrimes Act No. 5 of 2018.

7. THIRD-PARTY AND SUPPLIER SECURITY

7.1 All third-party suppliers, contractors, and cloud providers with access to the organisation's systems or personal data must sign a Data Processing Agreement incorporating security obligations consistent with this Policy and the Data Protection Act No. 24 of 2019.

7.2 [Organisation Name] reserves the right to audit the cybersecurity practices of third-party suppliers on reasonable notice.

8. ENFORCEMENT AND DISCIPLINARY ACTION

8.1 Violations of this Policy will be addressed as follows: [Disciplinary Consequences].

8.2 Policy violations that constitute criminal offences under the Computer Misuse and Cybercrimes Act No. 5 of 2018 will be referred to the Directorate of Criminal Investigations (DCI) Cybercrime Unit.

9. POLICY REVIEW AND GOVERNANCE

9.1 This Policy is reviewed at minimum annually, or following a significant cybersecurity incident, material technology change, or amendment to Kenyan cybersecurity law or regulatory guidance.

9.2 The responsible officer for this Policy is [CIS Officer]. All amendments require approval by the board of directors or senior management of [Organisation Name].

APPROVED BY [Organisation Name] on [Effective Date].

Chief Executive Officer / Authorised Signatory

________________

Signature

Chief Information Security Officer / Responsible Officer

________________

Signature

Maintained by Vladislav Sergienko, Founder.

What Is a Cybersecurity Policy (Kenya)?

A Cybersecurity Policy in Kenya records the organisation's binding rules for protecting its information systems, networks, and data.

The National Computer and Cybercrimes Coordination Committee (NC4), established under Section 53 of the Computer Misuse and Cybercrimes Act No. 5 of 2018, coordinates Kenya's national cybersecurity response and provides guidance to both public and private sector organisations on minimum cybersecurity standards. The Communications Authority of Kenya (CA), established under the Kenya Information and Communications Act No. 2 of 1998, is the sector regulator for telecommunications and digital infrastructure and has published Cybersecurity Guidelines for Internet Service Providers, financial institutions, and critical information infrastructure operators in Kenya.

The Data Protection Act No. 24 of 2019, enforced by the Office of the Data Protection Commissioner (ODPC), requires every data controller and data processor in Kenya to implement appropriate technical and organisational security measures under Section 41 to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. A Cybersecurity Policy is the foundational organisational measure satisfying this requirement — it documents the security framework, assigns responsibilities, and creates an auditable record of the organisation's security posture for ODPC inspections under Section 30 of the Data Protection (General) Regulations 2021.

Financial institutions in Kenya operate under additional cybersecurity obligations. The Central Bank of Kenya (CBK) issued the Guidance on Cybersecurity for Payment Service Providers in 2021, requiring banks, payment service providers, and mobile money operators licensed under the National Payment System Act No. 39 of 2011 to maintain a documented cybersecurity policy reviewed at least annually. The Capital Markets Authority (CMA) issued cybersecurity guidance to licensed market intermediaries in 2020, requiring capital markets licensees to implement documented cybersecurity frameworks aligned with international standards.

A Kenya Cybersecurity Policy differs from a Data Breach Notification Template — which addresses the response steps after an incident has occurred — and from an Acceptable Use Policy — which governs how employees and users may use the organisation's information systems. A complete cybersecurity compliance framework requires all three instruments working together, supplemented by a Data Processing Agreement for third-party processors and a Data Subject Consent Form for personal data collection. Together these documents demonstrate to the ODPC, the NC4, and the Communications Authority of Kenya that the organisation has taken a systematic, documented approach to cyber risk management in compliance with Kenya's 2018 and 2019 digital laws.

The Kenya National Cybersecurity Strategy 2022–2027, published by the Ministry of Information, Communications and the Digital Economy, sets national targets for cybersecurity capacity building across Kenya's public and private sectors and references the Computer Misuse and Cybercrimes Act No. 5 of 2018 as the primary enforcement instrument. Organisations that suffer a material cyberattack without a documented Cybersecurity Policy face regulatory scrutiny from multiple Kenyan authorities simultaneously — the ODPC, the Communications Authority, the CBK (for financial institutions), and potentially the Directorate of Criminal Investigations (DCI) Cybercrime Unit if criminal activity is involved.

When Do You Need a Cybersecurity Policy (Kenya)?

A Kenya Cybersecurity Policy is required for any organisation that operates information systems, holds personal data, or processes financial transactions — and several Kenyan regulatory frameworks make a documented policy mandatory rather than merely advisable.

A Cybersecurity Policy is required for every data controller and data processor registered with the Office of the Data Protection Commissioner (ODPC) under Section 17 of the Data Protection Act No. 24 of 2019. The Data Protection (General) Regulations 2021 require controllers and processors to maintain documented records of their technical and organisational security measures, and an ODPC audit or investigation routinely requests the organisation's Cybersecurity Policy as the primary evidence of security governance.

A Cybersecurity Policy is needed when a financial institution — bank, microfinance institution, payment service provider, or mobile money operator — applies for or renews a licence with the Central Bank of Kenya (CBK) under the Banking Act (Cap. 488) or the National Payment System Act No. 39 of 2011. The CBK's licensing requirements include documentation of the applicant's information security framework, and the annual CBK supervisory review assesses whether the policy has been updated to address new threats.

A Cybersecurity Policy is required when an organisation applies for a licence with the Communications Authority of Kenya (CA) as an internet service provider, telecommunications provider, or content service provider under the Kenya Information and Communications Act No. 2 of 1998. The CA's Type Approval and Licensing Conditions require licensees to maintain documented cybersecurity procedures.

A Cybersecurity Policy is needed when a company tenders for government contracts in Kenya under the Public Procurement and Asset Disposal Act No. 33 of 2015. National Treasury procurement guidelines increasingly require bidders for ICT and data-handling contracts to demonstrate documented cybersecurity compliance, particularly for contracts with security-sensitive government entities.

A Cybersecurity Policy is required when an organisation onboards enterprise customers who conduct vendor due diligence before sharing commercially sensitive data. Large Kenyan corporates, multinational companies operating in Kenya, and development finance institutions such as the International Finance Corporation (IFC) routinely require suppliers and service providers to produce their Cybersecurity Policy as part of third-party risk assessments.

A Cybersecurity Policy is needed when a school, university, hospital, or NGO in Kenya handles sensitive personal data — student records, health data, or beneficiary information — and must demonstrate to donors, regulators, and accreditation bodies that personal data is protected in accordance with the Data Protection Act No. 24 of 2019 and international data governance standards.

What to Include in Your Cybersecurity Policy (Kenya)

A Kenya Cybersecurity Policy under the Computer Misuse and Cybercrimes Act No. 5 of 2018 and the Data Protection Act No. 24 of 2019 must contain the following essential elements to satisfy both regulatory requirements and practical security governance needs.

Scope and Purpose: A clear statement of the policy's scope — which systems, networks, data, employees, contractors, and third-party users it covers — and the policy's purpose by reference to the Computer Misuse and Cybercrimes Act No. 5 of 2018 and the Data Protection Act No. 24 of 2019. The policy must state that it applies to all users of the organisation's information systems, including permanent staff, temporary staff, interns, contractors, and third-party service providers.

Information Assets Inventory: A classification of the organisation's information assets — including hardware, software, data, network infrastructure, and cloud services — by sensitivity level (for example: public, internal, confidential, restricted). Kenya Revenue Authority (KRA) tax records, ODPC-registered personal data, CBK-regulated financial data, and confidential business information all require different levels of protection, and the policy must map asset classifications to the corresponding security controls.

Access Control: Rules governing who may access specific information assets, including: user authentication requirements (password standards, multi-factor authentication); role-based access control principles; procedures for granting, reviewing, and revoking access rights; and the requirement for a unique user ID for each person with system access. The policy must prohibit sharing of login credentials, consistent with the Computer Misuse and Cybercrimes Act No. 5 of 2018 prohibition on unauthorised access under Section 3.

Network and Endpoint Security: Requirements for firewall deployment and configuration; use of encryption for data in transit (TLS) and data at rest; endpoint protection software on all organisation-managed devices; patch management and vulnerability assessment schedules; and controls on the use of personal devices and removable media in connection with organisational systems.

Incident Detection and Response: Procedures for detecting, reporting, and responding to cybersecurity incidents — including suspected malware infections, phishing attacks, unauthorised access events, and ransomware. The policy must designate a cybersecurity incident response team and specify escalation paths. Where a cybersecurity incident constitutes a personal data breach, the policy must trigger the Data Protection Act No. 24 of 2019 breach notification procedure, including notification to the ODPC within 72 hours under Section 43(6).

Employee Training and Awareness: Mandatory cybersecurity training for all staff on joining the organisation and at regular intervals thereafter, covering phishing awareness, password hygiene, safe internet use, physical security of devices, and reporting suspected incidents. The Computer Misuse and Cybercrimes Act No. 5 of 2018 makes employees who knowingly support cyberoffences criminally liable under Section 39 (aiding and abetting), creating personal liability for staff who ignore security obligations.

Third-Party and Supplier Security: Requirements that all third-party suppliers, contractors, and cloud service providers who access the organisation's systems or data sign contractual security obligations — typically in a Data Processing Agreement under Section 43 of the Data Protection Act No. 24 of 2019 — and meet minimum security standards equivalent to those imposed on the organisation's own staff. The forms-legal.com Cybersecurity Policy template includes a supplier security assessment checklist aligned with the ODPC's vendor management guidance.

Business Continuity and Disaster Recovery: Backup procedures and schedules for all critical data and systems; recovery time objectives (RTOs) and recovery point objectives (RPOs); testing schedules for backup restoration; and procedures for maintaining operations during a cybersecurity incident or system outage. The Communications Authority of Kenya's Cybersecurity Guidelines recommend annual disaster recovery testing for organisations operating critical information infrastructure.

Policy Review and Governance: The policy must be reviewed and updated at least annually, or whenever a material change in the organisation's systems, operations, or the threat environment occurs. A named officer — typically the Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or Data Protection Officer (DPO) registered with the ODPC — is responsible for policy maintenance and compliance monitoring. The board of directors or senior management must formally approve the policy.

Governing Law and Enforcement: Kenya law governs the policy, and compliance is enforced internally through the organisation's disciplinary procedures under the Employment Act No. 11 of 2007, and externally by the ODPC, the Communications Authority of Kenya, and the National Computer and Cybercrimes Coordination Committee (NC4) under the Computer Misuse and Cybercrimes Act No. 5 of 2018.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Cybersecurity Policy (Kenya) [Legal document template]. Forms Legal. https://forms-legal.com/kenya/business/policies/cybersecurity-policy-kenya

MLA

"Cybersecurity Policy (Kenya)." Forms Legal, 2026, https://forms-legal.com/kenya/business/policies/cybersecurity-policy-kenya.

BibTeX
@misc{formslegal-cybersecurity-policy-kenya,
  author       = {{Forms Legal}},
  title        = {Cybersecurity Policy (Kenya)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/kenya/business/policies/cybersecurity-policy-kenya}},
  note         = {Free legal document template}
}


Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
