
Security Advisory & Strategic Consulting

Strong cybersecurity is not just a technical problem — it is a business strategy. Citadel Africa's advisory practice helps Kenyan enterprises build security programmes that are proportionate to their risk, aligned to their operations, and compliant with the regulations that govern them.

ISO 27001 Advisory
POPIA Compliance Aligned
vCISO Available On-Demand
Security Maturity Assessment March 2026 — Confidential
Overall Maturity Score: 47 (Developing — Attention Required)
7 priority gaps identified across 5 domains
Domain scores:
Identity & Access: 28
Network Security: 52
Endpoint Protection: 61
Security Operations: 34
Compliance & GRC: 58
Top Priority Recommendations:
Implement MFA across all privileged accounts
Establish formal incident response plan
Define data classification & handling policy
Conduct annual security awareness training

Security Strategy for the Real World

Most Kenyan enterprises know they need better cybersecurity. The challenge is knowing where to start, what to prioritise, and how to build a programme that works within real budget and resource constraints — without leaving critical gaps.

Citadel Africa's security advisory practice bridges the gap between technical security requirements and business reality. We assess your current posture, identify your most critical risks, and build a practical roadmap that your team can actually execute.

Whether you need a one-time risk assessment, ongoing vCISO support, or help achieving ISO 27001 certification — we deliver advisory that is grounded in Kenya's regulatory environment, threat landscape, and operational context.

Not Checkbox Compliance
We build security programmes that actually reduce risk — not just documentation that satisfies auditors. Compliance is the outcome, not the goal.
Kenya-Specific Guidance
Advisory grounded in Kenyan regulation, the Data Protection Act, CBK cybersecurity guidelines, and the realities of operating in East Africa's digital economy.
Threat-Informed Decision Making
Our advisory is informed by live threat intelligence — we prioritise the controls that defend against the threats actually targeting your sector, not theoretical risks.
Practical for Your Budget
We work within your real constraints. Our roadmaps prioritise high-impact, lower-cost controls first — delivering the most security improvement per shilling spent.

What We Deliver

From a one-day risk assessment to a year-long vCISO engagement — our advisory services scale to your needs and budget.

01
Security Risk Assessment

A structured evaluation of your current security posture against industry frameworks — identifying gaps, prioritising risks, and producing an actionable remediation roadmap.

Asset inventory & threat modelling
Control gap analysis (ISO 27001 / NIST)
Risk register & scoring
Prioritised remediation roadmap
02
ISO 27001 Advisory

End-to-end support for ISO 27001 certification — from gap analysis and ISMS design through to audit readiness and certification support. We make the process manageable.

Gap analysis against ISO 27001:2022
ISMS policy & procedure development
Statement of Applicability (SoA)
Audit readiness & certification support
03
Compliance Advisory

Navigate Kenya's regulatory landscape with confidence. We translate complex requirements into practical controls your team can implement — covering data protection, financial sector, and sector-specific mandates.

Kenya Data Protection Act compliance
CBK Cybersecurity Guidelines
POPIA alignment (cross-border operations)
PCI DSS advisory for payment environments
04
Security Architecture Review

An expert review of your network architecture, cloud environment, and security controls — identifying structural weaknesses and recommending improvements that reduce your attack surface.

Network & cloud architecture analysis
Zero Trust readiness assessment
Security tooling gap analysis
Target architecture recommendations
05
Security Policy Development

Comprehensive, plain-language security policies that your employees will actually understand and follow — tailored to your organisation's size, sector, and operations.

Information security policy suite
Acceptable use & BYOD policies
Incident response & BCP policies
Data classification & handling policy
06
Security Awareness Training

Your people are the part of your attack surface that attackers target most often. We design and deliver training programmes that build a security-conscious culture — from phishing awareness to executive cyber briefings.

Phishing simulation campaigns
Staff security awareness workshops
Executive cyber risk briefings
Bespoke e-learning module design

Frameworks & Regulations We Work With

Kenya's regulatory environment for cybersecurity is maturing rapidly. The Data Protection Act 2019, the CBK Cybersecurity Guidelines, and sector-specific mandates from the Communications Authority (CA), the Insurance Regulatory Authority (IRA) and the Capital Markets Authority (CMA) are creating compliance obligations that most organisations are not yet fully meeting.

We help you navigate this landscape practically — understanding what each regulation actually requires, prioritising the controls that satisfy multiple frameworks simultaneously, and building a compliance programme that is sustainable, not burdensome.

Kenya Data Protection Act (Local Regulation)
Data protection obligations for organisations processing personal data of Kenyan residents.
CBK Cybersecurity Guidelines (Financial Sector)
Central Bank of Kenya cybersecurity requirements for regulated financial institutions.
ISO/IEC 27001:2022 (International)
International standard for information security management systems — certification advisory.
NIST Cybersecurity Framework (Framework)
Govern, Identify, Protect, Detect, Respond and Recover: the six functions of CSF 2.0 (Govern was added in the 2024 revision) give a widely adopted structure for designing and measuring a security programme.
PCI DSS v4.0 (Payment Sector)
Payment card industry data security standards for organisations handling card transactions.
POPIA (Cross-Border)
Protection of Personal Information Act — for organisations with South African operations or clients.

Our Advisory Process

Every advisory engagement follows a structured process — ensuring we understand your business before making a single recommendation.

Step 01: Understand Your Business (Week 1)

We start with your business — not your technology. We establish your revenue model, regulatory obligations, critical assets and risk appetite before touching a single control.

Step 02: Assess Current State (Weeks 2–3)

Structured interviews, document reviews, and technical assessments to establish your current security posture — mapped against the relevant frameworks and benchmarked against your sector.

Step 03: Gap Analysis & Risk Rating (Weeks 3–4)

Every identified gap is assessed for likelihood and business impact — producing a prioritised risk register that tells you exactly which problems need solving first and why.

Step 04: Roadmap & Implementation Support (Ongoing)

A practical, phased security improvement roadmap with clear owners, timelines, and success criteria — plus ongoing advisory support as your team executes against it.

Senior Security Leadership Without the Full-Time Cost

Most Kenyan SMEs and mid-market companies cannot justify the cost of a full-time Chief Information Security Officer. A vCISO gives you the strategic security leadership you need — at a fraction of the cost.

Board & Executive Communication
We translate technical risk into business language — presenting to your board, audit committee, and senior leadership on security posture, incidents, and investment priorities.
Security Programme Ownership
Your vCISO owns and drives your security programme — overseeing vendors, policies, assessments, and compliance activities with the authority and accountability of a full-time hire.
Audit & Regulatory Interface
We represent your security function in audits, regulatory examinations, and compliance reviews — preparing your evidence, handling examiner questions, and managing findings.
vCISO Value Comparison: What You Get vs. What It Costs

Full-time CISO hire:
  Cost: High annual cost
  Recruitment time: 3–6 months
  Perspective: One person's view

Citadel vCISO:
  Cost: Fraction of the cost
  Time to activate: Within 2 weeks
  Breadth of expertise: Full team behind you
Our vCISO service gives you access to Citadel Africa's full analyst team — not just one person. Your organisation benefits from collective expertise across pentesting, forensics, threat intelligence, and compliance.

Advisory Deliverables

Security Maturity Assessment Report
A scored evaluation of your security posture across all key domains — with a maturity level, gap analysis, and domain-by-domain findings that give you an honest picture of where you stand.
Risk Register & Priority Matrix
A structured register of all identified risks, scored by likelihood and business impact — giving your leadership team a clear, prioritised view of what needs attention and in what order.
Security Improvement Roadmap
A phased, 12–24 month roadmap with specific initiatives, owners, timelines, and estimated effort — designed to be achievable within your budget and team capacity.
Policy & Procedure Documentation
A complete suite of information security policies — drafted in plain language, tailored to your organisation, and ready for board approval and staff communication.
Board-Ready Executive Presentation
A concise, non-technical presentation of your security posture, key risks, and recommended investment priorities — designed for a board or senior leadership audience.
Compliance Gap Report
A structured mapping of your current controls against each applicable regulation or standard — showing exactly what you have, what you are missing, and what you need to do to close each gap.
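One way to carry the risk-rating and roadmap logic described above (Step 03 and Step 04 of the advisory process, and the Risk Register, Security Improvement Roadmap and Maturity Assessment deliverables) into working code, as an added example that is not Citadel Africa's own tooling: a small Python risk register that scores likelihood times impact on an assumed 1 to 5 scale, ranks the risks, ranks the remediating controls by how many frameworks each one satisfies (the "one control, several frameworks" prioritisation the page mentions), places controls into assumed roadmap phases, and turns domain scores into an overall maturity score with a band label. The scales, rating bands, phase boundaries, maturity bands, sample risks and framework mappings are all assumptions made for illustration; only the five domain scores are taken from the assessment card at the top of this page, whose overall 47 is their rounded mean.

```python
"""Risk register scoring, control prioritisation and maturity banding.
Added worked example, not Citadel Africa's own tooling. The 1-5 scales, rating
bands, roadmap phases, maturity bands, sample risks and framework mappings are
assumptions made for illustration, not figures from the page."""
from dataclasses import dataclass
from statistics import mean

# Assumed rating bands on a 5x5 grid: score = likelihood * impact (1..25).
RATING_BANDS = [(15, "Critical"), (10, "High"), (5, "Medium"), (1, "Low")]
# Assumed phase per rating; the page describes a phased 12-24 month roadmap.
PHASE_BY_RATING = {"Critical": "Phase 1 (0-3 months)", "High": "Phase 2 (3-9 months)",
                   "Medium": "Phase 3 (9-24 months)", "Low": "Phase 3 (9-24 months)"}
# Assumed maturity bands on 0-100 domain scores: (lower bound, label).
MATURITY_BANDS = [(80, "Managed"), (60, "Defined"), (40, "Developing"), (0, "Initial")]


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe business impact)
    control: str           # remediating control that retires the risk
    frameworks: frozenset  # obligations the control helps satisfy (illustrative)

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        return next(label for floor, label in RATING_BANDS if self.score >= floor)


def prioritise(risks):
    """Highest score first; ties go to the control covering more frameworks, then by id."""
    return sorted(risks, key=lambda r: (-r.score, -len(r.frameworks), r.risk_id))


def control_coverage(risks):
    """Per control: (name, frameworks it satisfies, total risk score it retires),
    ordered so the controls closing the most obligations for the most risk come first."""
    frameworks, total = {}, {}
    for r in risks:
        frameworks.setdefault(r.control, set()).update(r.frameworks)
        total[r.control] = total.get(r.control, 0) + r.score
    rows = [(c, sorted(frameworks[c]), total[c]) for c in frameworks]
    return sorted(rows, key=lambda row: (-len(row[1]), -row[2], row[0]))


def roadmap(risks):
    """Place each control in the phase of the worst-rated risk it addresses."""
    phases, seen = {}, set()
    for r in prioritise(risks):  # worst risks first, so the first sighting wins
        if r.control not in seen:
            seen.add(r.control)
            phases.setdefault(PHASE_BY_RATING[r.rating], []).append(r.control)
    return phases


def maturity(domain_scores):
    """Overall score = rounded mean of 0-100 domain scores, plus an assumed band label."""
    for name, value in domain_scores.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} must be 0..100, got {value}")
    overall = round(mean(domain_scores.values()))
    return overall, next(label for floor, label in MATURITY_BANDS if overall >= floor)


# Domain scores from the assessment card on this page; the overall 47 is their rounded mean.
PAGE_DOMAIN_SCORES = {"Identity & Access": 28, "Network Security": 52, "Endpoint Protection": 61,
                      "Security Operations": 34, "Compliance & GRC": 58}

# Constructed sample register; framework mappings are illustrative, not authoritative.
ISO, CBK, DPA, PCI = "ISO 27001", "CBK Guidelines", "Kenya DPA", "PCI DSS"
SAMPLE_RISKS = [
    Risk("R1", "Privileged accounts sign in with password only", 5, 5,
         "Enforce MFA on all privileged accounts", frozenset({ISO, CBK, PCI})),
    Risk("R2", "No tested incident response plan", 4, 4,
         "Establish a formal incident response plan", frozenset({ISO, DPA, CBK})),
    Risk("R3", "Customer data handled without classification rules", 3, 4,
         "Define a data classification & handling policy", frozenset({ISO, DPA})),
    Risk("R4", "Staff have never had phishing awareness training", 4, 3,
         "Run annual security awareness training", frozenset({ISO, PCI})),
    Risk("R5", "Guest Wi-Fi bridged onto the corporate LAN", 2, 4,
         "Segment guest and corporate networks", frozenset({ISO})),
    Risk("R6", "No screen-lock timeout on office workstations", 2, 2,
         "Enforce screen lock via endpoint policy", frozenset({ISO})),
]

if __name__ == "__main__":
    print("Overall maturity: %d (%s)" % maturity(PAGE_DOMAIN_SCORES))
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.risk_id} score={r.score:>2} {r.rating:<8} {r.control}")
    for phase, controls in roadmap(SAMPLE_RISKS).items():
        print(f"{phase}: " + "; ".join(controls))
```

Two design points worth noting. Ties on raw score are broken in favour of the control that satisfies more frameworks, which is how a register stays useful once several gaps land on the same square of the grid. And a control is placed in the roadmap phase of the worst risk it addresses, so a cheap control that retires a Critical risk is never pushed into a later phase by its lower-rated siblings.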

Advisory You Can Act On

01
Practitioners, Not Paper Consultants

Our advisors are active security practitioners — they also respond to incidents, conduct penetration tests, and analyse forensic evidence. Our advisory is grounded in what actually happens when security fails, not just what frameworks say should happen.

02
Kenya-First Regulatory Knowledge

We know Kenyan regulation — the Data Protection Act, CBK guidelines, CA requirements, and sector-specific mandates — because we operate in this environment daily. You get advice that is immediately applicable, not adapted from a different jurisdiction.

03
Integrated with Our Technical Services

Our advisory practice works hand-in-hand with our penetration testing, forensics, and threat intelligence teams. When your roadmap calls for a penetration test or threat assessment, the same firm delivers it — ensuring continuity and accountability.

Get Started

Ready to Build a Stronger Security Programme?

Start with a security maturity assessment. In two weeks we'll give you a clear picture of where you stand, what your biggest risks are, and exactly what to do about them.