Bank of Ghana Cyber & Information Security Directive, March 2026

BoG Directive 2026

Cyber and information security is now a leadership obligation. This page is designed to help executives see what must be owned, where exposure is likely to concentrate, and what evidence management should already be able to produce.

This directive requires governance, visible controls, managed exposure, and provable assurance.

The Bank of Ghana directive places direct obligations on the board, senior management, the CISO, internal audit, technology operations, and third-party oversight functions. It extends beyond internal IT into channels, cloud, vendors, privacy, AI, facilities, and recurring testing.

Executive take: If management cannot show ownership, current testing, and evidence on demand, the institution is not ready for serious scrutiny.

What an executive team should do next

1. Confirm that the board, senior management, and the CISO have clearly defined authority and reporting lines.

2. Demand a current view of critical systems, external dependencies, cloud exposure, and digital channels.

3. Review whether required testing cadence, incident reporting, and evidence readiness are actually being met.

Cloud and vendor risk is growing faster than contractual control.

Testing happens, but evidence is fragmented or outdated.

Leadership receives technical updates without clear decision framing.

Do we have a formally empowered CISO with sufficient authority and visibility?

Has the board approved a cyber and information security policy and budget aligned to risk?

Do we know which systems, channels, vendors, and facilities create the greatest exposure?

Named owners for governance, controls, channels, cloud, and assurance.

A current testing cadence matched to the institution's tier.

Evidence packs that are current, reviewable, and tied to real controls.

Keyrios uses four pillars to simplify the directive for executive navigation.

They are not the directive's official chapter structure. The Bank of Ghana directive remains organized by Parts, Sections, and Annexures. This model is a practical Keyrios operating view designed to make leadership responsibilities, control domains, exposure points, and assurance obligations easier to follow.

Four executive responsibilities anchor the directive

Leadership must understand who governs cyber risk, how controls are run, where exposure concentrates, and how resilience is validated.

CMD

Command

Authority, governance, ownership, policy, and leadership structure that direct the institution's cyber program.

CTL

Control Systems

The internal security machinery that identifies risk, hardens systems, enforces access, and drives monitoring and response.

EXP

Exposure Surfaces

The external and operational environments where customers, staff, vendors, systems, and facilities create exposure.

ASR

Assurance

Validation, testing, auditability, reporting, and evidence that prove controls are working and obligations are being met.

Command

Leadership directs. Ownership is assigned. Budget and policy are approved.

Pillar 1 of 4 (5 nodes)

Board

Board Chair / Board Risk Committee
Pillar: Command
Official Ref: Part II, Section 54
Owner groups: Board, Senior Management, CISO, Audit / Assurance
Operational Meaning

The Board provides oversight, approves policy and budget, and treats cyber and information security as a strategic institutional risk.

Implementation Actions

Approve annual cyber and information security strategy and budget.

Receive recurring reporting on incidents, risk posture, and remediation progress.

Challenge management on resilience, third-party exposure, AI use, and privacy risk.

Evidence Required

Board-approved policy

Board minutes

Cyber budget approval

Quarterly board cyber pack

Assurance cadence by institution tier

The directive sets different testing obligations based on institutional tier. Map your institution to understand what testing is required and at what frequency.

Vulnerability assessment: quarterly automated, semi-annual manual validation

DAST / SAST: quarterly for critical applications, semi-annual for others

Penetration testing: annually, internal and external

Red team exercise: every 2 years