The challenge
BCEAO expectations on IS security sharpen with every supervisory cycle: formalized governance, tested continuity, reported incidents, controlled outsourcing. A security policy never turned into measurable controls, or a DRP never exercised, will not survive an inspection.
What we deliver
Full gap assessment against the BCEAO framework with a prioritized compliance plan
Security policy turned into measurable controls with a tracking dashboard
Documented and tested BCP/DRP with exercise reports usable during inspections
Incident management and supervisory reporting process
Inspection file: organized evidence, prepared answers, interview rehearsal
Our method
Mapping of the current state and gap scoring against each requirement.
Remediation in waves: governance, technical, continuity — quick wins first.
Real BCP/DRP exercises with dated minutes.
Dry-run review before the inspection: your teams answer, we challenge.
Who it's for
Banks, payment institutions, microfinance and financial companies supervised by BCEAO and the WAMU Banking Commission.
Frequently asked questions
What does the Banking Commission check during an IS inspection?
Governance (security policy, committees, roles), technical risk control (patching, access, logging), continuity (tested BCP/DRP) and outsourcing management — each backed by dated evidence.
Our security policy exists but isn't applied: do we start from scratch?
Rarely. The point is to turn it into concrete, measured, assigned controls. We keep what is solid and close gaps by risk priority.
Are payment institutions and microfinance companies in scope?
Yes: security and continuity requirements apply to every licensed institution, proportionate to its size and risk profile — that calibration is exactly what we help you defend.
