Africa-Press – Kenya. NCBA Bank Kenya and NCBA Bank Uganda have achieved dual ISO certification from the British Standards Institution (BSI), becoming the first banks in East and Central Africa to attain ISO/IEC 27701 certification on data privacy.
The bank secured both ISO/IEC 27001 (Information Security Management System) and ISO/IEC 27701 (Privacy Information Management System) certifications, reinforcing its framework for managing and safeguarding sensitive data belonging to customers, employees and third parties.
NCBA said the milestone strengthens its approach to information security, regulatory compliance and privacy governance across its Kenya and Uganda operations.
The ISO/IEC 27701 certification positions NCBA as the first bank in the region to implement a certified Privacy Information Management System aligned to global standards.
The certification complements ISO/IEC 27001, which provides a structured and risk-based framework for protecting the confidentiality, integrity and availability of information assets.
The bank noted that the dual certification aligns its security and privacy controls with international best practice and supports compliance with the Kenya Data Protection Act and the Uganda Data Protection and Privacy Act.
Speaking on the achievement, NCBA Group Director for Technology and Operations, Isaac Owilla, said the certification marks a significant step in strengthening the bank’s information security systems.
“Attaining these dual ISO certifications is a significant milestone in our continuous journey to strengthen information security within our operations. Our customers can be assured that we uphold the highest standards in security, service management and regulatory compliance,” Owilla said.
He added that compliance is an ongoing process and that the bank remains committed to delivering secure, efficient and high-quality services.
The certification initiative was driven by NCBA’s expanding digital footprint, cross-border operations and increased reliance on technology and third-party service providers.
Phase one of the programme focused on Kenya and Uganda, with Kenya prioritised because it delivers approximately 80 per cent of the Group’s information security and technology functions.
Phase two of the programme is expected to extend certification to Loop DFS, Tanzania and Rwanda, building on the governance framework and controls established during the first phase.
According to Owilla, the bank is investing in staff training, system improvements and continuous enhancement of compliance practices to maintain high standards of operational excellence.
“NCBA is committed to maintaining high standards by ensuring its staff are well-trained in compliance and best practices and by fostering a culture of continuous improvement,” he said.
Owilla noted that as banks increase their digital services and data-driven operations, internationally accredited security frameworks are becoming critical in mitigating cyber risks and protecting personal information.
With the new certifications, NCBA reinforces its position as a regional banking leader focused on innovation, regulatory assurance and the protection of customer data.
