Morocco: Issued DGSSI Reference Framework of Requirements relating to the Qualification of Information Systems Security Audit Providers (Version 2.0) outlining security and operational requirements

On 1 February 2024, the General Directorate of Information Systems Security (DGSSI) issued the Reference Framework of Requirements relating to the Qualification of Information Systems Security Audit Providers (Version 2.0). The framework establishes requirements for entities involved in critical information infrastructures (CIIs) and specifies that providers must demonstrate capabilities in organisational and physical security, penetration testing, configuration audits, architecture reviews, and industrial systems' security audits. Entities must contract qualified audit providers who comply with skill requirements, ethical standards, and legal obligations, adhering to national cybersecurity regulations such as Law No. 05.20 and Decree No. 2.21.406. Audit execution requirements include establishing audit contracts, systematic planning, execution, and reporting, alongside maintaining compliance with ISO standards and data protection protocols. Providers must implement robust information and physical security measures, segment critical systems, and ensure the confidentiality of sensitive data. The framework also mandates regular qualification reviews by the DGSSI, with non-compliance resulting in possible suspension or disqualification.