The Lesotho Communications Authority (LCA) released Version 1 of its Cybersecurity Regulatory Guidelines in March 2025, setting a sector-wide baseline for Mobile Network Operators (MNOs), Infrastructure Network Providers, Internet Service Providers (ISPs), and other licensees. The document aligns local compliance with ISO/IEC 27001 and the NIST Cybersecurity Framework, and it requires a formal implementation plan, continuous monitoring, and periodic audits. In short: treat cybersecurity as a regulated obligation, not just a best practice.
Who must comply and what “good” looks like
The Guidelines apply across Lesotho’s communications sector and expect boards and executives to own cybersecurity outcomes. Licensees must adopt a written cybersecurity policy, perform regular risk assessments, establish governance (e.g., a security steering committee), maintain tested business-continuity and disaster-recovery arrangements, assign accountable roles (including segregation of duties), and manage vendor risk contractually and through ongoing oversight.
Incident management and threat intelligence
Every licensee needs a live, tested Incident Response Plan detailing detection, containment, recovery, and internal and external communications. Report material incidents promptly to designated authorities such as the sectoral or national CSIRT and participate in information-sharing communities to stay ahead of emerging threats. Build routine tabletop exercises into your calendar and record lessons learned.
Physical and logical access controls
Secure data centres, server rooms, and network operations centres with surveillance, alarms, and controlled entry. Monitor facilities continuously and treat any physical breach as a cybersecurity incident. On the logical side, enforce least privilege and role-based access control, and require multi-factor authentication for privileged and sensitive systems; the Guidelines call for this explicitly.
Operational security and monitoring
Deploy and maintain firewalls, IDS/IPS, and endpoint protection; patch systems on schedule and verify with vulnerability scans. Monitor networks and systems in near real-time using SIEM or equivalent tooling, maintain auditable logs, and run a documented change-management process so that risky updates never slip into production unnoticed.
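The monitoring requirement above (and the "define use-cases for detection and incident triage" step in the 90-day plan later on this page) is easier to evidence if each detection use-case is written down as a rule with a threshold and sample data. The following is an added example, not code from the LCA document or from any licensee: two such rules run over a constructed key=value auth-log format. The log format, the five-failures-in-five-minutes threshold, and the role names `admin` and `netops` are assumptions chosen for illustration; a real SIEM would apply the same logic to its own event schema.

```python
"""Two detection use-cases over centralised authentication logs.

Rule 1 (brute_force): FAIL_THRESHOLD or more failed logins from one source
         address inside a sliding window of WINDOW_SECONDS.
Rule 2 (privileged_login_without_mfa): a successful login by a privileged
         role whose record does not show MFA, which the MFA expectation for
         privileged systems should make impossible and therefore worth triage.

Log format (assumed, constructed for this example):
  <ISO-8601 UTC timestamp> key=value key=value ...
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 300                    # assumed sliding window for rule 1
FAIL_THRESHOLD = 5                      # assumed failure count for rule 1
PRIVILEGED_ROLES = {"admin", "netops"}  # assumed roles that must use MFA

# Constructed sample events (not real data). One source, 198.51.100.7, makes
# five failed attempts in 20 seconds; "bob" logs in as admin without MFA.
SAMPLE_LOGS = [
    "2025-03-10T08:00:01Z host=radius-1 event=login user=alice role=netops src=10.0.5.20 result=ok mfa=yes",
    "2025-03-10T08:01:10Z host=vpn-1 event=login user=carol role=staff src=203.0.113.9 result=ok mfa=yes",
    "2025-03-10T08:02:00Z host=vpn-1 event=login user=admin role=admin src=198.51.100.7 result=fail mfa=no",
    "2025-03-10T08:02:05Z host=vpn-1 event=login user=root role=admin src=198.51.100.7 result=fail mfa=no",
    "2025-03-10T08:02:09Z host=vpn-1 event=login user=admin role=admin src=198.51.100.7 result=fail mfa=no",
    "2025-03-10T08:02:14Z host=vpn-1 event=login user=test role=staff src=198.51.100.7 result=fail mfa=no",
    "2025-03-10T08:02:20Z host=vpn-1 event=login user=admin role=admin src=198.51.100.7 result=fail mfa=no",
    "2025-03-10T08:03:30Z host=radius-1 event=login user=bob role=admin src=10.0.5.30 result=ok mfa=no",
    "2025-03-10T08:40:00Z host=vpn-1 event=login user=dave role=staff src=192.0.2.44 result=fail mfa=no",
]


def parse_line(line):
    """Split one log line into a dict; 'ts' becomes an aware UTC datetime."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def detect(lines):
    """Run both rules over the lines in order and return a list of alerts."""
    alerts = []
    recent_failures = defaultdict(deque)  # src address -> timestamps of failures
    for line in lines:
        ev = parse_line(line)
        if ev.get("event") != "login":
            continue
        if ev["result"] == "fail":
            window = recent_failures[ev["src"]]
            window.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "count": len(window), "ts": ev["ts"]})
                window.clear()  # one alert per burst, not one per extra attempt
        elif (ev["result"] == "ok" and ev["role"] in PRIVILEGED_ROLES
              and ev.get("mfa") != "yes"):
            alerts.append({"rule": "privileged_login_without_mfa",
                           "user": ev["user"], "src": ev["src"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Each rule here is a self-contained use-case with a name, a threshold, and constructed data it is known to fire on, which is exactly the artefact an auditor will ask for when checking that "SIEM or equivalent" monitoring is actually tuned rather than merely installed. The `window.clear()` after an alert keeps a single attack burst from producing one alert per extra attempt, the usual cause of triage fatigue.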
Data protection requirements
Keep services available with resilient architectures and reliable backups, encrypt sensitive data at rest and in transit, and implement data-loss prevention to stop unauthorised sharing. Test recovery regularly so you can restore quickly after an incident, and isolate backup environments from production (separate credentials and network paths) so that an attacker who compromises production cannot also reach the backups.
Asset management and network security
Maintain a current inventory of hardware, software, and critical data, and classify assets by sensitivity and criticality so protection measures can be prioritised. Segment networks to contain attacks and prevent lateral movement; position IDS/IPS at key choke points; and document your architecture so auditors can see exactly how traffic is controlled.
Audit, assurance, and continuous compliance
Plan for a two-layered assurance model: regular internal audits, penetration tests, and vulnerability assessments, followed by annual external security audits by a qualified third party. Track findings, assign owners, and evidence closure. Compliance monitoring is ongoing, not annual; expect to demonstrate control performance throughout the year.
People: awareness, training, and accountable leadership
Provide routine awareness training to all staff, including directors, covering phishing, social engineering, and safe use of systems. Educate customers on online safety and privacy. Invest in technical upskilling for your security team and encourage recognised certifications such as CISSP, CISM, and CEH. The Guidelines also contemplate appointment of a CISO (or equivalent) and the establishment of a dedicated security team.
Implementation expectations and updates
LCA expects a phased implementation starting with critical infrastructure and expanding scope over time. Each licensee must submit an implementation plan to the Authority and keep improving as threats evolve, with LCA updating the Guidelines periodically. Build a governance rhythm (quarterly reviews, metrics, and board reporting) so progress is demonstrable.
The evidence you will need to show auditors
The Guidelines include a Security Measures & Evidence Table mapping controls to ISO 27001 and NIST CSF 2.0. Be prepared to produce artefacts such as approved policies, risk registers, BCP test results, RBAC matrices, third-party due-diligence packs, incident logs, SIEM dashboards, backup schedules and restore tests, encryption key-management procedures, network diagrams, VLAN and firewall configs, audit reports, remediation plans, training records, and certification evidence. Using this table as your audit-prep checklist will save time and reduce rework.
A 90-day starter plan (actionable and audit-ready)
- Appoint an executive owner and name an acting CISO; stand up a cross-functional security steering committee.
- Approve an ISO/NIST-aligned cybersecurity policy and a risk assessment covering operational and regulatory risks.
- Inventory and classify assets; enforce MFA for all admin and remote access; close critical vulnerabilities.
- Finalise and test the Incident Response Plan; define CSIRT notification thresholds and contact lists.
- Implement centralised logging and alerting; define use-cases for detection and incident triage.
- Review key third-party contracts; add security clauses and ongoing assurance requirements.
- Update BCP/DR playbooks; run a restore test; document RTO/RPO.
- Launch staff and customer awareness campaigns; schedule technical training for the security team.
- Draft and submit the implementation plan to LCA; lock in dates for internal and external audits.
Bottom line: The 2025 Guidelines make cybersecurity a board-level compliance duty for Lesotho’s communications sector. Align with ISO 27001 and NIST CSF, prove it with evidence, and maintain a living programme that can withstand regulatory scrutiny and real-world attacks. If you operate as an MNO, ISP, or network provider in Lesotho, start with governance, asset visibility, MFA, incident readiness, and an audit-ready implementation plan submitted to the LCA, then build outward.