Private security compliance in Kenya, the operator's overview

If you run a security firm in Kenya, you operate under the Private Security Regulatory Act (PSRA). The Authority registers firms, licenses guards, and audits operational practice. Their inspections are increasing year over year. The good news, the requirements are mostly operational hygiene — the same things a well-run firm already does. The annoying news, most of the evidence the inspector wants is information you are already capturing, just not in a form you can show.

This is the short map.

Firm registration and renewal

Annual licence, renewed before expiry. The Authority does not chase you, you chase them.
Director KYC and tax compliance kept current. The KRA PIN, CR12, and tax compliance certificate sit in one folder.
A registered office address, not a P.O. box.

This is the table-stakes paperwork. If this is not in order, nothing else matters.

Guards

Each guard is individually licensed by the Authority.
Background checks on file — Good Conduct Certificate plus identity verification.
Uniform standard matching the Authority's specification.
Training records — initial training plus refreshers. The Authority is increasingly specific about minimum hours and topics.

The guard's individual licence is the key. An unlicensed guard at one of your sites is a finding against the firm, not just the guard.

Operations on site

A logbook at every site, kept current. The Authority does not care whether it is paper or digital, as long as it is contemporaneous and tamper-evident.
Shift records — who was on, when, where.
Incident records — what happened, when, response, outcome.
Client contracts in writing — terms, scope, duration, fees, data protection clauses.

The inspector will pull a random site, ask to see the last 30 days of logs, and check that they reconcile with the shift records they have for that period.

Reporting up

Material incidents reported to the Authority within the timeframe specified in your operating conditions.
Annual operational return summarising sites, headcount, incidents.

Forget the timeframe on incident reporting, and the next inspection becomes adversarial.

Data protection (the DPA overlap)

PSRA inspections increasingly check that the firm is also DPA-compliant — visitor data retention, breach response plan, ODPC registration. A firm that holds names and IDs across multiple sites is processing real volumes of personal data. See our DPA post for the practical view.

What an inspection looks like in practice

The inspector arrives at the head office. They ask for:

The current PSRA licence.
The list of all guards currently deployed, by site.
For three randomly-chosen sites, the last 30 days of guard logs, shift records, incident reports.
Evidence of the most recent training cycle.
The data protection register if you handle visitor personal data.

If you can hand over the first three from a single dashboard in under five minutes, the visit is short and pleasant. If you spend the next hour finding the books, the inspector starts thinking about what else you cannot find quickly.

The compliance bonus of a digital baseline

Guard rota, attendance, and shift records are the same data, presented as a report.
Site logs are searchable, exportable, time-stamped, tamper-evident.
Incident reports come with photos, severity, and response timestamps.
DPA retention rules execute themselves.
The annual operational return is mostly a summary the system already has.

The firms we see passing inspections with the least friction are not the ones with the thickest binders. They are the ones whose day-to-day operations produce the inspection evidence as a byproduct.

The next twelve months

The Authority is moving toward more regular spot-checks and quicker enforcement. Operators who can produce records on demand have an easier path. Operators who cannot are gambling that the inspector will not pick their site.

Compliance is cheaper than the alternative, and the gap is closing fast.