Frequently asked questions

What is CyberSecure Canada?

CyberSecure Canada is Canada's only cyber certification program.

Why was CyberSecure Canada created?

Industry stakeholders and Canadians voiced concerns over Canada's cybersecurity resilience. The CyberSecure Canada program aims to promote trust, both domestic and foreign, in Canada's digital economy.

What does it mean to be certified?

A certified organization has implemented the security controls in the National Standard CAN/CIOSC 104:2021, Baseline cyber security controls for small and medium organizations.

Is certification mandatory?

No, certification is voluntary. However, certification will help improve an organization's level of cybersecurity.

Who can become certified?

All organizations in Canada are eligible for the certification program.

How can my organization become certified?

Secure your organization by implementing the certification requirements, request an audit from an accredited certification body, and get certified for two years.

How long will it take for my organization to become certified?

This will vary depending on your organization's current level of cybersecurity readiness, as well as its ability to implement the security controls.

How long is my certification valid?

Certification is valid for two years.

How much will the certification cost?

Accredited certification bodies set the certification price. To learn more, contact the accredited certification bodies directly.

How will Canadians know my organization is certified?

Certified organizations can choose to display a digital and/or decal certification mark. Certified organizations can also choose to be included in our certified organizations database.

What is an accredited certification body?

Accredited certification bodies are both public and private organizations accredited by the Standards Council of Canada. These accredited bodies evaluate a business's implementation of the program's certification requirements.

What are security control areas?

The security control areas list the requirements for certification.

The National Standard distinguishes between Level 1 and Level 2 security control requirements. Which ones do I need to implement in order to get certified?

The program requires organizations to implement both Level 1 and Level 2 security controls in order to be certified.

I am already certified against the baseline security controls. Will this impact my certification?

Certifications remain valid until the expiry date. Organizations re-certifying after January 1, 2023, will need to adhere to the new National Standard.

What is an audit?

An audit is an assessment of your organization's implementation of the certification requirements.

Who can perform my audit and how can I request one?

An accredited certification body must complete the audit. To request an audit, you must implement the certification requirements and then register in the CyberSecure Canada portal. You will then choose your accredited certification body to perform the audit.

Are my audit results made public? Does the Government of Canada see my results?

No, the results of your audit and the documentation provided to your accredited certification body are not made public. If your organization chooses, you can display the certification mark and choose to be included in the certified organizations database.

What do I do if I am involved in a cyber incident?

If you have been involved in a cyber incident, you should follow the direction of the Canadian Centre for Cyber Security.

How do I contact CyberSecure Canada?

Contact us.