Frequently asked questions

What is CyberSecure Canada?

CyberSecure Canada is Canada's only cyber certification program.

Why was CyberSecure Canada created?

Industry stakeholders and Canadians voiced concerns over Canada's cybersecurity resilience. The CyberSecure Canada program aims to promote trust in Canada's digital economy, both domestic and foreign.

What does it mean to be certified?

A certified organization has put in place the certification requirements of the 13 security control areas developed by the Canadian Centre for Cyber Security, Canada's cybersecurity experts.

Is certification mandatory?

No, certification is voluntary. However, certification will help improve an organization's level of cybersecurity.

Who can become certified?

All organizations in Canada are eligible for the certification program.

How can my organization become certified?

Secure your organization by implementing certification requirements; request your audit by an accredited certification body; get certified for two years.

How long will it take for my organization to become certified?

This will vary depending on your organization's current level of cybersecurity readiness, as well as its ability to implement the security controls.

How long is my certification valid?

Certification is valid for two years.

How much will the certification cost?

Accredited certification bodies set the certification price. To learn more, contact the accredited certification bodies directly.

How will Canadians know my organization is certified?

Certified organizations can choose to display a digital and/or decal certification mark. Certified organizations can also choose to be included in our certified organizations database.

What is an accredited certification body?

Accredited certification bodies are both public and private organizations accredited by the Standards Council of Canada. These accredited bodies evaluate a business's implementation of the program's certification requirements.

What are security control areas?

The security control areas list the requirements for certification. Each of the 13 security control areas includes anywhere from one to eight certification requirements that are based on cybersecurity best practices.

What is an audit?

An audit is an assessment of your organization's implementation of the certification requirements.

Who can perform my audit and how can I request one?

An accredited certification body must complete the audit. To request an audit, you must implement the certification requirements and then register in the CyberSecure Canada portal. You will then choose your accredited certification body to perform the audit.

Are my audit results made public? Does the Government of Canada see my results?

No, the results of your audit and the documentation provided to your accredited certification body are not made public. If your organization chooses, you can display the certification mark and choose to be included in the certified organizations database.

What do I do if I am involved in a cyber incident?

If you have been involved in a cyber incident, you should follow the direction of the Canadian Centre for Cyber Security.

What should I expect if I am a Cyber Essentials Certified company?

If you are already a Cyber Essentials Certified company, please contact CyberNB.

How do I contact CyberSecure Canada?

Contact us.

CyberSecure Program Alignment to CAN/CIOSC 104:2021 Baseline cyber security controls for small and medium-sized organizations

What new standards will CyberSecure Canada be adopting in January 2023?

The CyberSecure Canada program will adopt the National Standard (CAN/CIOSC 104:2021 Baseline cyber security controls for small and medium organizations) cybersecurity controls intended for small and medium-sized organizations (SMOs). The National Standard was developed by the CIO Strategy Council, an accredited standard development organization, and was released in November 2021 after consultations with SMOs, cyber security experts, industry leaders and government representatives. The National Standard is intended to help SMOs of varying sizes and business models in Canada improve their cybersecurity posture.

Why is the CyberSecure Canada program aligning to the National Standard?

With the changing cyber threat landscape, the CyberSecure Canada Program is evolving to ensure the necessary cybersecurity best practices are used. The National Standard draws on the Baseline Cyber Security Controls for Small and Medium Organizations as well as international standards such as ISO's Information Security Management (ISO/IEC 27001).

How does the National Standard differ from the current certification requirements?

The National Standard contains 18 security control areas that are organized into two groups: organizational control areas and baseline control areas. It retains the current 13 CyberSecure Canada security controls and introduces 5 new controls. These include 3 new organizational controls (leadership, accountability and cyber security risk assessment) and 2 new baseline controls: computer security log management, and point of sale and financial systems.

The National Standard distinguishes between Level 1 and Level 2 security control requirements. Which one do I need to do in order to get certified?

The program requires organizations to implement both Level 1 and Level 2 security controls in order to be certified.

When does the change take effect?

The program is adopting the National Standard on January 1, 2023.

Will the change in the program affect the cost of certification?

Certification costs are set by the accredited certification bodies. To learn more, contact the accredited certification bodies directly.

What does the "transition period" mean?

During the transition, the program will be updating the eLearning series and other resources to align with the National Standard.

Can I still enroll in the program before January 1st?

Yes, the program remains open for enrollment and certification. If you enroll in the program before January 1, 2023, certification will be assessed on the implementation of the 13 security controls established by the Canadian Centre for Cyber Security.

I am already certified. Will this change impact my certification?

No, certifications will remain valid until the expiry date. Organizations recertifying after January 1, 2023 will need to adhere to the new National Standard.