Updated CyberSecure Canada program requirements

Cybersecurity plays an integral role in building trust with consumers and keeping Canadian businesses competitive. The CyberSecure Canada program is committed to helping small and medium-sized organizations (SMO) confidently operate in the digital economy. With cyber attacks on the rise, the program is evolving to ensure its certification requirements reflect cybersecurity best practices that help businesses secure their systems and data.

On January 1, 2023, the CyberSecure Canada program will be updating its certification requirements to align with National Standard CAN/CIOSC 104:2021 Baseline cyber security controls for small and medium organizations.

About the National Standard

The National Standard was developed by the CIO Strategy Council to help SMOs in Canada improve their cybersecurity. It received support from the Standards Council of Canada and input from SMOs, leaders and experts in cybersecurity, and representatives from Innovation, Science and Economic Development Canada and the Canadian Centre for Cyber Security. The standard draws on the Baseline Cyber Security Controls for Small and Medium Organizations as well as international standards such as ISO’s Information Security Management (ISO/IEC 27001).

What will CyberSecure Canada’s security controls and certification requirements be as of January 1, 2023?

The National Standard includes the 13 cybersecurity control areas outlined in the Canadian Centre for Cyber Security baseline cybersecurity controls. It also introduces 3 new organizational controls and 2 new baseline controls.

Organizational controls

  • Leadership (new)
  • Accountability (new)
  • Cybersecurity risk assessment (new)
  • Cybersecurity / employee awareness training

Baseline controls

  • Develop an incident response plan
  • Automatically patch operating systems and applications
  • Enable security software
  • Securely configure devices
  • Use strong user authentication
  • Back up and encrypt data
  • Establish basic perimeter defenses
  • Implement access control and authorization
  • Secure mobility
  • Secure cloud and outsourced IT services
  • Secure websites
  • Secure portable media
  • Point of sale and financial systems (new)
  • Computer security log management (new)

Who will be impacted by the program changes?

SMOs seeking certification or re-certification on or after January 1, 2023, will be required to implement the 18 National Standard security controls to receive certification. Certification will be valid for two years.

There is no change for SMOs that achieved certification, or started working with a certification body to achieve certification, before January 1, 2023.

Learn more

During the transition period, we will be updating our eLearning series, certification tools (templates and how-to guides), program information sheets and frequently asked questions webpage to align with the National Standard. Feel free to contact us if you have any questions.