In short

CyberSecure Canada is the federal government’s cybersecurity certification program for organizations of 1 to 499 employees, based on the Canadian Centre for Cyber Security’s 13 baseline controls. Certification lasts two years and is increasingly useful for contracts, insurance, and customer trust. This guide covers what it is, who qualifies, the 13 controls, cost, and a step-by-step path to getting certified.

What is CyberSecure Canada?

CyberSecure Canada is the federal government’s cybersecurity certification program for small and medium organizations. It is built around the Baseline Cyber Security Controls for Small and Medium Organizations published by the Canadian Centre for Cyber Security (CCCS), part of the Communications Security Establishment (CSE). The Standards Council of Canada accredits the certification bodies that assess and certify organizations.

Who it is for

The program is designed for organizations with roughly 1 to 499 employees — the SMB segment that holds valuable data but rarely has an enterprise security team. Certification is voluntary, but it is increasingly valuable when bidding for government and enterprise contracts, applying for cyber insurance, or simply demonstrating diligence to customers.

The 13 baseline controls

Certification is assessed against 13 baseline control areas: an incident response plan, automatic patching, security configuration, strong user authentication (including MFA), employee awareness training, backups and recovery, secure mobility, perimeter defences, malware protection, secure cloud and outsourced IT, secure websites, access control, and secure portable media handling. Our readiness matrix breaks each one down with the evidence required.

Get the CyberSecure Canada Readiness Matrix

This guide explains the program. The matrix breaks down all 13 baseline controls with the evidence a certification body looks for, so you can self-assess before you apply.

How certification works

The path is straightforward in shape: (1) implement the 13 baseline controls; (2) engage an accredited certification body; (3) undergo assessment of your controls and evidence; (4) on success, you are certified and may display the CyberSecure Canada certification mark. Certification is valid for two years, after which you re-certify — which keeps the program honest as your environment and the threat landscape change.

What it costs — and what it returns

The largest cost is usually not the assessment fee but the work of closing control gaps before you apply. For most SMBs the highest-effort items are tested backups, organization-wide MFA, a real incident response plan, and consistent patching. The return is concrete: a recognized federal mark, smoother cyber-insurance underwriting, and a credible answer to the security questionnaires that now accompany most B2B and government deals.

How to get certified: a roadmap

  1. Self-assess. Run the readiness matrix against the 13 controls and mark each red/yellow/green.
  2. Close the gaps. Prioritize MFA, backups, patching, and an incident response plan.
  3. Gather evidence. Certification is evidence-based — screenshots, policies, logs, and test results.
  4. Engage an accredited certification body and complete the assessment.
  5. Maintain it. Keep controls current and re-certify before the two-year mark.

CyberSecure Canada in context

CyberSecure Canada is the most accessible on-ramp to a recognized security posture for an SMB, and it maps cleanly onto CIS Controls v8.1. Organizations in regulated sectors will layer it with sector rules — PHIPA for health, OSFI B-13 for federally regulated finance — but the baseline controls are the common foundation underneath all of them.

About this guide

This guide is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited, a Canadian managed IT and cybersecurity provider and Microsoft Solutions Partner. It is reviewed as legislation and program requirements change. Definitions are written for business leaders, not lawyers — for a legal opinion on your specific obligations, consult qualified counsel.

Want a second opinion on where your organization actually stands? We will review your current controls against this framework in plain language — no jargon, no obligation.