Updated
In one paragraph
CyberSecure Canada is the federal cyber-certification program for Canadian small and medium businesses, operated by the Canadian Centre for Cyber Security (CCCS), part of the Communications Security Establishment (CSE). It targets businesses with 1 to 499 employees and certifies against 13 baseline controls drawn from the CCCS Baseline Cyber Security Controls for Small and Medium Organizations. Certification involves a self-assessment, evidence package, and third-party audit conducted by an accredited certification body. This matrix maps each of the 13 controls to CIS Controls v8.1, lists the evidence the auditor will request, and flags the controls SMBs most often fail at first attempt.
📚 New here? Start with CyberSecure Canada Certification: The Complete Guide for the plain-language overview, then use this matrix to audit your controls.
What CyberSecure Canada is
CyberSecure Canada is the federal Government of Canada cyber-certification program. It was launched in 2019 and refreshed in 2024 to align with the CCCS Baseline Cyber Security Controls for Small and Medium Organizations (Baseline Controls v1.2). The program is voluntary but is increasingly required or preferred in:
- Federal government procurement — included in evaluation criteria for many federal IT and professional services tenders.
- Provincial and municipal procurement — adopted by some procurement offices as a baseline trust signal.
- Supply-chain assurance — large Canadian enterprises increasingly require it of SMB vendors.
- Cyber-insurance underwriting — some carriers use it as evidence of baseline maturity (premium discount).
Certification is issued by accredited Certification Bodies (CBs) — not by CCCS directly. The audit process is documented in the CCCS Certification Roadmap.
Who CyberSecure Canada applies to
CyberSecure Canada is scoped to small and medium organizations:
- Small organizations — fewer than 100 employees.
- Medium organizations — 100 to 499 employees.
Federal Crown corporations, federal departments, and organizations with 500+ employees are outside the program scope and align instead to ITSG-33 or to sector-specific guidance (OSFI B-13, ITSG, etc.).
The 13 baseline controls
The 13 control areas map directly to the CCCS Baseline Cyber Security Controls v1.2 sections. The matrix below adds CIS Controls v8.1 alignment, the evidence the auditor will request, and the typical first-audit failure mode.
| # | Baseline control | CCCS reference | CIS v8.1 | Evidence requested |
|---|---|---|---|---|
| 1 | Incident response plan | 3.1 | 17.1, 17.4 | Written IRP + tabletop report |
| 2 | Automatic patching | 3.2 | 7.3, 7.4 | Patch policy + RMM compliance export |
| 3 | Backup and encryption | 3.3 | 11.1, 11.4, 3.6 | Backup policy + restore-test evidence |
| 4 | Strong authentication (MFA) | 3.4 | 6.3, 6.5 | Conditional Access policy export |
| 5 | Employee training | 3.5 | 14.1-14.3 | Training records + phishing dashboard |
| 6 | Basic perimeter defences | 3.6 | 12.2, 13.10 | Firewall config + DNS-filter logs |
| 7 | Secure mobility | 3.7 | 4.1, 4.7 | MDM compliance report |
| 8 | Cloud / outsourced IT | 3.8 | 15.1-15.7 | Vendor inventory + attestation packet |
| 9 | Secure portable media | 3.9 | 10.6, 3.10 | USB control policy + encryption report |
| 10 | Secure websites | 3.10 | 2.7, 16.7 | TLS + WAF + dependency scan reports |
| 11 | Access control & authorization | 3.11 | 5.4, 6.7, 6.8 | PAM policy + quarterly access review |
| 12 | Secure configuration of devices | 3.12 | 4.1, 4.2, 4.6 | Baseline image / Intune profile export |
| 13 | Anti-malware on devices | 3.13 | 10.1, 10.6, 10.7 | EDR/AV coverage report |
The five controls SMBs most often fail at first audit
- Incident response plan (control 1). An IRP without a documented tabletop exercise in the past 12 months reads as theoretical to the auditor.
- Backup and encryption (control 3). Backups exist but no documented restore test inside the last 6 months.
- Employee training (control 5). Training records that don’t link individual employees to completion dates, or no phishing simulation evidence.
- Cloud / outsourced IT vendor management (control 8). No vendor inventory, no SOC 2 / equivalent attestations collected for material vendors.
- Access control (control 11). Privileged accounts exist but quarterly review evidence does not.
The CyberSecure Canada certification process
- Self-assessment against the 13 baseline controls. CCCS publishes the questionnaire.
- Evidence package assembly — written policies, technical configuration evidence, training records.
- Engage an accredited Certification Body. CCCS publishes the list. Pricing typically $5,000-$15,000 for an SMB, depending on size.
- Audit — typically remote or hybrid, lasting 1-3 days.
- Certification — valid for two years. Annual maintenance attestation required.
- Renewal — re-audit at 24 months.
How this fits with CIS Controls and ISO 27001
CyberSecure Canada is a baseline. Organizations that need a stronger trust signal — federal critical infrastructure suppliers, FRFI vendors, larger enterprises — typically progress to one of:
- CIS Controls v8.1 IG2 / IG3 for SMBs that want defensible technical maturity without a formal cert.
- ISO 27001 for organizations that need an internationally recognized ISMS certification.
- SOC 2 Type II for SaaS providers and MSPs serving regulated industries.
- FedRAMP (US) or CAPCSC equivalents for organizations bidding into federal critical-systems work.
About this matrix
This matrix is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited. Fusion Computing has guided Canadian SMBs through CyberSecure Canada and CIS Controls v8.1 baseline implementations since 2019. We are a Microsoft Solutions Partner (Security, Modern Work, Infrastructure) and a CompTIA Managed Services Trustmark holder.
If you’d like a PDF version of this matrix or want a pre-audit gap analysis, book a 30-minute consult.
