Cybersecurity Assessment Checklist for Canadian SMBs (2026 Edition)
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
A cybersecurity assessment checklist for a Canadian SMB is a control-by-control review that proves protections are enforced, owned, and recoverable. The point is not a binder. The point is producing evidence that the basics hold before a cyber insurer, a procurement reviewer, or a ransomware operator finds the gap first.
Key Takeaways
- The 2026 FC checklist scores 8 categories against Canadian Centre for Cyber Security baseline controls, CIS v8.1 IG1, and NIST CSF 2.0.
- Identity, endpoint, and backup gaps drive most Canadian SMB incidents and most cyber insurance loss ratios.
- Score Pass, Partial, or Fail per control with named evidence; no evidence within 10 minutes downgrades the score.
- The 6-step FC workflow runs scope, evidence pull, control test, scoring, report, and remediation roadmap inside two weeks.
- PIPEDA, Bill C-8, and OSFI E-21 reviewers weigh documented control evidence over stated policy intent.
What is a cybersecurity assessment, and why every Canadian SMB needs one
Copilot note for the checklist: if your tenant licenses Copilot, add the Pre-Copilot SharePoint Audit to the assessment scope before deployment, because Copilot surfaces whatever SharePoint content a user's existing permissions already allow.
A cybersecurity assessment maps each control to evidence that proves it is live, current, and assigned. It scales for Canadian businesses between 10 and 200 users, and aligns with the Canadian Centre for Cyber Security baseline controls, CIS Controls v8.1 IG1, and NIST CSF 2.0.
The 2025 IBM Cost of a Data Breach Report places the average Canadian breach at CA$6.98M, with stolen credentials the leading initial access vector. The Insurance Bureau of Canada now treats documented MFA, EDR, and tested backups as underwriting prerequisites on most cyber policies issued in 2026.
The deliverable is a working tool, not a policy artifact. Each row asks one question: can this control be proven right now? If the answer needs a meeting, the control is weaker than the policy claims. See cybersecurity services.
The 8 categories of the FC assessment checklist
The FC checklist organizes controls into 8 categories. Each pairs a category goal with the pass criteria a Canadian SMB should be able to evidence on demand.
| Category | Control Focus | Pass Criteria | Primary Tool |
|---|---|---|---|
| 1. Identity and access | MFA, PAM, conditional access, offboarding | 100% MFA, named admins, conditional access enforced | Microsoft Entra ID |
| 2. Endpoint and EDR | EDR coverage, patch state, disk encryption | 100% device coverage, 14-day patch SLA, BitLocker on | Microsoft Defender XDR or SentinelOne |
| 3. Email security | Phishing defence, DMARC, banner rules, training | DMARC enforced, quarterly simulation under 10% click | Microsoft Defender for Office 365 |
| 4. Backup and DR | Immutable backup, restore tests, RTO and RPO | Immutable copy, 90-day restore test, RTO documented | Veeam |
| 5. Data protection | Classification, DLP, encryption at rest and in transit | Sensitive data labelled, DLP active, TLS enforced | Microsoft Purview |
| 6. Detection and response | SIEM, alert routing, dwell-time monitoring | 90-day log retention, 24×7 alert routing | Microsoft Sentinel |
| 7. Policies and IR plan | Acceptable use, IR runbook, tabletop exercise | IR plan signed, tabletop run inside 12 months | NinjaOne policy library |
| 8. Compliance posture | PIPEDA, Bill C-8, OSFI E-21, vendor risk | Breach playbook current, vendor register live | Microsoft Purview Compliance Manager |
The categories are scored independently, then summed into a composite. Identity, endpoint, and backup carry the heaviest risk weight, since a failure in any one of those usually decides whether an incident becomes a recoverable inconvenience or a board-level event.
Identity and access (MFA, PAM, conditional access)
Identity is the first category for a reason. Microsoft telemetry shows MFA blocks the overwhelming majority of identity-based attacks, and the Office of the Privacy Commissioner of Canada records PIPEDA breach reports dominated by credential compromise. An SMB that cannot prove 100% MFA coverage with conditional access is already behind its insurer.
Pass criteria are concrete. Every account, including service accounts and break-glass admins, requires MFA with no legacy authentication bypass. Privileged access uses named admin identities in Microsoft Entra ID with just-in-time elevation. Conditional access blocks risky sign-ins and enforces compliant device posture. Offboarding revokes access on day one with a sampled three-user audit.
Endpoint and EDR coverage
Endpoint coverage is the second pillar. Every active device, including BYOD laptops with corporate data and any on-prem server, needs an EDR or XDR agent reporting into a managed console. A spreadsheet of installed agents is not coverage. A live console at 100% of inventoried assets with current signatures is.
FC standardizes on Microsoft Defender XDR for Microsoft-aligned tenants and SentinelOne where Linux density argues for it. Patch state runs through NinjaOne with a 14-day SLA on critical CVEs and a 30-day SLA on high. BitLocker stays enforced on every Windows endpoint, FileVault on Mac, with recovery keys escrowed in Entra ID.
Email security and phishing defence
Email is still the front door. The pass bar starts at DMARC enforcement on every sending domain, SPF and DKIM aligned, and external sender banners on. Defender for Office 365 handles attachment detonation, URL rewriting, and impersonation protection, with quarantine reviewed weekly.
Awareness training sits in the same category. Quarterly phishing simulations run on a published cadence with completion tracked, and the rolling click rate should trend under 10% inside 12 months. A program that lives only in the policy folder fails this control.
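As an added illustration of the DMARC and SPF pass bar above (not code from the original checklist or from FC), this Python grades DNS TXT records on the same Pass, Partial, Fail scale. The domain names and records are constructed; a live check would pull the TXT records for _dmarc.<domain> and <domain> from DNS instead.

```python
def parse_tags(record: str) -> dict:
    """Split DMARC 'tag=value; tag=value' syntax into a dict; keys lower-cased."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_dmarc(record: str) -> tuple:
    """Pass only when failing mail is quarantined/rejected for domain and subdomains at pct=100."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1" or "p" not in t:
        return "Fail", "no valid DMARC record published"
    policy, sub = t["p"].lower(), t.get("sp", t["p"]).lower()
    if policy == "none":
        return "Fail", "p=none only reports; spoofed mail is still delivered"
    if sub == "none":
        return "Partial", "sp=none leaves subdomains unenforced"
    pct = t.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "Partial", f"pct={pct} enforces only part of the mail stream"
    return "Pass", f"p={policy}, sp={sub}, pct=100"

def grade_spf(record: str) -> tuple:
    """SPF must exist and end in -all; ~all is soft fail, +all or ?all is not a control."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "Fail", "no SPF record published"
    last = terms[-1].lower()
    if last == "-all":
        return "Pass", "unlisted senders hard-fail"
    if last == "~all":
        return "Partial", "~all soft-fails; many receivers still deliver"
    return "Fail", f"record ends in {last!r}, permissive or missing 'all'"

# Constructed sample records (not real domains); a live check queries TXT at _dmarc.<domain> and <domain>.
SAMPLE_RECORDS = {
    "good.example": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@good.example",
                     "v=spf1 include:_spf.mailer.example -all"),
    "monitor.example": ("v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
                        "v=spf1 include:_spf.mailer.example ~all"),
    "rollout.example": ("v=DMARC1; p=quarantine; pct=25", "v=spf1 mx -all"),
    "nodmarc.example": ("", "v=spf1 +all"),
}

def assess_domains(records=SAMPLE_RECORDS) -> dict:
    """Score each sending domain's email-security row from its DMARC and SPF records."""
    return {d: {"dmarc": grade_dmarc(r[0])[0], "spf": grade_spf(r[1])[0]}
            for d, r in records.items()}
```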
Backup and disaster recovery
Backups are graded on three things: immutability, recovery testing, and documented objectives. Immutable copies, ideally air-gapped or object-locked, defeat the ransomware operator playbook of encrypting the backup tier first. Veeam is the FC default, paired with object-lock storage and a documented retention policy that survives an admin compromise.
Restore tests run on at least a 90-day cadence on the workloads that matter most, with the recovery time observed and recorded. RTO and RPO must be written down, tied to specific systems, and signed off by the business owner. A backup job report alone is not evidence of recoverability.
Documented policies and IR plan
Policies and the incident response plan are scored together because they share the same failure mode: the document exists, no one has rehearsed it, and the named owner left two roles ago. The pass bar is a current acceptable use policy, a data-handling policy, and an IR runbook with named primary and secondary responders, insurer contact, and legal counsel.
A tabletop exercise inside the last 12 months is non-negotiable. The exercise does not need to be elaborate. A 90-minute walk-through of a ransomware scenario and a credential-theft scenario, with the IR plan open and a notes capture, is enough to surface stale phone numbers, missing approvals, and unclear authority.
Compliance posture (PIPEDA / Bill C-8 / OSFI E-21)
Compliance is the eighth category, not the first, because compliance follows controls. Once identity, endpoint, backup, and IR are evidenced, mapping into PIPEDA, Bill C-8, and OSFI E-21 is bookkeeping. The pass bar is a current breach playbook with notification timelines, a live vendor register with named, time-bound third-party access, and a written record of how each statutory obligation maps to a tested control.
For federally regulated entities, OSFI Guideline E-21 expects documented operational resilience, third-party risk management, and tested recovery. For most other Canadian SMBs, PIPEDA breach-of-security-safeguards reporting and the forthcoming Bill C-8 obligations on critical cyber systems set the floor. See PIPEDA compliance for small business in Canada for the reporting workflow.
The 6-step assessment workflow FC runs
FC runs every assessment through the same 6-step workflow. The cadence is two weeks from kickoff to remediation roadmap, with a CISSP leading scoping and report sign-off.
| Step | What Happens | Output |
|---|---|---|
| 1. Scope | Confirm entities, sites, regulated data, and evidence owners | Signed scope memo, named owner per category |
| 2. Evidence pull | Collect Entra ID, Defender or SentinelOne, NinjaOne, Veeam, Purview exports | Evidence folder timestamped at intake |
| 3. Control test | Validate each control against pass criteria, sample three users per identity row | Per-control test notes with screenshots |
| 4. Scoring | Score Pass, Partial, Fail per control; weight by category risk | Composite score with category heatmap |
| 5. Report | CISSP review, executive summary, mapped findings to PIPEDA, Bill C-8, OSFI E-21 | Signed assessment report |
| 6. Roadmap | Remediation grouped 30-day, 90-day, 6-to-12-month with named owners | Sequenced roadmap, insurer-ready evidence pack |
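An added worked example of the scoring and roadmap steps (not FC's own tooling): it applies the 10-minute evidence rule, the Partial cap on stale evidence, category weighting, and the 30-day rule for identity, endpoint and backup failures to constructed assessment results. The numeric weights, the 90-day freshness window and the 90-day versus 6-to-12-month boundary are assumptions, since the page gives no numbers for them.

```python
from dataclasses import dataclass

POINTS = {"Pass": 1.0, "Partial": 0.5, "Fail": 0.0}
# Assumed weights: the page calls identity, endpoint and backup heaviest but gives no numbers.
WEIGHT = {"Identity and access": 3, "Endpoint and EDR": 3, "Backup and DR": 3,
          "Email security": 2, "Detection and response": 2, "Data protection": 1,
          "Policies and IR plan": 1, "Compliance posture": 1}
HEAVY = {k for k, w in WEIGHT.items() if w == 3}

@dataclass
class Control:
    category: str
    name: str
    tested: str                       # assessor's result against the pass criteria
    evidence_minutes: "float | None"  # minutes to produce evidence; None = never produced
    evidence_age_days: int = 0

def score_control(c: Control) -> str:
    """No evidence inside 10 minutes is a Fail; stale evidence caps a Pass at Partial."""
    if c.evidence_minutes is None or c.evidence_minutes > 10:
        return "Fail"
    if c.tested == "Pass" and c.evidence_age_days > 90:  # assumed 'recent' window
        return "Partial"
    return c.tested

def roadmap_tier(c: Control) -> "str | None":
    """Fail in a heavy category is 30-day (from the page); other boundaries are assumed."""
    s = score_control(c)
    if s == "Pass":
        return None
    if s == "Fail" and c.category in HEAVY:
        return "30-day"
    return "90-day" if s == "Fail" or c.category in HEAVY else "6-to-12-month"

def composite(controls) -> tuple:
    """Average each category's control points, then weight them into a 0-100 score."""
    by_cat = {}
    for c in controls:
        by_cat.setdefault(c.category, []).append(POINTS[score_control(c)])
    cat = {k: sum(v) / len(v) for k, v in by_cat.items()}
    total = sum(WEIGHT[k] for k in cat)
    return round(100 * sum(cat[k] * WEIGHT[k] for k in cat) / total), cat

SAMPLE = [  # constructed assessment results, not a real client
    Control("Identity and access", "100% MFA, no legacy auth", "Pass", 3, 5),
    Control("Identity and access", "Day-one offboarding audit", "Partial", 8, 10),
    Control("Endpoint and EDR", "EDR agent on 100% of inventory", "Pass", None),
    Control("Backup and DR", "90-day restore test observed", "Pass", 5, 120),
    Control("Policies and IR plan", "Tabletop inside 12 months", "Fail", 4),
]
```

On the sample, the EDR row fails because its evidence was never produced, the stale restore test drops to Partial, and the composite lands at 38 with the EDR gap in the 30-day tier.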
Field Note from Mike Pearlstein, CISSP
On a recent Hamilton manufacturer assessment, the policy folder claimed quarterly phishing simulations and a 6% click rate. The Defender for Office 365 console said otherwise: two simulations in 14 months, with a quarter of staff never receiving one. The policy was real. The enforcement evidence was not. We rebuilt the cadence in 30 days; the next run hit 9% with full coverage.
Common assessment mistakes
The same mistakes recur across first-time assessments. Treating policies as evidence is the largest. A signed acceptable use policy is not proof that MFA is enforced, that backups restore, or that EDR sits on every device. Reviewers want the live console, not the binder.
Skipping the restore test is the second. A green job report shows the job ran, not that data is recoverable. The third is mistaking compliance mapping for control work, where teams colour-code PIPEDA clauses without testing whether a privileged session opens without MFA. Start with controls, then map.
FAQ
What is a cybersecurity assessment checklist for Canadian SMBs?
It is a structured review that pairs each control with collected evidence and a named owner, scaled for organizations between 10 and 200 users. The 2026 FC checklist covers 8 categories and maps directly to Canadian Centre for Cyber Security baseline controls, CIS Controls v8.1 IG1, and NIST CSF 2.0.
How often should a Canadian SMB run the assessment?
Run a lightweight pass quarterly and a full assessment annually, plus a fresh review after any infrastructure change, insurance renewal, M&A event, or security incident. Annual cadence is the floor most insurers and procurement reviewers expect.
Which framework should the checklist map to?
Use NIST CSF 2.0 for the function-level structure, CIS Controls v8.1 IG1 for the technical control set, and Canadian Centre for Cyber Security baseline controls for Canada-specific obligations. The three overlap by design and align with PIPEDA, Bill C-8, and OSFI E-21.
What evidence proves a control is real?
A recent dashboard export, configuration screenshot, log sample, signed policy, restore test result, or training completion report. A control without recent evidence scores Partial at best, whatever the policy claims, and Fail if the evidence cannot be produced inside 10 minutes.
How does the FC checklist handle PIPEDA and Bill C-8?
Compliance is the eighth category. Once identity, endpoint, backup, and IR controls are evidenced, the FC report maps each finding back to PIPEDA breach-of-security-safeguards obligations, Bill C-8 critical cyber system requirements where applicable, and OSFI E-21 for federally regulated entities.
Who should run the assessment internally?
An IT lead, operations manager, or owner with administrative access can complete the first pass. If the business is regulated, multi-site, preparing for cyber insurance renewal, or unable to produce evidence in a working day, a CISSP-led external assessor is the better path.
What tools support the controls in the FC checklist?
The FC stack pairs Microsoft Entra ID for identity, Microsoft Defender XDR or SentinelOne for endpoint, Microsoft Purview for data protection and DLP, NinjaOne for patch and policy hygiene, Veeam for immutable backup, and Microsoft Sentinel for SIEM and detection.
What is the difference between a checklist and a full assessment?
A checklist is a control-by-control proof exercise an internal team can complete. A full assessment adds independent testing, threat modelling, control-design review, and a sequenced remediation roadmap, with a CISSP signing the report. The 2-week FC workflow above is the full version.
What does a good remediation roadmap look like?
A short list with three columns: finding, named owner, target date. Group items into 30-day, 90-day, and 6-to-12-month tiers by composite score and category weight. Anything Fail in identity, endpoint, or backup goes in the 30-day tier with weekly status reporting.