Canadian Centre for Cyber Security

This document is for small and medium organizations seeking to improve their resiliency through investment in cyber
security. This is part of the response to the need expressed in the National Cyber Security Strategy [2] for the Government of
Canada to support small and medium organizations by making cyber security more accessible.
As stated in the National Cyber Threat Assessment [3], small and medium organizations are most likely to face cyber threat
activity in the form of cybercrime that often has immediate financial or privacy implications. Cyber threat actors target
Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems,
and proprietary information. Cyber security incidents can also result in reputational damage, productivity loss, intellectual
property theft, operational disruptions, and recovery expenses.
We recommend Annex 4A – Profile 1 of Information Technology (IT) Security Risk Management (ITSG-33) [4] to organizations
seeking to reduce their risk of cyber security incidents. This profile is the Canadian specification of controls equivalent to
those of the NIST Cyber Security Framework [5] or ISO/IEC 27001:2013 [6]. The reality, however, is that this profile is
expensive to implement, beyond the financial and/or human resources means of most small and medium organizations in
We believe that organizations can mitigate most cyber threats through awareness and best practices in cyber security and
business continuity. As such, we believe we can successfully apply the 80/20 rule (achieve 80% of the benefit from 20% of
the effort) in the domain of cyber security and achieve concrete gains for the cyber security of Canadians. This document
presents a condensed set of advice, guidance, and security controls on how organizations can get the most out of their
cyber security investments. We call these baseline cyber security controls (hereafter baseline controls).
We encourage organizations to implement as many of these baseline controls as possible, and we understand that not every
organization can implement every control. If the majority of Canadian organizations implement these controls, however,
Canada will be more resilient and cyber-secure. For additional advice, please visit