Canadian Center for Cyber Security

Make sure everyone in your organization is following all these rules

This document is for small and medium organizations seeking to improve their resiliency through investment in cyber
security. This is part of the response to the need expressed in the National Cyber Security Strategy [2] for the Government of Canada to support small and medium organizations by making cyber security more accessible.
As stated in the National Cyber Threat Assessment [3], small and medium organizations are most likely to face cyber threat activity in the form of cybercrime that often has immediate financial or privacy implications. Cyber threat actors target Canadian businesses for their data about customers, partners and suppliers, financial information and payment systems, and proprietary information. Cyber security incidents can also result in reputational damage, productivity loss, intellectual property theft, operational disruptions, and recovery expenses.

We recommend Annex 4A – Profile 1 of Information Technology (IT) Security Risk Management (ITSG-33) [4] to organizations seeking to reduce their risk to cyber security incidents. This profile is the Canadian specification of controls equivalent to that of the NIST Cyber Security Framework [5] or ISO/IEC 27001:2013 [6]. The reality, however, is that this profile is expensive to implement, beyond the financial and/or human resources means of most small and medium organizations in Canada.

We believe that organizations can mitigate most cyber threats through awareness and best practices in cyber security and
business continuity. As such, we believe we can successfully apply the 80/20 rule (achieve 80% of the benefit from 20% of the effort) in the domain of cyber security and achieve concrete gains for the cyber security of Canadians. This document presents a condensed set of advice, guidance, and security controls on how organizations can get the most out of their cyber security investments. We call these baseline cyber security controls (hereafter baseline controls).

We encourage organizations to implement as many of these baseline controls as possible, and we understand that not every organization can implement every control. If the majority of Canadian organizations implement these controls, however, Canada will be more resilient and cyber-secure. For additional advice, please visit

How Can We Help You?