Implement Foundational Controls
Plain English Translation
Organizations pursuing certification must establish a strong security foundation by implementing a prescribed set of CyberSecure Canada baseline controls. According to the CAN/DGSI 104 standard, these foundational measures must be applied universally, regardless of the specific outcomes of an organization's internal risk assessment. This ensures that every certified business maintains a standardized minimum level of security maturity that is appropriately tailored to their specific technology stack and operating environment.
Technical Implementation
Required Actions (startup)
- Review the CyberSecure Canada baseline controls checklist to identify applicable Section 5 and Section 6 requirements.
- Implement fundamental IT controls like multi-factor authentication, automatic patching, and anti-malware deployments.
Required Actions (scaleup)
- Map existing security tools and configurations to the CyberSecure Canada guidance on how to implement each baseline control.
- Formalize documentation and gather structured evidence for audit preparation.
Required Actions (enterprise)
- Automate continuous monitoring of the baseline cyber security controls that Canadian small-business and enterprise environments require.
- Integrate baseline compliance validation checks directly into standard change management and deployment pipelines.
The CyberSecure Canada baseline controls are a set of mandatory technical and organizational safeguards outlined in Sections 5 and 6 of the CAN/DGSI 104 standard. They include fundamental practices like incident response planning, automatic patching, strong user authentication, and basic perimeter defenses.
Organizations must implement all core Section 5 baseline cybersecurity controls. For Section 6 controls, applicability depends on your infrastructure; you must adopt the baseline security controls based on business environment factors, such as whether you use mobile devices, cloud services, or point-of-sale systems.
CyberSecure Canada control 4.4.3.8 requires that, regardless of the findings from an internal risk assessment, an organization must comprehensively implement all applicable foundational cybersecurity controls for SMEs specified in the standard to achieve certification.
Organizations should perform a formal gap analysis using a CyberSecure Canada baseline controls checklist to compare their current IT configurations, documented policies, and security tools against the explicit requirements of CAN/DGSI 104 Sections 5 and 6. Tools like WatchDog Security's Compliance Center can help structure the gap analysis by control, assign owners, and centralize evidence as items are remediated.
Auditors reviewing baseline-controls evidence for CyberSecure Canada certification will look for approved policies, system configuration screenshots, access logs, risk treatment plans, and a Statement of Applicability confirming that each relevant control is active and effective. Tools like WatchDog Security's Compliance Center can organize evidence by control, and WatchDog Security's Trust Center can help share selected evidence securely with auditors or customers.
You must implement all applicable controls. To determine which baseline cybersecurity controls are required for CyberSecure Canada, you evaluate your environment. If a specific technology is not used (e.g., your business has no point-of-sale system), that specific Section 6 control can be marked as not applicable with a documented business justification.
To fully implement foundational controls for cybersecurity certification, an SME typically takes three to six months. This timeline depends heavily on the organization's existing security maturity, resource availability, and the complexity of its IT infrastructure.
Common gaps when implementing CyberSecure Canada baseline controls include a lack of formalized incident response plans, incomplete multi-factor authentication coverage, undocumented secure configurations, and unmonitored vendor risks in cloud environments.
While organizations must conduct a formal risk assessment to identify specific operational threats, the baseline cyber security controls the standard mandates for Canadian small businesses must be implemented as a universal foundation, acting as a mandatory floor for risk treatment regardless of the assessment's specific outcomes.
Organizations should review their controls and test their effectiveness at least annually. They should also update their implementation of the CAN/DGSI 104 baseline controls whenever significant changes occur to their business environment, IT architecture, or the external threat landscape.
Implementing baseline controls usually fails on tracking: what applies to each environment, who owns it, and where evidence lives. Tools like WatchDog Security's Compliance Center can map baseline controls to your environments, track implementation status, and link evidence, while WatchDog Security's Asset Inventory and Risk Register help keep system scope and risk treatment aligned to what is actually in use.
Baseline controls can drift as systems change (new cloud resources, config changes, missed patches), so point-in-time checks may miss regressions. Tools like WatchDog Security's Posture Management and Vulnerability Management can help detect misconfigurations and weaknesses continuously and feed results into a remediation workflow with evidence of closure.
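The applicability decision (Section 6 controls switched on by environment factors such as cloud, mobile or point-of-sale), the common gaps listed above (MFA coverage, missed patches, missing anti-malware) and the idea of a pipeline check that fails on drift can be combined into one small validation step. The following is an added example, not CyberSecure Canada or WatchDog Security code; the control IDs, environment factors and inventory records are constructed placeholders, not the CAN/DGSI 104 numbering.

```python
from datetime import date

# Constructed catalogue: placeholder IDs, not the CAN/DGSI 104 numbering.
# Section 5 controls apply universally; each Section 6 control is tied to
# an environment factor and is only applicable when that factor is in use.
CONTROLS = {"S5-MFA": None, "S5-PATCH": None, "S5-ANTIMALWARE": None,
            "S6-MOBILE": "mobile_devices", "S6-CLOUD": "cloud_services",
            "S6-POS": "point_of_sale"}

def statement_of_applicability(env):
    """Map each control to 'applicable' or a documented justification."""
    soa = {}
    for cid, factor in CONTROLS.items():
        if factor is None or env.get(factor, False):
            soa[cid] = "applicable"
        else:
            soa[cid] = f"not applicable: {factor} not in use"
    return soa

def find_gaps(env, users, hosts, today, max_patch_age_days=30):
    """Return (control_id, finding) pairs for applicable Section 5 controls the
    inventory fails; a non-empty list should fail the pipeline stage."""
    soa = statement_of_applicability(env)
    gaps = []
    if soa["S5-MFA"] == "applicable":
        missing = sorted(u["name"] for u in users if not u["mfa"])
        if missing:
            gaps.append(("S5-MFA", f"accounts without MFA: {missing}"))
    if soa["S5-PATCH"] == "applicable":
        stale = sorted(h["name"] for h in hosts
                       if (today - h["last_patch"]).days > max_patch_age_days)
        if stale:
            gaps.append(("S5-PATCH", f"hosts unpatched > {max_patch_age_days} days: {stale}"))
    if soa["S5-ANTIMALWARE"] == "applicable":
        bare = sorted(h["name"] for h in hosts if not h["antimalware"])
        if bare:
            gaps.append(("S5-ANTIMALWARE", f"hosts without anti-malware: {bare}"))
    return gaps

# Constructed sample inventory: cloud services in use, no mobile fleet, no POS.
SAMPLE_ENV = {"cloud_services": True, "mobile_devices": False, "point_of_sale": False}
SAMPLE_USERS = [{"name": "alice", "mfa": True}, {"name": "bob", "mfa": False}]
SAMPLE_HOSTS = [{"name": "web01", "last_patch": date(2026, 2, 1), "antimalware": True},
                {"name": "fs01", "last_patch": date(2025, 12, 1), "antimalware": False}]
SAMPLE_TODAY = date(2026, 2, 24)

if __name__ == "__main__":
    print(statement_of_applicability(SAMPLE_ENV))
    print(find_gaps(SAMPLE_ENV, SAMPLE_USERS, SAMPLE_HOSTS, SAMPLE_TODAY))
```

In a real pipeline the inventory would come from the identity provider and endpoint management exports, and the returned list (plus the Statement of Applicability) is the evidence of closure to attach to each control.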
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |