Provide Workforce Documentation

CyberSecure Canada Section 4.4.3.10 requires organizations to provide documentation attesting to the total number of employees, part-time employees, and contractors that may have access to the organization's data. This evidence of workforce with data access CyberSecure Canada is crucial for passing the certification audit.

You can generate a user population report for security audits directly from your HR Information System (HRIS) or Identity and Access Management (IAM) directory. Ensure you filter the report for active users with logical access permissions.

Yes, the standard explicitly requires documentation for both part-time employees and external contractors. Proper contractor data access reporting ensures no temporary or third-party worker is overlooked in your access control environment.

Organizations typically use their core Identity Provider (IdP), Active Directory, or HRIS platform to pull an accurate employee and contractor data access list. These systems serve as the single source of truth for active users.

While the formal CyberSecure Canada audit requires this documentation annually, access control audit evidence should be updated dynamically or reviewed at least quarterly to ensure accuracy during employee onboarding and offboarding.

A template for workforce access inventory should include the user's name, role, employment type (full-time, part-time, contractor), and confirmation of their active status within your data environments.

Implement strict contractor access management by assigning expiration dates to their accounts in your identity system and maintaining a segmented access roster for auditors employees contractors.

The best way to demonstrate how to document users with data access for compliance is to provide a point-in-time export from your central directory that clearly tallies the number of internal and external users, supplemented by a summary cover sheet.

Service accounts should be tracked separately in your asset or system inventories and tied back to a human owner. When focusing on how to count employees with system access, only individual human users should be included in the primary workforce documentation.

CyberSecure Canada workforce documentation requirements specify that you must attest to the 'total number', so providing a summary count broken down by employment type alongside the detailed user access list is necessary.

Keeping an accurate workforce access roster is easiest when HR and identity data stay consistent over time, because manual spreadsheets quickly drift as people join, change roles, or leave. Tools like WatchDog Security's Compliance Center can help teams map this control to required evidence, track collection status, and store point-in-time roster exports so the organization can reproduce counts and supporting documentation during an audit.

A practical approach is to compare HR headcount by employment type (FTE, part-time, contractor) against active accounts in the identity directory and investigate mismatches (e.g., stale contractor accounts or duplicate identities). Tools like WatchDog Security's Asset Inventory can help centralize identity mapping and maintain a consistent inventory view that supports reliable headcount and access population reporting.