Back to Resources

The Ultimate Guide to CyberSecure Canada: What is CyberSecure Canada (CSC) and How to Get Certified

The Ultimate Guide to CyberSecure Canada: What is CyberSecure Canada (CSC) and How to Get Certified

The Ultimate Guide to CyberSecure Canada: What is CyberSecure Canada (CSC) and How to Get Certified

Cybersecurity is a pressing concern for businesses, especially Startups and Small and Medium Businesses (SMBs), which attackers increasingly target due to their traditionally lax approach to security. However, there is a proactive solution. The Government of Canada’s CyberSecure Canada Program empowers Canadian SMEs to assess and demonstrate their security. This program focuses on forming and solidifying a baseline of essential security controls, and this guide will help you understand how to effectively meet these requirements and how WatchDog can simplify the process.

Importance of CyberSecure Canada

While CyberSecure Canada is not a silver bullet that guarantees your organization will never experience a cyber attack again, aligning with this framework is a great way to protect your organization from common cyber threats. It brings with it many benefits, such as:

  1. Increases Customer Trust: In a consumer survey from PingIdentity, 81% of people stopped engaging with a company following a data breach. Customer trust is paramount; having an CyberSecure Canada certification can help your organization protect itself from breaches and win customer trust.
  2. Stand Out from Competitors: Security is a marketing proposition, and businesses need to change their perspective. When you have security-conscious customers, they are not just evaluating a product category for the best features but also which is the most secure. Leveraging your CyberSecure Canada badge on your website can give you a competitive edge and help you stand out from similar competitors.
  3. Increase investor confidence: With the average cost of a data breach exceeding 4.88 million (Cost of a Data Breach Report 2024), investors have never been more skeptical when investing in businesses. After all, why cut a check for a business that will get hacked and lose trust and customers? CyberSecure Canadacompliance can help increase investor confidence by showing them that you not only follow a set of cybersecurity standards but have also been audited by a third party, which verifies the fact.
  4. Improved operational efficiency: Achieving and implementing CyberSecure Canada streamlines security and operational procedures, making it easier to build upon them to implement further security strategies. Having the processes in place to continuously evaluate needs, CyberSecure Canada makes your security operations more efficient and productive.

Get Compliance, Trust + Security in One Affordable Platform.

Monitor everything – not just what’s “in scope” – with coverage across cloud, SaaS, devices, and people, and an all-inclusive library of frameworks: GDPR, ISO 27001, HIPAA, SOC 2, and 15+ more. Get Started For Free View Pricing

The 13 Security Control Areas

CyberSecure Canada outlines 13 security controls that organizations must implement to achieve certification. This diagram represents the 13 baseline security controls. We will explore each one and delve into examples; for a complete breakdown of WatchDog Security capabilities and each control’s clauses, refer to the following detailed guide.

Access Control

Requirement: Implement measures to ensure only authorized individuals can access systems and data. This involves using strong passwords, multi-factor authentication, and role-based access controls. Industry Specific Examples

  • Healthcare: Ensuring only authorized medical staff have access to patient records through Role Based Access Control (RBAC) and Multi-Factor Authentication (MFA)
  • Finance: Role-based access control to restrict access to financial systems to only those employees who need it.
  • Retail: Limiting administrative access to point-of-sale systems to managers only.

- What Auditors Are Looking For

  • Documentation of access control policies.
  • Evidence of role-based access implementation.
  • Records of access reviews and monitoring.

Awareness Training

Requirement: Provide regular cybersecurity training to all employees to ensure they are aware of common threats and best practices for maintaining security. Industry Specific Examples

  • Education: Conducting regular training sessions for teachers and administrative staff on phishing and other cyber threats.
  • Manufacturing: Training factory floor employees on secure usage of IoT devices and machinery connected to the network.
  • Technology: Ongoing security workshops for developers on secure coding practices and threat awareness.

What Auditors Are Looking For

  • Training schedules and materials.
  • Records of employee participation in training.
  • Evidence of updated training programs based on new threats.

Data Security

Requirement: Protect sensitive data both in transit and at rest using encryption and other data protection measures. Industry Specific Examples

  • Healthcare: Encrypting endpoints that process or store electronic health records (EHR) to protect patient information.
  • E-commerce: Securing customer payment information through encrypted transactions and secure third party payment providers (e.g. Stripe)
  • Legal: Ensure that any data sent regarding client communication, cases, or otherwise is sent over an encrypted format and not over plaintext email; this can include sharing the file using SharePoint or Google Drive.

What Auditors Are Looking For

  • Encryption policies and procedures.
  • Evidence of data encryption in use.
  • Data loss prevention (DLP) measures and monitoring.

Incident Response

Requirement: Develop and implement a plan to respond to cybersecurity incidents, including identifying, managing, and recovering from incidents. Industry Specific Examples

  • Transportation: Establishing protocols to quickly respond to disruptions in transportation management systems caused by cyber-attacks.
  • Technology: Creating checks within a Cloud Platform (e.g. AWS) for unauthorized or malicious actions and having a plan to contain + remediate identified threats.
  • Retail: Developing a plan to manage data breaches that impact customer payment systems.

What Auditors Are Looking For

  • Documented incident response plan.
  • Records of incident response drills and simulations (e.g. table top exercises)
  • Incident logs and post-incident analysis reports.

Malware Defense

Requirement: Use anti-malware tools and practices to protect systems from malicious software. Industry Specific Examples

  • Education: Installing antivirus software on all school computers and conducting regular malware scans.
  • Technology: Implementing Managed Detection & Response (MDR) on production endpoints to prevent malicious activity
  • Utilities: Using specialized anti-malware tools to protect SCADA systems controlling critical infrastructure.

What Auditors Are Looking For

  • Anti-malware software deployment records.
  • Malware scan logs and reports.

Secure Configuration

Requirement: Ensure that systems are securely configured according to best practices to minimize vulnerabilities. Industry Specific Examples

  • Finance: Regularly updating and patching financial software (e.g. QuickBooks Desktop) to protect against exploits.
  • Healthcare: Configuring medical devices with secure settings to prevent unauthorized access.
  • Retail: Securing e-commerce platforms by disabling unnecessary services and changing default settings.

What Auditors Are Looking For

  • Secure configuration guidelines.
  • Records of system configurations.
  • Patch management process and logs.

Vulnerability Management

Requirement: Regularly scan for and address vulnerabilities in systems and applications. Industry Specific Examples

  • Technology: Performing regular vulnerability scans on software products and addressing identified issues.
  • Government: Conducting periodic security assessments of public service portals.
  • Healthcare: Scanning for vulnerabilities in hospital networks and medical devices.

What Auditors Are Looking For

  • Vulnerability scan records and reports
  • Documentation of vulnerability remediation.
  • Asset inventory and management records.

Data Backup and Recovery

Requirement: Implement regular data backup procedures and ensure that data can be recovered in the event of a loss. Industry Specific Examples

  • Finance: Daily backups of financial transaction data to a secure offsite location.
  • Legal: Regularly scheduled backups of client case files and legal documents.
  • E-commerce: Ensuring transactional data and customer information is backed up and can be restored quickly.

What Auditors Are Looking For

  • Data backup schedules and logs.
  • Evidence of offsite backup storage.
  • Documentation of data recovery tests and results.

Network Security

Requirement: Protect networks from unauthorized access and attacks through the use of firewalls, intrusion detection systems, and network segmentation. Industry Specific Examples

  • Healthcare: Using firewalls and network segmentation to protect patient records from unauthorized access.
  • Finance: Implementing intrusion detection systems to monitor for suspicious activity on financial networks.
  • Retail: Setting up VPNs for secure remote access to store networks.

What Auditors Are Looking For

  • Network security policies and procedures.
  • Firewall and intrusion detection system (IDS) logs.
  • VPN usage records and network segmentation documentation.

Physical Security

Requirement: Protect physical access to systems and data, especially in office environments. Industry Specific Examples

  • Finance: Securing server rooms with biometric access controls.
  • Healthcare: Using visitor logs and security badges to control access to sensitive areas.
  • Manufacturing: Protecting physical access to control systems and production machinery.

What Auditors Are Looking For

  • Physical security policies and controls.
  • Visitor log records.
  • CCTV footage and access control logs.

Personnel Security

Requirement: Implement measures to ensure the trustworthiness of personnel handling sensitive information. Industry Specific Examples

  • Technology: Conducting thorough background checks for employees coming in contact with customer data or sensitive, production systems
  • Healthcare: Defining security responsibilities for staff accessing patient data.
  • Finance: Enforcing strict policies for employee access to financial systems.

What Auditors Are Looking For

  • Background check procedures and records.
  • Security responsibilities in job descriptions.
  • Compliance with personnel security policies.

Security Assessment

Requirement: Regularly assess security controls and practices to ensure they are effective and up to date. Industry Specific Examples

  • Technology: Conducting regular security audits of software development processes.
  • Finance: Hiring third-party firms to perform security assessments of banking systems and internal network
  • Healthcare: Using internal and external audits to evaluate the security of patient data handling practices.

What Auditors Are Looking For

  • Security assessment reports.
  • Records of internal and external audits.
  • Action plans for addressing identified security issues.

Supplier Security

Requirement: Ensure that third-party suppliers and partners also meet security requirements. Industry Specific Examples

  • Retail: Conducting security assessments of suppliers handling customer data.
  • Finance: Including security requirements in contracts with third-party payment processors.
  • Healthcare: Monitoring compliance of cloud service providers storing patient information.

What Auditors Are Looking For

  • Vendor risk assessment documentation.
  • Security clauses in supplier contracts.
  • Records of ongoing supplier compliance monitoring.

The Certification Process

The CyberSecure Canada certification process is overseen by accredited third-party assessors. These independent experts conduct in-depth audits designed to identify any flaws or deficiencies in your program that could hinder your certification. In the event of a failed Stage 2 audit, your organization will be notified of the issues (referred to as Non-Conformities), and a follow-up audit will be conducted to verify that all identified NCs have been resolved.

Stay Audit-Ready and Simplify Compliance

Compliance doesn’t have to be complex. Kickstart your program on our unified trust, compliance, and security platform, free-for-life, and access:

  • Policy management – publish, distribute, and track policies with ease
  • Risk and vendor tracking – stay ahead of gaps and third-party exposures
  • Framework coverage – SOC 2, ISO 27001, HIPAA, GDPR, and 15+ more
  • Audit readiness tools – organize evidence and streamline certifications

Get started free today – no credit card required.