CyberSecure Canada is a voluntary federal cybersecurity certification programme designed for small and medium-sized enterprises (SMEs). It was originally launched by Innovation, Science and Economic Development Canada (ISED) and is now administered by the Standards Council of Canada (SCC), which took over as program authority on March 31, 2023.
If you run a Canadian SMB, charity, or venue and have ever wondered whether CyberSecure Canada is worth pursuing, this is the short version of what it is, what it requires, and what value it actually provides.
What it is
CyberSecure Canada is a third-party-audited certification that demonstrates an organization has implemented a defined baseline set of cybersecurity controls. The certification is granted by an accredited Certification Body (a private firm accredited by the Standards Council of Canada), is valid for two years, and gives the certified organization the right to display an official certification mark.
The technical baseline is defined by National Standard CAN/CIOSC 104:2021, which itself is built on the 13 baseline cybersecurity controls developed by the Canadian Centre for Cyber Security (CCCS). These controls are publicly documented and are designed to give SMEs the greatest protection with the smallest implementation burden.
The 13 baseline controls
The CCCS baseline controls are deliberately not exotic. They map closely to what most cybersecurity frameworks ask for at the foundational level. The 13 controls cover, broadly:
- Developing an incident response plan.
- Automatically patching operating systems and applications.
- Enabling security software (anti-malware, host firewalls).
- Securely configuring devices.
- Using strong user authentication, including multi-factor authentication.
- Providing employee awareness training.
- Backing up and encrypting data.
- Securing mobile devices.
- Establishing basic perimeter defences.
- Securing cloud and outsourced IT services.
- Securing websites.
- Implementing access control and authorization.
- Securing portable media.
The full text of each control, with implementation guidance, is published on the Canadian Centre for Cyber Security website. If you have already aligned to NIST CSF, CIS Controls, or ISO 27001, every one of these controls will look familiar.
The certification process
The certification process has four practical stages:
1. Self-assessment. The organization implements the 13 baseline controls and documents implementation. The CyberSecure Canada portal hosts a readiness survey that mirrors what an auditor will eventually verify.
2. Engage a Certification Body. The organization selects an accredited Certification Body via the CyberSecure Canada portal. Certification Bodies are private firms (both Canadian and international) that have been accredited by the Standards Council of Canada specifically for this programme. Pricing is set by each Certification Body individually, not by the federal government.
3. Audit. The Certification Body conducts the audit, which is primarily a documentation review against the standard's requirements. Most audits can be conducted remotely, which is one of the cost-control mechanisms built into the programme. If the auditor needs clarification, interviews follow.
4. Certification and display. Upon successful audit, the organization receives certification valid for two years and the right to display the CyberSecure Canada certification mark. Certified organizations can also opt into a public database of certified organizations on the SCC website.
Recertification follows the same process every two years. Organizations recertifying after January 1, 2023 must adhere to the National Standard (CAN/CIOSC 104:2021) rather than the original baseline controls document.
Who is it actually for?
CyberSecure Canada is targeted at SMEs — the federal government's working definition is organizations with fewer than 500 employees, though the programme also accepts enterprise-sized applicants. The certification is most useful for:
- SMBs that supply goods or services to government, large enterprises, or supply chains where cybersecurity attestation is increasingly a procurement requirement.
- Charities seeking to reassure funders, donors, or boards about their cybersecurity posture.
- Organizations preparing for cyber insurance underwriting where carriers want third-party validation of controls.
- Organizations preparing to bid for federal defence contracts — CyberSecure Canada interacts with the new Canadian Program for Cyber Security Certification (CPCSC) for defence suppliers.
If your organization has no procurement, funder, or regulatory pressure for cybersecurity attestation, the certification is still valuable as a forcing function for getting the basics right — but it is reasonable to question whether the audit cost is the best use of cybersecurity budget compared to, say, getting incident response or backups truly working first.
How it relates to other frameworks
CyberSecure Canada is intentionally narrower than NIST CSF or ISO 27001. It is a baseline, not a maturity model. An organization aligned to NIST CSF 2.0 at Tier 2 (Risk-Informed) or above will almost certainly satisfy the CyberSecure Canada controls without major additional work; the audit will mostly be a documentation exercise.
For organizations operating in regulated sectors or pursuing more stringent contracts, CyberSecure Canada is a useful signal but not a substitute for the regulator-specific or contract-specific controls those engagements demand. It is a foundation, not a ceiling.
Resources
Official programme information is published at canada.ca/cybersecure (run by ISED) and on the Standards Council of Canada page at scc.ca. The 13 baseline controls and detailed implementation guidance are at cyber.gc.ca, the Canadian Centre for Cyber Security website. The free e-learning course "Course 625: Cyber Security for Small and Medium Organizations" is available through the Canadian Centre for Cyber Security's Learning Hub.
For organizations weighing whether to pursue certification, the Canadian Centre for Cyber Security's resources are worth reading first — they will give you a clear picture of the implementation lift before you engage a Certification Body.
Disclaimer. Programme details, certification pricing, and accreditation processes change over time. Always verify current programme information directly with the Standards Council of Canada and your chosen Certification Body before committing.