calendrier d'événements

Cyber Sécuritaire Canada

CyberSecure Canada - Baseline cyber security controls for small and medium organizations

Small and medium organizations are the most likely targets for cyber threats and cybercrime. These attacks can lead to serious consequences, such as damage to the reputation of the organization, major disruptions, and loss of productivity, as well as substantial expenses incurred during business recovery.

The Canadian Centre for Cyber Security (Cyber Centre) encourages small and medium organizations to apply the baseline cyber security controls specified in the document Baseline Cyber Security Controls for Small and Medium Organizations V1.2 available on the Cyber Centre’s website. To this effect, a federal government certification program called CyberSecure Canada has been developed especially for organizations of 500 or fewer employees who wish to improve their cyber security practices.

Equipped with CyberSecure Canada certification, organizations will be able to show their commitment to the prevention of data theft, inter alia, for example, personal data of employees, clients, or suppliers; financial data; or any other confidential information.

Offre de certification 

Organizations wishing to show the efforts they are making to improve their control concerning cyber security and have this recognized may apply to the Bureau de normalisation du Québec (BNQ), whose CyberSecure Canada certification program which is accredited by the Standards Council of Canada (SCC).

To obtain certification, organizations must demonstrate to the BNQ that they are implementing security controls from the CyberSecure Canada program.

The certification cycle is a two-year cycle during which a maintenance audit is performed twelve months after the initial certification audit or the recertification audit, as applicable. The certification process begins with an initial application submitted to the BNQ using CyberSecure Canada’s online application portal, or with an application submitted directly to the BNQ by email using the application form provided for the purpose, available under Download the document required for certification.

Once the service contract between the BNQ and the client has been signed, and the requisite documentation pertaining to the CyberSecure Canada initial certification of the client has been sent to the BNQ, the name of the lead auditor is communicated to the client.

To being with, a preliminary assessment is carried out to measure the level of preparedness of the client, notably through the review of the documents submitted. The conclusions of the preliminary assessment are then communicated to the client in the form of a written report in which an initial neutral opinion is given as to conformity and the level of the client’s comprehension and implementation of cyber security controls. Should the assessment be favourable, the lead auditor prepares an audit plan.

The initial certification audit, during which relevant information pertaining to the CyberSecure Canada certification program is collected and verified by the auditor, can then start. This information is collected by means of interviews, the observation of activities and the work environment, and the consultation of documents on the spot. The client is informed of the auditor’s findings as the audit progresses, and these are also compiled in an audit report summarizing the auditor’s conclusions and given to the client.

Discrepancies observed during the audit may be subject to corrective action requests (CARs), which may be major or minor depending on the significance of the impact of the discrepancy on the achievement of the objectives. CARs must be closed (in other words resolved) within 30 days following the audit.

The decision to certify the client is based on the recommendation of the lead auditor along with the revision of the file by the BNQ to ensure that all certification conditions have been met.

Following a favourable decision by the BNQ, a certificate of conformity is sent to the client, who agrees to undergo a maintenance audit within twelve months after the first day of the initial certification audit.

  • Download certification program
  • Why choose the BNQ?

    Accredited by the Standards Council of Canada (SCC), the BNQ has always shown exemplary diligence regarding decision-making and certification recommendation. Our international accreditations guarantee that the BNQ’s procedures and practices are carried out in compliance with the regulations of the International Organization for Standardization (ISO), the International Accreditation Forum (IAF), and the World Trade Organization (WTO).

    Choosing the BNQ’s CyberSecure Canada certification program means:

    • choosing an approach that is transparent, independent, impartial, uniform, and confidential;
    • having access to an auditing approach that is structured, rigorous, trustworthy, and proven; and
    • increasing the confidence of your clients, suppliers, shareholders, employees, and other stakeholders regarding the controls put in place.
  • Webinar (French only)
    • 2022-10-27  L'information en votre possession est-elle traitée de façon sécuritaire?

    Présentation (PDF)

  • Contact

    Nancie Carrière
    Sales Technician
    Bureau de normalisation du Québec
    Cell.: 581-998-3625
    This email address is being protected from spambots. You need JavaScript enabled to view it.