
CyberSecure Canada Certification: Cost, the 13 Controls, and How to Get Certified

More Canadian businesses are being asked to prove they take security seriously — by insurers, by enterprise customers, and increasingly in RFPs. CyberSecure Canada is the federal government’s answer: a recognized certification, built for small and medium organizations, that says you’ve put a baseline of sensible controls in place. Here’s what it is and how to earn it.

This is a general overview, not legal or compliance advice — confirm the current program requirements before you start.

What CyberSecure Canada is

CyberSecure Canada is a national cybersecurity certification program run by Innovation, Science and Economic Development Canada (ISED). It’s aimed squarely at small and medium organizations — roughly 1 to 499 employees — that don’t have the time or budget for a heavyweight framework like ISO 27001.

The certification is built on the Canadian Centre for Cyber Security’s Baseline Cyber Security Controls for Small and Medium Organizations — 13 practical controls (more on those below). Independent, accredited certification bodies assess your organization against those controls, and the Standards Council of Canada accredits those assessors. Once certified, you can display the CyberSecure Canada certification mark, and the certification is valid for two years before you need to recertify.

The 13 baseline controls

Certification comes down to demonstrating these 13 controls. None of them are exotic — they’re the fundamentals, done consistently:

  1. Develop an incident response plan — know who does what when something goes wrong.
  2. Automatically patch operating systems and applications — keep software current.
  3. Enable security software — anti-malware on endpoints.
  4. Securely configure devices — change default passwords, turn off what you don’t need.
  5. Use strong user authentication — MFA, especially on email, remote access, and admin accounts.
  6. Provide employee awareness training — so staff can spot phishing.
  7. Back up and encrypt data — and test that you can actually restore it.
  8. Secure mobility — manage phones, tablets, and laptops that leave the office.
  9. Establish basic perimeter defences — firewall, email filtering, web protection.
  10. Secure cloud and outsourced IT services — your SaaS and providers count too.
  11. Secure websites — keep your public-facing sites patched and configured.
  12. Implement access control and authorization — least privilege; people get only what they need.
  13. Secure portable media — control USB drives and external storage.

If you’ve worked through our 12-point cybersecurity checklist, most of this will look familiar.

What it costs

There’s no single sticker price, because cost depends on two things: the work to implement any controls you’re missing, and the assessment fee charged by the certification body you choose. ISED provides free eLearning and tooling to help you prepare, so the program itself isn’t the expensive part — the gap-closing usually is. The good news is that most of the controls are things you should have anyway, and several overlap directly with what cyber insurers now require.

The path to getting certified

  1. Implement the 13 controls. This is the real work. Do an honest gap assessment first.
  2. Create an account on the CyberSecure Canada portal and complete the readiness survey.
  3. Choose an accredited certification body through the portal.
  4. Undergo the assessment — primarily a documentation review against the controls, with interviews if the assessor needs clarification.
  5. Get certified, display the mark, and recertify in two years.

Is it worth it?

For a Canadian SMB, CyberSecure Canada hits a sweet spot. It’s lighter than SOC 2 or ISO 27001 (which we cover in SOC 2 for Canadian companies), it’s recognized federally, and the controls it certifies are the same ones that reduce your actual risk and help you qualify for cyber insurance. If you’re fielding security questionnaires from customers or want a credible way to signal maturity, it’s one of the most cost-effective certifications available.

The hardest part is closing the gaps and keeping the controls running day to day — which is exactly where a managed security partner earns its keep.