Transition CyberSecure Canada CBs to CAN/CIOSC 104:2021 National CyberSecure standard Baseline cyber security controls for small and medium organizations

Bulletin date:
Bulletin number: 2022-20

Action required

Effective January 1, 2023, all accredited certification bodies in the CyberSecure Canada scheme are required to certify all new clients to CAN/CIOSC 104:2021 National CyberSecure standard Baseline cyber security controls for small and medium organizations, which replaces the current CSE Baseline Controls for Small and Medium organizations, v1.2.


All accredited certification bodies of the CyberSecure Canada scheme will be assessed for their competence to certify clients to CAN/CIOSC 104:2021 National CyberSecure standard Baseline cyber security controls for small and medium organizations at their next scheduled re-accreditation assessment. 


All organizations seeking certification or re-certification on or after January 1, 2023, are required to implement the CAN/CIOSC 104:2021 National CyberSecure standard Baseline cyber security controls for small and medium organizations. 


Certification body clients that have achieved certification or are in the process of becoming certified before January 1, 2023, are not immediately affected. They have until their recertification audit to adopt the new standard.


ISED, the CyberSecure Canada scheme owner, has implemented an Exception Procedure to these requirements, under which certification bodies may request exceptions to the implementation deadline for clients by writing directly to ISED.


Affected customers

Accredited certification bodies of the CyberSecure Canada scheme.


Background

In November 2021, the CIO Strategy Council and the Government of Canada published the National Standard CAN/CIOSC 104:2021, Baseline cyber security controls for small and medium organizations. This standard replaces the current Baseline Cybersecurity Controls for small and medium organizations, v1.2 and is available here: CAN/CIOSC 104:2021 Baseline cyber security controls for small and medium organizations.


New requirements

This Standard specifies a minimum set of cyber security controls intended for small and medium organizations. CAN/CIOSC 104:2021 National CyberSecure standard Baseline cyber security controls for small and medium organizations replaces Baseline Cybersecurity Controls for small and medium organizations, v1.2.


Most significant are the following:

Organizational controls

  • Leadership (new)
  • Accountability (new)
  • Cybersecurity risk assessment (new)
  • Cybersecurity / employee awareness training

 

Baseline controls

  • Develop an incident response plan
  • Automatically patch operating systems and applications
  • Enable security software
  • Securely configure devices
  • Use strong user authentication
  • Back up and encrypt data
  • Establish basic perimeter defenses
  • Implement access control and authorization
  • Secure mobility
  • Secure cloud and outsourced IT services
  • Secure websites
  • Secure portable media
  • Point of sale and financial systems (new)
  • Computer security log management (new)

 

Deadline

January 1, 2023


Questions?

Please contact Abdel Kassou, Manager, Compliance and Assessment Services, at abdel.kassou@scc-ccn.ca or +1 613 238 3222 for more information.