Canadian Cyber Security Controls

ITSG-33 & the CCCS Baseline Cyber Security Controls — A Guide for Canadian SMBs

What ITSG-33 and the Canadian Centre for Cyber Security (CCCS) baseline controls actually are, who must comply, how they map to a small business, and a practical checklist for implementing them — written for Canadian organizations, not federal compliance specialists.

Updated June 2026 · Vendor-neutral guidance for Canadian SMBs · On-site control implementation by IT Cares

The CCCS baseline controls translate the full ITSG-33 catalogue into a manageable set of actions a Canadian small business can actually implement.
QUICK ANSWER

ITSG-33 is the Canadian Centre for Cyber Security's master catalogue of security controls and risk-management process — Canada's equivalent of NIST SP 800-53. Because the full catalogue is too large for a small business, the Cyber Centre also publishes the Baseline Cyber Security Controls for Small and Medium Organizations, a trimmed subset of the highest-value controls. Most Canadian SMBs only encounter these requirements through a contract — bidding on Government of Canada work, or answering a customer's vendor-security questionnaire. A typical 15-to-75-person business can reach substantial alignment in three to six months by closing a short list of well-known gaps: MFA, patching, tested backups, administrative-privilege control, and basic incident response.

This guide is maintained by TechCare Canada, an independent, vendor-neutral Canadian IT advisory. For hands-on implementation see our managed IT services guide, or for the broader picture start at the small business cybersecurity hub.

What Is ITSG-33?

ITSG-33 is the short name for IT Security Risk Management: A Lifecycle Approach, a publication of the Canadian Centre for Cyber Security (CCCS) — the operational arm of the Communications Security Establishment (CSE) and Canada's national authority on cyber security. At its heart, ITSG-33 does two things. First, it defines a structured risk-management process for the full lifecycle of an IT system: assess the sensitivity of the information, select a set of controls, implement them, assess whether they work, authorize the system for operation, and then monitor it continuously. Second, it provides a large catalogue of security controls — technical, operational, and management safeguards — organized into families such as access control, audit and accountability, configuration management, contingency planning, incident response, and system and communications protection.

If that structure sounds familiar, it should: ITSG-33 is deliberately aligned with the United States' NIST Special Publication 800-53. The control families, the naming conventions, and the catalogue-plus-profile model are all closely mapped, so an organization that already works with NIST will find ITSG-33 navigable. The reason the alignment exists is practical — Canada and its allies share threat intelligence and supply chains, and a common control vocabulary makes that cooperation far easier.

ITSG-33 was written first and foremost for Government of Canada departments. A federal system that handles PROTECTED or CLASSIFIED information is expected to be built and operated against an ITSG-33 control profile. That origin matters for small businesses in one specific way: ITSG-33 itself is enterprise-scale. The full catalogue contains hundreds of controls, many of which assume a dedicated security team, formal authorization boards, and resources a 30-person company simply does not have. Reading the raw catalogue and trying to apply every control to a small business is a common and expensive mistake. The Cyber Centre knows this, which is exactly why it created a smaller, SMB-focused companion — the baseline controls — covered in the next section.

ITSG-33 vs. the CCCS Baseline Controls — Know Which One You Need

The single most useful distinction in this whole topic is the difference between the full ITSG-33 catalogue and the Baseline Cyber Security Controls for Small and Medium Organizations. They are produced by the same agency, they share the same philosophy, and they are frequently confused — but they are aimed at completely different audiences.

The full ITSG-33 catalogue is the comprehensive, enterprise-grade reference. It is built so that a security practitioner can select a profile appropriate to a system's sensitivity and assemble dozens or hundreds of specific controls with assurance requirements attached. It is the right tool when a contract explicitly names an ITSG-33 profile, or when you operate a federal system. It is the wrong tool as a starting point for a small business with no security staff.

The CCCS baseline controls are the Cyber Centre's answer to the question every SMB owner asks: "I can't do all of that — what is the minimum that actually matters?" The baseline document deliberately prioritizes a condensed set of controls aimed at organizations with fewer than 500 employees. It assumes you have limited budget, no dedicated security team, and a need to protect your business against the most common threats rather than against a nation-state actor. The baseline is risk-based and outcome-focused: it tells you what to achieve, not how to fill out a federal authorization package. For the overwhelming majority of Canadian SMBs, the baseline — reinforced by the Cyber Centre's Top 10 IT security actions — is the correct framework to adopt.

ITSG-33 full catalogue vs. CCCS baseline controls — choosing the right reference for your organization. (TechCare Canada summary of CCCS publications.)
| Factor | Full ITSG-33 catalogue | CCCS baseline controls |
|---|---|---|
| Intended audience | Federal departments & large suppliers | Organizations under ~500 employees |
| Number of controls | Hundreds (catalogue + profiles) | A focused, prioritized subset |
| Aligned with | NIST SP 800-53 | CIS Controls v8 (IG1-like) |
| Approach | Profile selection + formal assurance | Risk-based, outcome-focused |
| Typical trigger | Federal system or named contract profile | Due care, insurer, or customer questionnaire |
| Where an SMB starts | Only if a contract demands it | Almost always start here |

A useful mental model: the baseline is the on-ramp, ITSG-33 is the full highway system. You build to the baseline first. If and when a contract requires a specific ITSG-33 profile, you extend from a baseline you have already established — which is far cheaper than starting cold.

The Cyber Centre's "ITSAP" Series and the Top 10 Security Actions

Alongside the dense technical publications, the Cyber Centre produces a plain-language series known as ITSAP — short for IT Security Awareness and Practices. These are the short, accessible "how to" sheets you will actually hand to a non-technical owner or office manager. They cover topics like securing remote work, choosing strong passphrases, recognizing phishing, backing up your data, and protecting against ransomware. If ITSG-33 is the reference manual, the ITSAP sheets are the quick-start cards.

The most important single piece of Cyber Centre guidance for an SMB is the Top 10 IT security actions (publication ITSM.10.189). These ten actions are not arbitrary — CSE's own data shows that implementing them blocks the large majority of the threats Canadian organizations actually face. They are the highest return-on-effort controls in the entire baseline, and every Canadian business should be able to answer "yes, we do that" to each one.

  1. Consolidate, monitor, and defend internet gateways. Reduce the number of points where your network touches the internet, and put monitoring on the ones that remain — firewall, DNS filtering, and logging at the perimeter.
  2. Patch operating systems and applications. Apply security updates promptly. Unpatched software is the most common way SMBs get breached; a defined patch SLA for critical updates closes that door.
  3. Enforce the management of administrative privileges. Separate everyday accounts from admin accounts, grant admin rights only when needed, and review who holds them. Compromised admin access turns a small incident into a full takeover.
  4. Harden operating systems and applications. Turn off unused services, ports, and default accounts. Apply secure configuration baselines rather than shipping defaults.
  5. Segment and separate information. Keep guest Wi-Fi, servers, and sensitive data on separate network zones so a compromise in one area cannot spread freely to others.
  6. Provide tailored security awareness training. Teach staff to recognize phishing — including the CRA and Interac-themed lures common in Canada — and to report suspicious activity.
  7. Protect information at the enterprise level. Classify your data, control who can access it, and back it up. Maintain tested, isolated backups that ransomware cannot reach.
  8. Apply protection at the host level. Deploy endpoint protection / EDR on every device, including laptops that leave the office.
  9. Isolate web-facing applications. Anything reachable from the internet — a portal, a remote-access tool, a public web app — should be isolated so a compromise there does not expose the internal network.
  10. Implement application allow lists. Where feasible, allow only approved software to run, which dramatically reduces the impact of malware.

If your organization does nothing else this year, work through these ten in order. They map directly onto the baseline controls and onto the gating requirements Canadian cyber-insurers now impose, so the effort pays off in more than one column. Our network security best practices guide and endpoint protection guide go deeper on the technical implementation of several of these actions.

The Baseline Control Families — What They Actually Ask For

The baseline organizes its requirements into themes that mirror the ITSG-33 control families but in plain language. Understanding what each family is trying to achieve — rather than memorizing control numbers — is how a small business gets value from the framework. Below is a practical walkthrough of the families that matter most for SMBs, with the outcome each one is driving toward.

Governance and organizational security. Someone must own security. The baseline expects you to name a responsible person (it does not need to be a full-time role), maintain a short set of security policies, and understand which information you hold and how sensitive it is. This is the foundation — without an accountable owner, every other control drifts.

Access control and authentication. The single highest-impact family. Enforce multi-factor authentication (MFA) on email, remote access, and administrative accounts. Use unique accounts per person, strong passphrases, and the principle of least privilege. Remove access promptly when someone leaves. See our MFA deployment guide for the rollout detail.

Configuration and patch management. Keep an inventory of devices and software, apply secure configurations, and patch on a defined schedule. You cannot protect what you do not know you have, and you cannot patch what you have not inventoried.

Malware and endpoint defence. Endpoint protection or EDR on every device, email filtering at the gateway, and DNS or web filtering to block known-malicious destinations. Layered host-and-network defence is the expectation, not a single antivirus product.

Backup and recovery. Maintain backups that are tested, versioned, and isolated from the production network so ransomware cannot encrypt them. A backup you have never restored from is a hypothesis, not a control. Our backup and disaster recovery guide covers the 3-2-1 model and recovery testing.

Incident response. A short, written plan that names who does what when something goes wrong — who isolates the affected system, who calls the insurer and legal counsel, who notifies the Office of the Privacy Commissioner or the Quebec CAI if personal information is involved, and how you reach the Cyber Centre. The first time you read your plan should not be during a live incident.

Security awareness. Recurring, practical training — not a one-time slideshow. Phishing simulations, reporting channels, and clear guidance on handling sensitive data and using personal devices.

Mapping the Baseline to a Real Canadian Small Business

Frameworks feel abstract until you map them onto a real environment. Consider a 40-person Canadian firm running Microsoft 365, a couple of on-premises servers, a line-of-business application, and a hybrid workforce. Here is how the baseline control families translate into concrete, costed actions for that organization — and how the typical SMB usually scores before any work begins.

Baseline control families mapped to concrete actions for a 40-person Canadian SMB. (TechCare Canada analysis.)
| Control family | Concrete SMB action | Typical starting state |
|---|---|---|
| Governance | Name a security owner; write 3–5 core policies | No owner, no policies |
| Access control | MFA on M365, VPN & admin; least privilege | MFA partial or off |
| Configuration | Device inventory; patch SLA; M365 Secure Score | Ad-hoc patching |
| Endpoint defence | EDR on all devices; email + DNS filtering | Basic antivirus only |
| Backup & recovery | 3-2-1 backups, isolated, restore-tested quarterly | Untested / single copy |
| Incident response | Written IR plan + contact list + 1 tabletop/yr | No plan |
| Awareness | Quarterly training + phishing simulation | None / annual only |

The pattern is consistent across hundreds of SMB assessments: the controls that matter most are also the cheapest. MFA, a patch schedule, an isolated tested backup, separated admin accounts, and a one-page incident-response plan together cost very little and address the threats responsible for the great majority of real-world Canadian breaches. The expensive, advanced controls in the full ITSG-33 catalogue add marginal protection for an SMB until these basics are solid.

Who Must Comply — Government Contractors, Suppliers, and Everyone Else

This is the question that brings most businesses to this page: "Do I actually have to do this?" The honest answer is nuanced, because ITSG-33 and the baseline controls are not, by themselves, a law that applies to private companies. They become binding through three main channels.

1. Federal government contracts. This is the most direct path. If you bid on or hold a Government of Canada contract that involves sensitive or PROTECTED information, the contract will carry security requirements — typically administered through Public Services and Procurement Canada (PSPC) and the Contract Security Program (CSP), which governs organization and personnel screening. The technical security requirements those contracts reference are derived from ITSG-33. In practice this can mean anything from "demonstrate the baseline controls" for lower-sensitivity work to "implement a named PROTECTED B control profile and submit it for assessment" for sensitive systems. If you want federal work, ITSG-33-aligned controls are the price of entry, and the specific profile is set by the contract.

2. Supply-chain flow-down. Even if you never contract with the federal government directly, you may be a subcontractor to a company that does — or a supplier to a regulated enterprise. Prime contractors increasingly flow their security obligations down to suppliers. If a larger partner's contract requires ITSG-33-aligned controls, your slice of that work inherits the requirement. The same dynamic appears in the private sector through vendor-security questionnaires: banks, insurers, healthcare networks, and large enterprises now ask suppliers to attest to controls that map directly onto the CCCS baseline before they will share data.

3. Due care, insurance, and privacy law. For every other Canadian business, the baseline is not mandatory — but it is the recognized national standard of reasonable care. PIPEDA requires "security safeguards appropriate to the sensitivity of the information," and Quebec's Law 25 expects documented technical measures; neither statute names ITSG-33, but a regulator assessing whether your safeguards were reasonable will measure you against exactly the kind of controls the baseline describes. Cyber-insurers, similarly, gate coverage on MFA, tested backups, EDR, and an incident-response plan — the baseline by another name. Meeting the baseline is therefore the most defensible position available, whether or not a contract forces it. For the regulatory detail, see our Law 25 compliance guide and Canadian compliance frameworks overview.

The summary: if you sell to government, you almost certainly must comply, to a level the contract specifies. If you sell to large or regulated organizations, you will likely be asked to comply. And if you do neither, the baseline is still the smartest standard to adopt voluntarily, because it is what regulators and insurers will hold you to after an incident.

How to Implement the Baseline Controls — A Phased Plan

You do not implement a security framework all at once; you sequence it by impact. Below is the phased plan a competent Canadian advisor would run for a 15-to-75-person SMB targeting baseline alignment, with rough timing and the controls each phase addresses.

  1. Assess and inventory (weeks 1–4). Document what you have: devices, software, cloud services, data types, and who can access them. Run a Microsoft 365 Secure Score review and a baseline gap analysis against the Top 10 actions. You cannot plan remediation without an honest current-state picture, and the inventory itself is a baseline requirement.
  2. Quick-win technical controls (weeks 3–10). Enforce MFA on email, remote access, and admin accounts. Separate admin from daily-use accounts. Establish a patch schedule with an SLA for critical updates. Deploy EDR to every endpoint. Configure email authentication (SPF, DKIM, DMARC) and DNS filtering. Isolate and test your backups. These actions close the gaps behind most breaches and most insurer denials.
  3. Network and configuration hardening (weeks 8–16). Segment the network — guest Wi-Fi, servers, and sensitive data on separate zones. Apply secure configuration baselines and disable legacy authentication in Microsoft 365 or Entra ID. Isolate any internet-facing application or remote-access tool. Implement conditional access policies.
  4. Documentation and governance (weeks 10–20). Name your security owner. Write the core policies — acceptable use, access control, incident response, and a data classification register. Draft the privacy documentation PIPEDA and Law 25 expect. This is the paperwork that turns a set of technical controls into a defensible program, and it is what contracts and questionnaires actually ask you to produce.
  5. People and rehearsal (weeks 14–24). Roll out recurring security-awareness training and a phishing simulation. Run a tabletop exercise against your incident-response plan so the team has rehearsed a real scenario before it happens. Establish how you would reach the Cyber Centre, your insurer, and legal counsel.
  6. Monitor and sustain (ongoing). Baseline alignment is not a one-time event. Review the controls quarterly, keep the inventory and patch status current, re-test backups, and re-run the gap analysis annually — both because threats change and because contracts and insurers will ask you to demonstrate that the program is live, not historical.
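
The email-authentication step in phase 2 (SPF, DKIM, DMARC) is one of the few baseline actions whose state can be checked mechanically, and it is also a common insurer and questionnaire item. The script below is an added example, not code from this guide or from the Cyber Centre: it evaluates SPF and DMARC TXT records for the weak settings a gap check should flag (a permissive or missing SPF `all` term, too many SPF lookups, a DMARC policy of `p=none`, partial `pct`, no reporting address). The domain names and records are constructed sample values, so it runs offline; in practice you would feed it the TXT records you retrieve for your own domain.

```python
"""Check SPF and DMARC records for the weak settings a baseline gap check should flag.
Offline: every record below is a constructed sample value, not a live DNS answer."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 (limit: 10 per evaluation).
_LOOKUP_TERMS = {"a", "mx", "include", "exists", "redirect", "ptr"}

@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str

def check_spf(txt: Optional[str]) -> List[Finding]:
    """Flag a missing record, a permissive 'all' qualifier, or too many DNS lookups."""
    if txt is None:
        return [Finding("SPF", "high", "no SPF record; spoofed mail is not rejected by SPF")]
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1")]
    findings: List[Finding] = []
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "medium", "no 'all' term; unlisted senders get a neutral result"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("SPF", "high", "'+all' authorises every sender on the internet"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "medium", "'?all' is neutral; receivers will not reject spoofed mail"))
        elif qualifier == "~":
            findings.append(Finding("SPF", "low", "'~all' softfails; move to '-all' once DMARC is enforced"))
    lookups = sum(re.split(r"[:/=]", t.lower().lstrip("+-~?"), 1)[0] in _LOOKUP_TERMS for t in terms)
    if lookups > 10:
        findings.append(Finding("SPF", "medium", f"{lookups} DNS lookups exceed the RFC 7208 limit of 10"))
    return findings

def check_dmarc(txt: Optional[str]) -> List[Finding]:
    """Flag a missing record, a monitor-only policy, partial enforcement, or no reporting."""
    if txt is None:
        return [Finding("DMARC", "high", "no DMARC record; no policy applies to spoofed mail")]
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "high", "record does not start with v=DMARC1")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; set p=quarantine or p=reject"))
    elif policy not in ("quarantine", "reject"):
        findings.append(Finding("DMARC", "high", f"missing or invalid p tag: {policy!r}"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "low", "no rua= address; aggregate reports are not collected"))
    return findings

def assess_domain(spf: Optional[str], dmarc: Optional[str]) -> dict:
    """Run both checks; 'status' is the worst severity found, or 'pass' when there are no findings."""
    findings = check_spf(spf) + check_dmarc(dmarc)
    status = next((s for s in ("high", "medium", "low") if any(f.severity == s for f in findings)), "pass")
    return {"status": status, "findings": findings}

# Constructed sample records for hypothetical domains: a typical starting state and a hardened one.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com include:_spf.oldprovider.example +all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "hardened.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = assess_domain(**records)
        print(domain, result["status"], [f"{f.record}: {f.message}" for f in result["findings"]])
```

DKIM is not covered here because its check depends on the selector names your mail provider publishes; verify those separately in your provider's admin console.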

Most SMBs reach substantial baseline alignment within three to six months on this plan. Organizations that already follow CIS Controls v8 Implementation Group 1 or NIST CSF 2.0 typically move faster, because the underlying controls overlap heavily and the work is mostly adding Canadian-specific documentation. Organizations chasing a specific ITSG-33 profile for a federal contract should extend phases 3 and 4 to meet the named profile and assurance requirements, which the contract will define.

Where ITSG-33 and the Baseline Fit Among Other Frameworks

A frequent source of paralysis for Canadian SMBs is the sheer number of frameworks: ITSG-33, the CCCS baseline, NIST CSF, NIST 800-53, CIS Controls, ISO/IEC 27001, SOC 2. The good news is that they are far more alike than different — they are all describing the same set of sensible security outcomes from different angles and for different audiences.

The practical takeaway: you do not need to choose one framework and reject the others. Build to the CCCS baseline (which is CIS IG1-like), document it under the NIST CSF 2.0 functions, and you will have satisfied the substance of nearly every Canadian SMB requirement. Extend toward a full ITSG-33 profile or an ISO 27001 certificate only when a specific contract asks for it. Our Canadian compliance frameworks guide lays out the crosswalk in full.

CCCS Baseline Controls Checklist for Canadian SMBs

Use this checklist as a quick self-assessment. If you can honestly tick every box, you are substantially aligned with the CCCS baseline and the Cyber Centre's Top 10 actions — and well positioned for an insurer questionnaire or a supplier-security review. Items you cannot tick are your remediation roadmap.

For hands-on help closing the gaps this checklist surfaces — MFA rollout, EDR deployment, backup isolation, and incident-response documentation — Canadian businesses can engage IT Cares for on-site implementation of CCCS baseline security controls across Canada, pairing the framework with the technical execution to actually meet it.

Common Mistakes Canadian SMBs Make with ITSG-33

Because ITSG-33 originates in the federal world, small businesses approaching it tend to make a predictable set of errors. Avoiding them saves months of wasted effort.

Starting from the full catalogue instead of the baseline. Downloading the complete ITSG-33 control catalogue and trying to apply every control to a 30-person company is the classic mistake. The baseline exists precisely so you do not have to. Start there; reach for the full catalogue only when a contract names a profile.

Treating it as a documentation exercise. Writing policies that describe controls you have not actually implemented produces a binder that fails the moment a real incident or a real auditor tests it. Implement the technical control first; document what is true.

Assuming it does not apply because you are not a government department. Supply-chain flow-down, insurer questionnaires, and the "reasonable safeguards" test under PIPEDA and Law 25 all pull private SMBs into the same control expectations. "We're too small to matter" is exactly the assumption attackers and regulators both punish.

Over-buying tools before fixing configuration. Many SMBs respond to a gap analysis by purchasing more security products. But most baseline gaps — MFA off, admin accounts shared, backups untested, legacy authentication enabled — are configuration problems in tools you already own, especially Microsoft 365. Fix configuration before you buy.

Letting alignment go stale. A baseline you met two years ago and never revisited is not a current program. Contracts, insurers, and regulators all ask you to demonstrate the controls are live. Build the annual review in from the start.

Frequently Asked Questions

What is ITSG-33?

ITSG-33, IT Security Risk Management: A Lifecycle Approach, is the Canadian Centre for Cyber Security's catalogue of security controls and the risk-management process that wraps around them. It is the Government of Canada's equivalent of the U.S. NIST SP 800-53 control catalogue and is the foundation for the security control profiles used across federal departments and their suppliers. It defines control families — access control, configuration management, incident response, and so on — and a lifecycle process for selecting, implementing, assessing, and monitoring those controls.

What is the difference between ITSG-33 and the CCCS baseline controls?

ITSG-33 is the full, enterprise-grade control catalogue used mainly by federal departments and large suppliers. The CCCS Baseline Cyber Security Controls for Small and Medium Organizations is a deliberately trimmed subset — the highest-value controls — written for organizations with fewer than 500 employees that cannot implement the full catalogue. The baseline is risk-based and outcome-focused. SMBs should start with the baseline and the Cyber Centre's Top 10 actions, and only reach for the full ITSG-33 catalogue when a contract names a specific profile.

Who has to comply with ITSG-33?

Federal government departments must apply ITSG-33 control profiles to their systems. Private companies are pulled in through contracts: if you bid on or hold a Government of Canada contract that touches protected information, or you are a supplier inside a federal supply chain, the contract security requirements — often administered through PSPC and the Contract Security Program — reference ITSG-33-derived controls. Most SMBs encounter ITSG-33 as a contractual requirement, not a law, and the specific control profile is set by the contract.

What are the Top 10 ITSAP security actions?

The Cyber Centre's Top 10 IT security actions (ITSM.10.189) are: consolidate, monitor and defend internet gateways; patch operating systems and applications; enforce management of administrative privileges; harden operating systems and applications; segment and separate information; provide tailored security awareness training; protect information at the enterprise level; apply protection at the host level; isolate web-facing applications; and implement application allow lists. They are the highest-impact starting point for any Canadian organization and map directly onto the baseline controls.

Are the CCCS baseline controls mandatory for private business?

Not as a standalone law. They become mandatory when written into a contract (federal supplier requirements or supply-chain flow-down), an insurance policy, or a customer's vendor-security questionnaire. Even where not contractually required, the baseline represents the recognized Canadian standard of due care, so meeting it strengthens your position under PIPEDA's "appropriate safeguards" test and Quebec Law 25, and is the smartest standard for any Canadian SMB to adopt voluntarily.

How long does it take an SMB to implement the CCCS baseline controls?

A typical 15-to-75-person Canadian SMB can reach substantial alignment in three to six months: about one month to assess and document the current state, two to three months to close quick-win technical gaps such as MFA, patching, EDR and isolated tested backups, and the remainder to formalize policies, training and incident response. Organizations already aligned to CIS Controls v8 IG1 or NIST CSF 2.0 move faster. Full ITSG-33 profile alignment for a federal contract takes longer and is scoped by the contract's assurance requirements.

Do I need ITSG-33 if I already follow NIST CSF or CIS Controls?

They overlap heavily. ITSG-33 maps closely to NIST SP 800-53, and the CCCS baseline maps closely to CIS Controls v8 Implementation Group 1. If you already follow CIS IG1 or NIST CSF 2.0, you have done most of the technical work; you mainly need to add the Canadian-specific documentation and any control profile a federal contract specifically names. There is no need to discard your existing framework — the crosswalk between them is well established.

What is a security control profile?

A security control profile is a pre-selected set of controls from the ITSG-33 catalogue chosen to protect a system at a given sensitivity level — for example PROTECTED B with medium integrity and medium availability. The Cyber Centre publishes recommended profiles so departments and suppliers do not have to select hundreds of controls from scratch. When a federal contract specifies a profile, it is telling you which pre-defined bundle of controls your system must implement and have assessed.
