Cyber Assessment and Certification for SME’s

Backgrounder

Overview

As part of a renewed Cyber Security framework, ISED and partners will establish a voluntary, recognizable certification intended to enable small and medium-sized businesses (SME) to demonstrate to customers, both businesses and consumers, that they meet a baseline set of security practices. A standardized certification will help participants position their cybersecurity practices for competitive advantage and to promote broader trust in the digital economy.

Internationally, similar initiatives are being implemented in the United Kingdom, Australia, and New Zealand.

Consultations with industry, SMEs, and potential certification bodies will help design a program that meets their needs, and ensure that accessibility and ease of use remain paramount features of its design.

Currently, SMEs in Canada are not adequately protected against cybersecurity threats. Approximately 71% of data breaches in Canada involve an SME, which make up 98% of all Canadian businesses.

Failure to provide adequate security can lead to profound economic consequences including: monetary losses; theft of valuable intellectual property; leaked consumer data; and it can put companies out of business.

Roles

Innovation, Science and Economic Development (ISED) is responsible for program implementation, oversight and evaluation. This includes designing the documentation and framework for certification, establishing and managing the certification brand, encouraging the participation of SMEs across all sectors, and creating/maintaining a database to track SME participation.

The Communications Security Establishment (CSE) is the technical authority for the program. CSE will define a basic set of measures designed to protect SMEs against the most common and prevalent cyber threats, with minimal burden on the SME.

Standards Council of Canada is the single accreditation body. It is responsible for accrediting Certification Bodies.

Certification Bodies will be specifically accredited to evaluate SMEs against the standard.

Once the SME meets all elements of the standard, it would be certified as compliant. As planned, the certification would be valid for a defined period and ISED would retain a database of valid certifications.

CSE will design a standard which draws from the best international practices, and which meets the needs of Canadian SMEs. The involvement of CSE in tailoring this national program to the threat environment of Canadian SMEs is a distinguishing feature over ‘off-the-shelf’ standards.

Ce document d’information est aussi disponible en français.

Page details

Date modified: