Foreword
The Security and privacy controls and assurance activities catalogue is an unclassified publication issued under the authority of the Head, Canadian Centre for Cyber Security (Cyber Centre).
This publication supersedes IT security risk management: A lifecycle approach (ITSG-33) Annex 3A – Security control catalogue.
For more information or to suggest amendments, email or phone our Contact Centre:
- by email: contact@cyber.gc.ca
- by telephone, toll free: 1-833-CYBER-88 (1-833-292-3788)
Effective date
This publication takes effect on March 31, 2026.
Revision history
- First release: March 31, 2026
Overview
To ensure a common baseline approach to risk management with the United States (US), the controls and assurance activities described in this publication align with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations. This enables us to adopt standards such as the US Committee on National Security Systems (CNSS) overlays on Canadian national security systems. This publication is an adapted version of NIST SP 800-53, reflecting Canada's unique business and legislative requirements. Sections 1 and 2 highlight the main differences between the two publications.
This publication is part of a series of guidelines published by the Cyber Centre, under “Cyber security and privacy risk management: A lifecycle approach.” It contains definitions of assurance activities and controls for systems and organizations that practitioners can use as a foundation for selecting, tailoring and allocating controls and assurance activities to manage cyber security and privacy risks. Implementing a comprehensive set of security and privacy controls and assurance activities can help organizations carry out their business activities.
This publication has been created as a tool to assist security and privacy practitioners in their efforts to protect systems in compliance with applicable legislation, policies, directives and standards.
Organizational cyber security and privacy risk management activities (ITSP.10.036) and System lifecycle cyber security and privacy risk management activities (ITSP.10.037) provide guidance on how to use this catalogue to adequately select, tailor and implement controls and assurance activities at the organizational and system level, respectively.
Revision changes
The following items describe the main changes in the Cyber security and privacy risk management: A lifecycle approach series:
- Addition of privacy elements: due to permutations in the relationship between cyber security and privacy program objectives and risk management, there is a need for close collaboration between those programs
- Scope of the audience: now addressing critical infrastructures in addition to Government of Canada (GC)
Specifically, in ITSP.10.033, changes are as follows:
- Alignment with NIST SP 800-53 Rev. 5 (formerly Rev. 4)
- Addition of privacy and privacy-related controls and assurance activities
- Addition of new families:
- PM: Program Management
- PT: Personal Information and Transparency
- SR: Supply Chain Risk Management
- If applicable, the discussion section is divided into a general discussion and a GC discussion. GC discussion is specifically directed to a GC audience as it addresses requirements derived from laws, policies, directives, and standards that GC departments and agencies need to comply with
- All Canadian-specific security and privacy controls, activities or enhancements that previously started at 100 now start at 400 (e.g., SA-400, IA-04(400)). This change was made to avoid collision with NIST enhancements as some of them were getting close to 100
- We refer to assurance-related “controls” as activities, rather than controls
Acknowledgements
The Cyber Centre wishes to acknowledge and thank Dr. Ron Ross and Victoria Pillitteri from the Computer Security Division at NIST for allowing the Cyber Security Guidance (CSG) team to use the NIST SP 800-53 Rev. 5 control catalogue and modify it to the Canadian context.
We also want to acknowledge the continuous support provided by the Security Management and Governance Privacy Assessment (SMGPA) team at Shared Services Canada, especially for their significant contributions on the privacy aspects which have been instrumental in the completion of this project.
Furthermore, we would like to thank those who contributed to this project in various capacities: Treasury Board of Canada Secretariat and various Cyber Centre teams.
Introduction
A security control, also known as a safeguard, is a legal, administrative, operational or technical element of a system. It protects the confidentiality, integrity or availability of a business activity or asset and the information it relies on, in order to satisfy security requirements and mitigate cyber security risk. A privacy control is a legal, administrative, operational or technical element of a system implemented at the organizational or system level to mitigate privacy risks and to ensure compliance with applicable privacy requirements.
An assurance activity [Footnote 1] is a collection of tasks that increases the confidence that a security or privacy control is appropriately designed and implemented and is operating as intended. Assurance activities include tasks that aim to ensure that all security and privacy controls in a system’s design, implementation and operations are able to satisfy the business needs for security.
Security and privacy activities and controls are selected to satisfy security and privacy requirements levied on a system or organization. Security and privacy requirements are derived from applicable laws, Orders in Council, directives, regulations, policies, standards and business needs to ensure the confidentiality, integrity and availability of information handled, stored or transmitted, and to manage risks to individual privacy.
The selection, allocation, design and implementation of security and privacy activities and controls are important tasks that have significant implications for the operations and assets of organizations, as well as for the welfare of individuals and of Canada. Organizations should answer the following key questions when addressing information security and privacy activities and controls:
- What security and privacy activities and controls are needed to satisfy security and privacy requirements and to adequately manage mission or business risks or risks to individuals?
- Have the selected activities and controls been implemented or is there a plan in place to do so?
- What is the required level of assurance (i.e., grounds for confidence) that the selected controls, as designed and implemented, are effective? [Footnote 2]
The cyber security and privacy risk management activities described in Organizational cyber security and privacy risk management activities (ITSP.10.036) provide the context to adequately answer the above questions.
The Cyber Centre recommends that organizations use the security and privacy controls and assurance activities in this publication to satisfy their cyber security and privacy requirements. The activities and controls catalogue can be viewed as a toolbox containing a collection of safeguards, countermeasures, techniques and processes to respond to security and privacy risks. The activities and controls are employed as part of a well-defined risk management process that supports organizational cyber security and privacy programs. In turn, those cyber security and privacy programs lay the foundation for the success of the mission and business functions of the organization.
It is important that responsible officials or executives understand the cyber security and privacy risks that could adversely affect organizational operations and assets, individuals, other organizations and Canada. They must also understand the current status of their cyber security and privacy programs, and the activities and controls planned or in place to protect information, information systems and organizations, so that they can make informed judgments and investments that respond to identified risks in an acceptable manner. The objective is to manage these risks by selecting and implementing security and privacy assurance activities and controls.
Purpose
This publication is part of a series of guidelines published by the Canadian Centre for Cyber Security (the Cyber Centre), under “Cyber security and privacy risk management: A lifecycle approach.” It contains definitions of assurance activities and controls for systems and organizations that practitioners can use as a foundation for selecting, tailoring and allocating activities and controls to manage cyber security and privacy risks. Implementing a comprehensive set of security and privacy activities and controls can help organizations carry out their business activities.
The security and privacy activities and controls catalogue:
- supports organizations in identifying the activities and controls needed to manage cyber security and privacy risks, and to satisfy their cyber security and privacy requirements
- provides a set of security and privacy activities and controls to meet current organizational protection needs, while also adapting to evolving technical and business requirements and threat actor tradecraft
- facilitates a consistent and repeatable approach for specifying and tailoring assurance activities and controls
- creates a foundation for developing assessment methods and procedures to determine the effectiveness of security and privacy controls
- provides a series of assurance activities used to specify security assurance levels (SALs) in System lifecycle cyber security and privacy risk management activities (ITSP.10.037)
- improves communication among organizations and stakeholders by providing a common lexicon that supports discussion of cyber security and privacy risk management
In the GC context, this catalogue enables appropriate officials and executives to protect GC information systems and manage cyber security and privacy risks. This publication, along with others in the series, facilitates compliance with GC legislation and Treasury Board of Canada Secretariat (TBS) policies, directives and standards related to the protection of information systems and personal information.
Scope and applicability
The Security and privacy controls and assurance activities catalogue (ITSP.10.033) can assist cyber security and privacy practitioners during the definition and implementation of organizational cyber security and privacy functions, and during the information system implementation process when selecting security controls for specific information systems. The catalogue can also serve as the basis for developing organizational and domain-specific security and privacy activities and controls profiles.
The activities and controls are independent of the process employed to select those controls and assurance activities. The selection process can be part of an organizational risk management process, a systems engineering process or any other suitable framework addressing cyber security and privacy risk. Organizational cyber security and privacy risk management activities (ITSP.10.036) and System lifecycle cyber security and privacy risk management activities (ITSP.10.037) are recommended processes to adequately select, tailor and implement controls and assurance activities at the organizational and system level, respectively.
In the GC context, this publication provides security and privacy controls and assurance activities that are suitable for departments and agencies engaged in business activities ranging from very low to very high sensitivity and criticality, in Unclassified, Protected and Classified domains.
Audience
This publication is intended to serve a diverse audience, including:
- individuals with system-development responsibilities, including mission or business owners, program managers, system engineers, system security engineers, privacy practitioners, hardware and software developers, system integrators and acquisition or procurement officials or executives
- individuals with logistical or disposition-related responsibilities, including program managers, procurement officials or executives, system integrators and property managers
- individuals with security and privacy implementation and operations responsibilities, including mission or business owners, system owners, information custodians, system administrators, continuity planners and system security or privacy officers
- individuals with security and privacy assessment and monitoring responsibilities, including auditors, system evaluators, control assessors, independent verifiers and validators, and analysts
- commercial entities, including industry partners, that produce component products and systems, create security and privacy technologies, or provide services or capabilities that support cyber security or privacy
In the GC, this publication is intended for the audience above, as well as for individuals who support departmental cyber security and privacy risk management activities, such as:
- individuals with system, information security, privacy, or risk management and oversight responsibilities, including authorizing officials, chief information officers (CIOs), chief security officers (CSOs), senior officials in the department’s security governance, designated officials for cyber security and appropriate privacy officials or executives
- individuals who participate in the definition, design, development, installation and operation of information systems; more specifically, authorizers, project managers, cyber security architects, cyber security engineers, cyber security assessors and members of cyber security operations groups
Publication taxonomy
This publication is part of a series of guidelines, under “Cyber security and privacy risk management: A lifecycle approach.” The documents in the series are as follows:
- Overview, Cyber security and privacy risk management: A lifecycle approach (ITSP.10.035)
- Organizational cyber security and privacy risk management activities (ITSP.10.036)
- System lifecycle cyber security and privacy risk management activities (ITSP.10.037)
- Security and privacy controls and assurance activities catalogue (ITSP.10.033)
- Suggested organizational security and privacy control and activity profile – Medium impact (ITSP.10.033-01)
- Assessment of security and privacy controls and assurance activities (ITSP.10.033-02)
Publication organization
The remainder of this publication is organized as follows:
- Section 2 Concepts and structure addresses the fundamental concepts associated with controls and assurance activities, including the structure of activities and controls, how they are organized in the catalogue, implementation approaches, the relationship between controls and activities and robustness
- Section 3 The controls and assurance families provides a catalogue of assurance activities and controls, including a discussion section to explain the purpose of each assurance activity and control and to provide useful information regarding implementation and assessment. Where applicable, the discussion is divided into a general discussion and a GC discussion. GC discussion is specifically directed at a GC audience as it addresses requirements derived from laws, policies, directives and standards that departments and agencies need to comply with. A list of related activities and controls is provided to show the relationships and dependencies among them, and the section also contains a list of references to supporting publications that may be helpful to organizations