CPCSC Certification Framework Enters Mandatory Phase — Federal Contractors Face Compliance Deadline
The Canadian Program for Cyber Security Certification (CPCSC) has officially entered its mandatory compliance phase, requiring all federal defence contractors to achieve certification against designated control baselines before contract award. The deadline for Level 1 self-assessment is now tied to active procurement cycles beginning Q2 2026.
CPCSC draws heavily from NIST SP 800-171 and aligns with the U.S. CMMC framework, but includes Canada-specific requirements around PIPEDA obligations, data residency, and bilingual documentation. Level 1 covers 15 foundational practices (comparable to CMMC Level 1), while Level 2 requires a third-party assessment against 110 security controls covering access management, incident response, audit logging, and media protection.
For organizations in the Canadian defence industrial base, the practical impact is immediate: contracts issued through Public Services and Procurement Canada (PSPC) will include CPCSC compliance as a mandatory evaluation criterion. Companies without certification — or a documented plan to achieve it — will be ineligible to bid.
The readiness gap is significant. A recent ISED survey found that fewer than 30% of eligible contractors have completed even a preliminary gap assessment. Organizations should be conducting control mapping against CPCSC requirements now, with particular attention to evidence documentation that auditors will verify during third-party assessments.
Source: ISED Canada
CyberSecure Canada Program Reports 40% Increase in Certified SMEs — Procurement Language Driving Adoption
Innovation, Science and Economic Development Canada (ISED) reported a 40% year-over-year increase in small and medium enterprises achieving CyberSecure Canada certification. The program, based on 13 baseline security controls, is increasingly being referenced as a mandatory or preferred qualification in federal and provincial procurement.
The growth is driven by two factors: procurement language that now explicitly references CyberSecure Canada as a bid evaluation criterion, and increased awareness following high-profile supply chain attacks targeting Canadian SMEs. The 13 controls cover incident response planning, patching, access control, secure configuration, employee awareness training, and encryption of data in transit and at rest.
- Federal procurement solicitations are increasingly listing CyberSecure Canada as a mandatory or desirable qualification
- Provincial governments in Ontario, British Columbia, and Quebec are referencing the program in their own procurement frameworks
- Approximately 70% of CyberSecure Canada controls map directly to ISO 27001 Annex A, making it an effective stepping stone to full ISMS certification
- ISED is piloting an accelerated certification pathway for organizations that already hold ISO 27001 or SOC 2 reports
For SMEs in the federal supply chain, CyberSecure Canada certification is no longer optional positioning — it is becoming a market access requirement. Organizations should treat the 13 controls as a minimum baseline and begin documenting evidence of implementation now.
Source: ISED Canada
CyberSecure Canada Control Deep Dive — Incident Response Plans Remain the Most Common Gap
Analysis of recent CyberSecure Canada assessment outcomes shows that Control 13 (Incident Response Plan) remains the most frequently failed requirement. Over 60% of organizations attempting certification lack a documented, tested incident response procedure that meets program expectations.
The program requires more than a written policy. Organizations must demonstrate that the incident response plan has been communicated to relevant personnel, that roles and escalation paths are defined, and that the plan has been tested through a tabletop exercise or simulated incident. Simply having a document on file is insufficient — assessors are looking for evidence of operationalization.
Other commonly cited gaps include Control 3 (Automatic Patching) where organizations cannot demonstrate patch deployment within the required timeframe, and Control 6 (Secure Configuration of Devices) where default credentials and unnecessary services remain enabled on production systems. Organizations preparing for assessment should prioritize these three controls in their readiness planning.
Source: ISED Canada
CyberSecure Canada to ISO 27001 — Mapping the Transition Pathway for Growing Organizations
For organizations that have achieved CyberSecure Canada certification and are considering ISO 27001, the transition pathway is more efficient than starting from scratch. The overlap between the 13 CyberSecure controls and ISO 27001 Annex A provides a foundation that reduces the gap analysis and remediation effort.
Key areas where CyberSecure Canada provides direct coverage include access control (mapping to A.8.3–A.8.5), patch management (A.8.8), encryption (A.8.24), incident response (A.5.24–A.5.28), and security awareness (A.6.3). The incremental work for ISO 27001 centres on management system requirements — risk assessment methodology, Statement of Applicability, internal audit program, management review, and continuous improvement processes.
Organizations making this transition should plan for 6–12 months of implementation work, depending on organizational size and complexity. The most efficient approach is to treat the existing CyberSecure Canada evidence as the starting point for the ISO 27001 risk treatment plan, extending coverage to the full Annex A control set rather than rebuilding from the ground up.
Source: ISO
CPCSC Level 2 Third-Party Assessment Requirements — What Defence Contractors Need to Prepare
With CPCSC Level 1 self-assessment now mandatory for new federal defence procurements, attention is turning to Level 2 requirements. Level 2 demands a third-party assessment against 110 security controls derived from NIST SP 800-171, covering 14 control families including Access Control, Audit & Accountability, Incident Response, and System & Communications Protection.
The assessment will be conducted by accredited third-party assessment organizations (C3PAOs), modelled on the U.S. CMMC ecosystem. Canada is currently standing up its own accreditation body and assessor training program. Organizations expecting to require Level 2 certification should not wait for the assessor ecosystem to mature — the control implementation work is substantial and should begin immediately.
- Level 2 maps to 110 controls from NIST SP 800-171 Rev 2, organized across 14 families
- Key areas: multi-factor authentication, encrypted CUI storage, continuous monitoring, and supply chain risk management
- Organizations must maintain a System Security Plan (SSP) documenting how each control is implemented
- Plan of Action & Milestones (POA&M) will be accepted for a limited number of controls during initial assessments
- Cross-border alignment with U.S. CMMC Level 2 is intentional — organizations pursuing both certifications can leverage shared evidence
CPCSC and CMMC Alignment — Canadian Companies Serving U.S. Defence Can Pursue Dual Certification
The deliberate alignment between Canada’s CPCSC and the U.S. CMMC framework creates an opportunity for Canadian defence contractors operating in both markets. Both programs draw from NIST SP 800-171, and the overlap in control requirements means that a single implementation effort can support certification under both programs.
Key differences remain: CPCSC includes Canada-specific requirements around PIPEDA compliance, bilingual documentation obligations, and data residency considerations for Controlled Unclassified Information (CUI) processed by Canadian entities. CMMC adds requirements around Federal Contract Information (FCI) handling and leverages the NIST SP 800-172 enhanced controls at Level 3.
For organizations in the Canadian defence supply chain that also hold U.S. DoD contracts, the recommended approach is to build a unified System Security Plan that addresses both frameworks, with an appendix mapping Canada-specific requirements. This avoids duplicate evidence management and presents a consistent security posture to assessors from both programs.
Source: DoD CIO / ISED
Building a CPCSC-Ready Evidence Package — Lessons from Early Adopter Assessments
Early CPCSC Level 1 self-assessments are revealing a consistent pattern: organizations that treat the self-assessment as a checkbox exercise are failing to produce evidence that would withstand a future Level 2 third-party review. The gap between “we do this” and “here is the documented proof” remains the primary readiness challenge.
Effective evidence packages include configuration screenshots with timestamps, access control lists tied to named roles, patch deployment logs showing compliance timelines, an incident response plan with documented test results, and employee training completion records. Generic policy documents without implementation evidence are insufficient.
Organizations should approach Level 1 self-assessment with Level 2 rigour. The evidence standards are the same — the only difference is who reviews it. Building robust evidence documentation now avoids a costly remediation effort when third-party assessment becomes mandatory for your contract tier.
Source: ISED Canada
Canada’s Artificial Intelligence and Data Act (AIDA) — Updated Framework Advances Through Parliamentary Review
The Artificial Intelligence and Data Act (AIDA), originally introduced as Part 3 of Bill C-27, continues to advance through parliamentary committee review with significant amendments. The updated framework establishes obligations for organizations designing, developing, and deploying “high-impact” AI systems in Canada, with enforcement powers assigned to a new AI and Data Commissioner.
AIDA’s high-impact classification covers AI systems used in employment decisions, access to services, biometric identification, content moderation, health care, law enforcement, and critical infrastructure. Organizations deploying high-impact systems will be required to conduct impact assessments, implement risk mitigation measures, maintain human oversight mechanisms, and provide transparency to affected individuals.
- High-impact AI systems require mandatory impact assessments before deployment
- Organizations must establish measures to identify, assess, and mitigate risks of harm and biased output
- Transparency obligations include notifying individuals when AI is used in decisions that affect them
- The AI and Data Commissioner will have authority to order compliance audits and issue administrative penalties
- Alignment with the EU AI Act risk-based approach is intentional, though AIDA’s scope and penalties differ
Organizations should not wait for royal assent to begin preparation. The core requirements — AI system inventory, impact assessment methodology, risk mitigation documentation, and human oversight procedures — are consistent across AIDA, the EU AI Act, and ISO 42001. Building governance structures now creates readiness across all three frameworks.
Source: ISED Canada
ISO/IEC 42001 as the Governance Foundation for AIDA Compliance — Practical Implementation Approach
With AIDA advancing and the EU AI Act now enforcing, ISO/IEC 42001 (AI Management Systems) is emerging as the primary governance framework for organizations that need to demonstrate AI accountability across multiple jurisdictions. The standard provides the management system structure that both AIDA and the EU AI Act reference as a recognized compliance pathway.
ISO 42001 requires organizations to establish an AI policy, conduct AI-specific risk assessments, maintain an inventory of AI systems with risk classifications, implement data governance controls for training and operational data, define human oversight mechanisms, and establish transparency and explainability procedures. These requirements map directly to AIDA’s obligations for high-impact systems.
- ISO 42001 Clause 6.1 (Actions to Address Risks) maps to AIDA’s mandatory impact assessment requirements
- Annex A controls for data governance (A.7) address AIDA’s requirements for training data documentation and bias monitoring
- Human oversight controls (A.9) satisfy both AIDA and EU AI Act human-in-the-loop mandates
- Organizations with existing ISO 27001 certification can integrate 42001 using shared management system clauses 4–10
Certification body accreditation for ISO 42001 has expanded rapidly. BSI, Bureau Veritas, and SGS all now offer accredited certification. For organizations preparing for AIDA compliance, achieving ISO 42001 certification provides documented, auditable evidence of AI governance that regulators and customers can independently verify.
Source: ISO
EU AI Act Enforcement Begins — Lessons for Canadian Organizations Preparing for AIDA
The European Commission issued its first penalties under the EU AI Act this week, fining two organizations for deploying high-risk AI systems without meeting transparency, human oversight, and documentation requirements. The enforcement actions provide a preview of what AIDA compliance will look like when Canada’s framework becomes operational.
The fines — in the €15–30 million range — specifically cited failures in algorithmic impact assessments, absence of meaningful human-in-the-loop review, and inadequate documentation of training data provenance. For Canadian organizations, the enforcement signals that AI governance is shifting from voluntary best practice to regulated obligation with real financial consequences.
- Both AIDA and the EU AI Act use risk-based classification to determine compliance obligations
- Impact assessments, human oversight, and transparency are common requirements across both frameworks
- Canadian organizations with EU market exposure must comply with the AI Act now, regardless of AIDA’s timeline
- ISO 42001 and NIST AI RMF are being accepted by EU auditors as recognized governance frameworks
The strategic approach for Canadian organizations is to build AI governance structures that satisfy both AIDA and the EU AI Act simultaneously. The overlap is substantial, and organizations that invest in a unified governance framework now will avoid duplicating effort when AIDA becomes enforceable.
Source: European Commission
AI-Generated Phishing Surge Highlights the Intersection of AI Governance and Cybersecurity
A 400% increase in AI-generated phishing campaigns documented by CrowdStrike, Mandiant, and Palo Alto Networks is accelerating the convergence of AI governance and cybersecurity programs. Organizations are being forced to address AI as both a governance subject and a threat vector simultaneously.
From a governance perspective, organizations deploying AI systems must now account for adversarial use of AI in their risk assessments. ISO 42001 Annex A.6 (AI System Lifecycle) and A.10 (Third-Party and Stakeholder Relations) both require consideration of how AI-related threats affect the organization’s risk posture. Similarly, ISO 27001 controls A.5.7 (Threat Intelligence) and A.6.3 (Awareness Training) must be updated to address AI-augmented social engineering.
For organizations pursuing both ISO 27001 and ISO 42001, this convergence is an opportunity to build integrated risk treatment plans that address AI governance and cybersecurity under a unified management system. Auditors are increasingly expecting to see evidence that these two domains are connected, not siloed.
Source: NIST / CrowdStrike