Baseline Controls News Resources Glossary About
Free Assessment
Home / Cybersecurity Assessment

Free Cybersecurity Assessment for Canadian Businesses

Evaluate your organization against the Canadian Centre for Cyber Security's 13 Baseline Controls. 50 questions, under 30 minutes, 100% confidential — your answers never leave your browser.

Start the Free Assessment View the 13 Controls

What Is This Assessment?

This is a free online tool that evaluates your organization's cybersecurity posture against the 13 Baseline Cyber Security Controls published by the Canadian Centre for Cyber Security (CCCS) in ITSM.10.089. The assessment asks 50 questions — covering areas from incident response planning to portable media security — and produces a score, a letter grade, and specific recommendations for improvement. It is designed for Canadian small and medium businesses and takes less than 30 minutes to complete.

The Baseline Cyber Security Controls for Small and Medium Organizations represent the minimum recommended security standard published by the Government of Canada. They are designed using the 80/20 principle: achieving approximately 80% of the security benefit from 20% of the effort. This assessment helps you measure where your organization stands against that standard.

Who Is This Assessment For?

The assessment is designed for Canadian small and medium businesses (SMBs), typically organizations with fewer than 500 employees. It is useful for:

  • Business owners and executives who want to understand their organization's cybersecurity posture without hiring a consultant
  • IT managers and administrators who need a structured framework to evaluate current security practices
  • Office managers and operations leads at small businesses that do not have dedicated IT security staff
  • Board members and directors who need to assess cybersecurity risk as part of their governance responsibilities
  • Organizations preparing for CyberSecure Canada certification or other cybersecurity frameworks

No technical expertise is required. The questions are written in plain language and include explanations for each topic area. If you can describe how your organization handles tasks like software updates, passwords, and data backups, you can complete this assessment.

What Does It Measure?

The assessment evaluates your organization across all 13 Baseline Control areas defined by the CCCS:

  1. Incident Response Planning (BC.1) — do you have a plan for responding to cybersecurity incidents?
  2. Patch Management (BC.2) — are your systems and software kept up to date?
  3. Anti-Malware (BC.3) — do you have protection against malicious software?
  4. Secure Configuration (BC.4) — are your systems configured securely?
  5. Authentication (BC.5) — how do you verify user identities?
  6. Security Awareness Training (BC.6) — are your employees trained to recognize threats?
  7. Data Backup & Recovery (BC.7) — can you recover from data loss?
  8. Mobile Device Security (BC.8) — are mobile devices managed and protected?
  9. Network & Perimeter Security (BC.9) — is your network defended against unauthorized access?
  10. Cloud Services Security (BC.10) — are your cloud services configured securely?
  11. Web Application Security (BC.11) — are your web-facing applications protected?
  12. Access Control & Authorization (BC.12) — do you control who has access to what?
  13. Portable Media Security (BC.13) — do you manage the risks of USB drives and removable storage?

Each control area is assessed through targeted questions that measure your level of implementation — from no measures in place to strong, documented practices.

How Does It Work?

The assessment consists of 50 questions, each with four answer options:

  • None — no measures are in place for this area
  • Basic — some informal or ad-hoc measures exist
  • Moderate — defined practices are in place and generally followed
  • Strong — documented, consistently applied practices with regular review

You answer each question based on your organization's current practices. There are no trick questions and no wrong answers — the goal is an honest assessment of your current state, not a pass/fail test.

The entire assessment runs in your web browser. When you finish, you receive your results immediately on screen. No email address is required, no account is created, and no data is transmitted to any server.

What Do You Get?

Upon completing the assessment, you receive:

  • An overall score — a percentage reflecting your alignment with the CCCS Baseline Controls
  • A letter grade — from A (strong alignment) through F (significant gaps)
  • Per-control scores — individual scores for each of the 13 Baseline Control areas, showing your strengths and gaps
  • Specific recommendations — for every question, you receive tailored guidance on how to improve, with references to the relevant CCCS control area

The results are designed to be actionable. Rather than a generic report, you receive specific next steps for each area where your organization can improve. You can use the results to prioritize security investments, brief leadership, or guide conversations with IT service providers.

How Long Does It Take?

The assessment takes less than 30 minutes for most organizations. If you are familiar with your organization's IT and security practices, it may take as little as 10 minutes. If you need to check with colleagues on certain questions, you can take your time — the assessment does not time out.

Your Privacy

This assessment collects zero data. Your answers are processed entirely in your browser using client-side JavaScript. No information is transmitted to any server, stored in any database, or shared with anyone — including us. When you close the browser tab, your answers are gone.

We built the assessment this way deliberately. Canadian businesses should be able to honestly evaluate their cybersecurity posture without worrying about who is collecting their answers. There is no email gate, no account creation, no cookies tracking your responses, and no upsell. Read our full Privacy Policy for details.

Start the Free Assessment
Important Disclaimers

Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.

The information provided on this website is for general educational and informational purposes only and does not constitute professional cybersecurity, legal, IT, compliance, or risk management advice. All content, including assessment results, scores, grades, and recommendations, is provided on a best-effort, "as is" basis without warranties of any kind. We expressly disclaim liability for any errors, omissions, or inaccuracies. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation. Use of this website or the assessment tool does not create a professional-client relationship. See our Terms of Use for full details.

Frequently Asked Questions

Is this assessment really free?

Yes. The assessment is completely free with no strings attached. There is no upsell, no premium version, no email required, and no account to create. It is a community resource for Canadian businesses, funded independently. It will remain free.

What are the CCCS Baseline Controls?

The Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089) are published by the Canadian Centre for Cyber Security, part of the Communications Security Establishment. They define 13 control areas that represent the minimum recommended cybersecurity standard for Canadian organizations with limited cybersecurity resources. The controls cover areas such as patch management, authentication, data backup, network security, and incident response planning.

Do I need technical knowledge to complete the assessment?

No. The questions are written in plain, non-technical language. If you are a business owner or manager who generally understands how your organization uses technology — how updates are handled, how employees log in, whether you have backups — you can complete the assessment. Each question includes context to help you understand what is being asked.

Can I use the results for CyberSecure Canada certification?

This assessment is not a substitute for CyberSecure Canada certification, which requires a formal audit by an accredited certification body. However, because both this assessment and the CyberSecure Canada program are based on the same CCCS Baseline Controls, your results can help you identify gaps before pursuing formal certification. Organizations that score well on this assessment are likely better prepared for the certification process.

What should I do after completing the assessment?

Review your per-control scores to identify the areas with the lowest ratings. The recommendations provided for each question give you specific next steps. Start with the controls that have the greatest impact relative to effort — typically patch management, authentication (enabling multi-factor authentication), and data backup. For detailed guidance on each control area, visit our Baseline Controls guide. For complex or high-risk environments, consider engaging a qualified cybersecurity professional.

Ready to Evaluate Your Cybersecurity Posture?

50 questions. Under 30 minutes. Zero data collection. Find out where your organization stands against Canada's recommended Baseline Controls.

Start the Free Assessment