Understanding Canada's Baseline Cyber Security Controls for SMBs
The Canadian Centre for Cyber Security (CCCS) has established a set of Baseline Cyber Security Controls specifically designed for small and medium organizations. Published as ITSM.10.089, this document represents the Government of Canada's recommended minimum security standard for Canadian businesses.
What Are the Baseline Controls?
The Baseline Controls are organized into 13 control areas that cover the fundamental aspects of cybersecurity that every organization should address:
- Incident Response Planning (BC.1) — Having a plan for when things go wrong
- Patch Management (BC.2) — Keeping software and systems up to date
- Anti-Malware (BC.3) — Protecting against viruses and malicious software
- Secure Configuration (BC.4) — Setting up systems securely from the start
- Authentication (BC.5) — Verifying who has access to your systems
- Security Awareness (BC.6) — Training employees to recognize threats
- Data Backup (BC.7) — Ensuring you can recover from data loss
- Mobile Devices (BC.8) — Securing phones and tablets
- Network Security (BC.9) — Protecting your network perimeter
- Cloud Services (BC.10) — Securing cloud-based tools and data
- Web Security (BC.11) — Protecting your public-facing websites
- Access Control (BC.12) — Managing who can access what
- Portable Media (BC.13) — Controlling USB drives and external storage
Why It Matters for Canadian SMBs
Small and medium businesses are increasingly targeted by cyber threats. According to Canadian government reports, many SMBs lack the resources for comprehensive security programs. The Baseline Controls provide a practical, achievable starting point.
These controls aren't about achieving perfect security — they're about establishing a minimum viable security posture that significantly reduces your risk of a successful cyber attack.
Getting Started
The best way to begin is by assessing where your organization currently stands. Our free assessment tool evaluates your practices against all 13 control areas and provides specific, actionable recommendations for improvement.
You can also review the official ITSM.10.089 document directly on the Canadian Centre for Cyber Security's website.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.