Update to CyberSecure Canada - CAN/DGSI 104:2021 / Rev 1: 2024
Who should read this bulletin
This is intended for accredited customers, applicants, Accreditation Advisory Panel (AAP), and staff and assessors in the CyberSecure Canada scheme under the Management Systems Accreditation Program (MSAP).
What you need to know
The Digital Governance Standards Institute has released CAN/DGSI 104:2021 / Rev 1: 2024 - Baseline Cyber Security Controls for Small and Medium Organizations.
The main changes include:
- Minor updates of terms and definitions.
- Addition of 4 new definitions for the terms: asset register, availability, DomainKeys Identified Mail and inherent risk.
- Updates to verbiage in sections 4.3.2.1, 4.3.3.1, 5.1.2.3, 5.4, 5.4.2.1, 5.4.3.1, 5.6.1.1, 5.6.2.4, 5.6.2.6, 5.6.2.7, 5.6.2.8, 5.6.3.1, 6.2.3.1.
- Removal of section 5.6.1.2.
- Additional clarity on Level 1 versus Level 2 requirements relating to the following areas:
  - Cyber security training
  - Cyber security risk assessment
  - Incident response plan
  - Secure configuration process
  - Data back-ups
  - Secure cloud, outsourced IT services, and websites
For detailed information on the changes and requirements please refer to: Baseline Cyber Security Controls for Small and Medium Organizations
As a result of these changes, SCC has determined that the SCC Requirements and Guidance for the Accreditation of CyberSecure Canada Certification Bodies are now redundant, and that document has been withdrawn effective immediately.
What you need to do
CyberSecure customers and applicants are required to follow CAN/DGSI 104:2021 / Rev 1: 2024 and to update their quality management system (QMS) to reflect the new document and the withdrawal of the SCC Requirements and Guidance for the Accreditation of CyberSecure Canada Certification Bodies.
Important dates
Effective immediately.
Questions?
Please contact Vivekananthan Kulasingham at [email protected] or +1 613-238-3222.