MSECB

Home → News & Resources → Experts Talk

ISO/IEC 27001 vs. CyberSecure Canada National Standard CAN/CIOSC 104:2021

This comparison aims to help organizations using CAN/CSA-ISO/IEC 27001 decide whether to migrate to ISO/IEC 27001 or use the CyberSecure Canada National Standard, CAN/CIOSC 104:2021. It maps the two standards to show where ISO/IEC 27001 clauses are satisfied by CyberSecure and to what extent.

It is useful to note that while CyberSecure has security and privacy requirements, it is focused on public sector entities and is primarily concerned with protecting sensitive, unclassified information.

ISO/IEC 27001 is a broader standard focused on protecting information assets, and it applies to organizations of any size or type.

This comparison is focused on the security aspect of CyberSecure. Still, it will also note where privacy requirements are covered separately and will provide a brief overview of the privacy requirements. This comparison can be helpful for both early adopters and existing users of CyberSecure. The decision for early adopters is straightforward.

If an organization has decided to commit to CyberSecure, we assume it is because the standard aligns with its information security management system (ISMS) goals and requirements. If that is the case, an organization can use this comparison to apply ISO/IEC 27001 best practices to implement CyberSecure, which will put them in a good position to easily transition back to ISO/IEC 27001 in the future.

For current CyberSecure users, this comparison will provide a clear understanding of what would be involved in migrating to ISO/IEC 27001. It will help to weigh the benefits of doing so against the costs.

Overview of ISO/IEC 27001

This part of the article is dedicated to the comparative analysis of ISO/IEC 27001 against other existing information security management standards and frameworks.

The comparison is only relevant to help organizations understand the additional requirements of CyberSecure Canada for achieving a level of confidence in information security; equivalent to “adequate security” in Clause 7 of the National Standard. It exclusively focuses on information security.

This is not intended to undermine ISO/IEC 27001, an eminent standard with the advantage of being a specification and therefore fully interpretable.  It has worldwide recognition which is not reflected by any industry or government standard.

ISO/IEC 27001 could be a suitable option for many organizations, especially if their goal is to achieve certified compliance with a single standard rather than obtaining multiple certifications. ISO/IEC 27001 is a generic standard not specifically aimed at the public sector.

Given that many public sector organizations must comply with the National Standard for Information Security in Canada to access government systems, it is necessary to have a detailed understanding of the additional requirements of the National Standard. Some of these will necessitate additional controls over and above those stated in ISO/IEC 27001.

For non-public sector organizations in Canada, ISO/IEC 27001 certification may still be a strategic move. It can be used to demonstrate compliance with many legislative requirements. Alternatively, it can serve as a way of consolidating many differing requirements into a single Information Security Management System. However, it is important to understand that additional requirements should be met.

The following comparison will help Canadian organizations to determine the gap between their current state of information security and the requirements of ISO/IEC 27001, to plan an implementation project.

Key Principles & Objectives

ISO/IEC 27001 aims to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System. The design and implementation of the management system are tailored to the organization’s objectives, information assets, operational processes, and assurance requirements.

The Information Security Management System considers the organization’s overall business and IT strategies in current and future contexts. This is achieved by providing a systematic approach to managing sensitive company information, identifying security risks, and providing confidence and integrity in the provision of information to all interested parties.

Specifically, the ISMS offers an optimal approach to managing the information of various security levels within the organization. It ensures that information remains secure through mobile secure storage, handling, and transfer protocols. By reducing the incidence of security threats and vulnerabilities, the ISMS can increase the company’s resilience to potential security issues.

This is supported by attaining information assurance and through independent assessments evaluating the effectiveness of security and information assurance activities and measures. Measures taken to achieve this may be supported by legal and regulatory requirements such as the EU General Data Protection Regulation (GDPR) and/or other data protection laws. Securing information before and after collaboration with other organizations and third parties is important for many companies.

An ISMS provides a systematic approach to managing information to remain secure when shared with others, including customers and stakeholders. This is done by applying an information security risk management process and maintaining a systematic approach to information security, ensuring that security controls in and around the information are effective.

The overall strength of ISO/IEC 27001 lies in the methodical and systematic approach to managing sensitive information and the versatility in applicability across varying types and sizes of organizations. This is especially beneficial in today’s fast-moving and globalized IT environment.

Structure & Requirements

The standard is divided into two major sections.

The first section, containing clauses 4 to 10, gives detailed security control objectives and a plan for implementing them; this is a management to-do list.

The second section, clause 11, requires management to create a system to monitor and review the ISMS. The standard deliberately points to clause 3.3.3 (the to-do list) as the top priority, leading some to believe the second section was an afterthought.

As the standard is designed to measure an organization’s ISMS, it does not prescribe a specific level of security. Most factors relevant to the business and its information requirements will be considered when determining the information security requirements and hence, the security level. This is explicitly left to be decided by the organization.

Cliff Smith is a globally recognized seasoned ISO/IEC 27001 ISMS specialist in the strategy and implementation of information security management systems. Cliff has identified what he believes to be two common ways organizations apply the standard; sometimes not what they should or ought to be doing. First, there is what he calls the “quick and dirty off-the-shelf approach”. This often sees organizations implement cheap security solutions to meet a basic set of security control requirements and attain some level of certification.

This approach is believed to specifically address the security level implied by the standard.

The second approach utilizes the standard to design and fully implement a system to be managed.  This approach is rooted in the belief that business and information requirements dictate security needs, necessitating a higher security level.  It means that organizations implement additional security controls beyond the basic set and, at times, add further clauses and controls to the standard.

Consider companies with legal or regulatory obligations, such as health providers, who will implement security controls specific to protecting personal health information. Both ways offer a valid application of the standard.  However, Smith uses the terms “quick and dirty certification grab” and “build a system ISMS”. He believes that the latter should be the focus of any organization wishing to make a self-assessed assertion of conformance to the standard.

Benefits & Limitations

The main cost of implementing ISO/IEC 27001 lies in the initial implementation and certification. There is a danger that organizations may see the certification cost to outweigh the benefit, leaving the certification as something they do not renew.

Over time, as more organizations get certified and the result is an improved level of security globally, it may become a de facto standard or law. This has been the case with BS7799, of which many of the concepts and requirements have been used in the development of ISO/IEC 27001.

ISO/IEC 27001 has the potential to be a key differentiator in competition between organizations. For example, the certification may be a requirement in contracts when considering outsourcing.

Given the potential for certification, this standard is quantifiable. An organization can determine precisely the effort and capital required to attain the security level outlined in the policy. This aspect is appealing to management seeking to quantify the effectiveness of security investments, as it facilitates easier measurement of return on investment.

The organization may overinvest in security; however, the risk management framework outlined in the ISMS allows for the  assessment of such situations. Any residual risk is accepted by management. This is an improvement on many security implementations which frequently leave a prominent level of residual risk because the security measures employed were not linked to a framework or standard.

On the global stage, an ISO/IEC 27001 certification may be a necessity for organizations trading in certain geographies.

Overview of CyberSecure Canada National Standard CAN/CIOSC 104:2021

CyberSecure Canada National Standard CAN/CIOSC 104:2021 was meant to be a standard that is a beginner to intermediate level for small and medium-sized enterprises (SMEs) and work-from-home organizations. It was created as an alternative to the many existing standards that are either too broad, or complex, or assume that the implementing party is capable of a large number of resources and expertise.

Its goal is to prevent cyber-attacks and enhance overall cybersecurity as organizations struggle to understand it due to a constantly changing digital landscape. It seeks to do this by having an easy-to-understand and implementing a standard that can gradually introduce organizations to proper cybersecurity. It aims to provide a standard that is cost-effective at a minimum and, ideally, facilitates certification and competitive advantage.

The standard itself was created by Francois Guay CISSP, working with the Canadian Centre for Cyber Security – Communications Security Establishment.

CAN/CIOSC 104:2021 has 13 high-level security objectives grouped within six security principles.

The objectives are to establish, initiate, and maintain cybersecurity to ensure the organization’s continuity and prosperity. Each principle encompasses several requirements, which include not only security controls but also objectives, intentions, and notes for clarification. In total, there are 94 requirements, many of which are simplified or consolidated versions of existing security controls within other standards.

Key Principles & Objectives

The standard is a consolidated framework that is comprised of detailed prescriptive baselines of security measures and a verification process to confirm that the specific security measures have been implemented as intended.

This contrasts with high-level frameworks such as ISO/IEC 27001, NIST Cybersecurity Framework, and others, which can be ambiguous and lack specific control requirements. This simplifies certification for both the certificate applicant and the certification body and increases the likelihood that the certification evaluation will yield consistent results between different examining organizations.

The standard is divided into a core set of security standards that apply to all organizations and additional sets tailored to specific categories of designated organizational mandates (e.g., for small and medium-sized enterprises or commercial off-the-shelf IT product vendors). The standard is designed to be scalable and applicable to organizations of varying sizes and mandates.

CyberSecure Canada’s national standard is designed to enhance the resiliency of the Canadian economy and of designated key public and private sector organizations against cyber-attacks.

The standard does so by operationalizing the concept of basic cyber hygiene: those essential protection and detection activities that high-value targets must do to prevent the efforts of opportunistic cyber adversaries. It also provides a deterministically defined cybersecurity certification scheme that enhances the integrity and security of products and services that are of high interest to the Government of Canada.

Structure & Requirements

The structure of the national standard begins with an introduction and scope of the standards, followed by the requirements clauses, and then annexes. Each requirements clause has an associated rationale to provide context and understanding for the requirement, and most have additional guidance on how to implement to assist organizations in following the intent of the requirement.

A comprehensive approach to developing sound cybersecurity in an organization often demands developing and implementing a framework that assists in defining how managed information assets will be protected. CAN/CIOSC 104:2021 Cybersecurity National Standard is based on best practices for managing cybersecurity in organizations from public, private, and not-for-profit sectors.

The national standard is a development initiative that will incorporate new guidance and practices as the science of cybersecurity evolves. It is best applied to critical and vital information and supports the protection of sensitive information when necessary. It was designed to be usable by organizations of all sizes.

Presently, it is best suited to medium to large-sized organizations due to their greater breadth and depth of information management and information security management capability when compared to smaller organizations. The national standard provides a pragmatic approach to providing a security posture that is commensurate with the value of the information assets to the organization and that supports the organization’s business goals and objectives.

Benefits & Limitations

Practically, if an organization is successful in implementing the national standard and has improved its security posture such that it would meet the eligibility criteria for the SME Cybersecurity Tax Credit, the cost of doing so would be effectively subsidized by the Government of Canada.

The sponsor concept believes that this would encourage the uptake and sustainment of small and medium enterprise-sponsored programs which will improve the security posture of Canadian small and medium enterprises, reducing the number of cyber incidents and their impact. This will also contribute towards the eligibility requirements for the CyberSecure Canada certification which is currently under development.

The certification will be modeled directly against this national standard to which it is equivalent and is expected to provide a competitive edge for certified organizations bidding on government contracts.

CyberSecure Canada has identified the benefits of the national standard to a potential adopting organization and to their ecosystem. This is to encourage the uptake and convey to the organizations the underlying principles and value proposition.

National standards set the stage for innovation, and economic growth, and increase Canada’s global competitiveness. It is identified that the baseline and intent of this national standard can have a very strong impact on improving the security of the Canadian ecosystem and at the same time, it is recognized that there are organizations in high-risk domains that would need to go further, seeking certification or claiming compliance in ISO/IEC 27001 or another equivalent standard.

Comparison with ISO/IEC 27001

Firstly, the guidance outlines commitment and a top-level policy would be expected. As CAN/CIOSC 104:2021 is specifically aimed toward cybersecurity, this is mirrored in its requirements for risk management and risk treatment specifically. This is more detailed than ISO/IEC 27001:2013, which only briefly touches on risk assessment before moving on to risk treatment.

Note that ISO/IEC 27001:2013 does not explicitly mention a risk assessment process. Using the ISO/IEC 27001:2013 requirement of a risk treatment process as a starting point, it would be possible to build a set of cybersecurity-specific risk assessment and treatment processes based on existing standards such as ISO/IEC 27035:2011. Requirements for security objectives and security control selection are similar.

ISO/IEC 27001:2013 requires that organizations set information security objectives and put controls in place to achieve them but does not give any further guidance. CAN/CIOSC 104:2021 requires that security objectives are to be linked to business objectives and provides specific requirements for both the selection of security controls and the statement of applicability.

Throughout the ISMS building process, decision-makers must continuously consider the scope of the ISMS, and CAN/CIOSC 104:2021 has detailed requirements for scoping at the planning stage and maintenance of an up-to-date scope. Specific support is also provided for system acquisition and development. CAN/CIOSC 104:2021 assumes that some organizations may have already implemented ISO/IEC 27001 or be looking to implement an ISO27k ISMS.

This is taken into consideration with opportunities for ISMS integration and transition from an existing ISMS. This is a highly detailed document; migration and integration are often weakly covered in generic standards documents. Any organization that has already implemented an ISMS to another standard will find that ISO/IEC 27001:2013 is not a tightly structured document, and CAN/CIOSC 104:2021 gives an easy reference point for mapping between the two standards and building additional processes and documents.

On the other hand, a brand-new information security manager may be intimidated by the level of detail. Secondly, requirements for ISMS maintenance and ISMS auditor competence are more detailed in CAN/CIOSC 104:2021. ISO/IEC 27001 9.3 Management Review and 9.2 Internal Audit are supported only by high-level requirements and do not guide as to what form management reviews and internal audits should take.

This is acceptable for management already accustomed to making reviews and audits but may leave others unsure as to what is actually required. CAN/CIOSC 104:2021 provides more specific requirements in these areas and a useful point to ISO/IEC 27007:2011 for ISMS auditing. This Chronicle and guidance are designed to be more instructive than the ISO27k standard itself.

Conclusion

The comparative analysis between ISO/IEC 27001 and the CyberSecure Canada National Standard CAN/CIOSC 104:2021 highlights the intricate balance between global and national cybersecurity standards. Both frameworks share a commitment to robust information security management, yet they cater to different organizational needs and security contexts.

ISO/IEC 27001 offers a broad, technology-neutral approach, making it versatile across several types and sizes of organizations worldwide. In contrast, CAN/CIOSC 104:2021 provides a more prescriptive model, particularly tailored for small to medium-sized enterprises (SMEs) in Canada, focusing on practical cybersecurity resilience against the evolving digital threats landscape.

This analysis underscores the potential for organizations to align or transition between these standards, leveraging their respective strengths to build a comprehensive and adaptive cybersecurity posture. For organizations operating within or alongside Canadian markets, understanding the nuances and synergies between these standards is crucial. It enables them to strategically navigate the cybersecurity domain, ensuring their practices are globally informed and locally applicable.

The decision to adopt ISO/IEC 27001, CAN/CIOSC 104:2021, or a blend of both, should be grounded in an organization’s specific security goals, operational requirements, and the unique challenges of the cyber landscape. This streamlined comparison aims to guide organizations toward making informed, strategic choices in their cybersecurity endeavors, enhancing their resilience and competitive standing in an increasingly digital and interconnected world.

About Author

Islam Elzayat, MSECB auditor for ISO 14001, ISO 9001, ISO/IEC 20000-1, and ISO/IEC 27001

Islam Elzayat

Islam Elzayat is an experienced IT professional specializing in Digital Transformation, Cybersecurity, and Governance. With a background in IT Compliance and Auditing, he implements standards to enhance security and operational efficiency. Transitioning his career to Canada, Islam holds certifications such as  ITIL E expert, COBIT 5, CISA, and Microsoft Certified Trainer. 
Since 2021, Islam has been a trusted auditor with MSECB, conducting audits across North America against ISO 14001, ISO 9001, ISO/IEC 20000-1, and ISO/IEC 27001. Known for his approach and effective communication, he turns audits into tools for business improvement, Islam embodies MSECB’s commitment to excellence and customer service, ensuring audits exceed client expectations and contribute to organizational growth. His dedication to advancing auditing practices underscores his role in shaping secure and sustainable business strategies in the digital era.

Other articles