Understanding Compliance Frameworks

Understanding Cybersecurity Compliance: A Guide to Key Frameworks

When it comes to cybersecurity, compliance is a critical part of keeping your business secure and prepared for potential risks. There are several government regulations and industry standards that businesses need to understand, especially if they operate internationally. In this blog, we’ll dive into the compliance landscape in Canada, and take a look at the key cybersecurity frameworks businesses should be familiar with.

This blog post is based on insights from our recent webinar on cybersecurity compliance. Our CEO and Founder, Vince Fung, covered the key frameworks, common challenges, and practical steps organizations can take to strengthen their security posture and meet evolving compliance expectations.

Note: This content is for informational purposes only and does not constitute legal, IT, or HR advice. Get advice tailored to your situation, and consult your internal IT, HR, and legal decision-makers before committing to a compliance path.

Government Regulations: The Landscape in Canada

Canadian organizations might not currently feel pressure to follow industry regulations.

“If you look at cyber government regulations in Canada, there’s really not that much in Canada. Right. Like we have Bill C-61, that’s actually been tabled literally 5 or 6 years ago, and it’s still sitting in the approval stages,” says Vince. “So there’s really very, very little for regulations in Canada around minimum cyber protection that businesses need to actually have in place. There are some privacy regulations like PIPA and PIPEDA, and some health information acts. But really in Canada, we have very little government-mandated legislation that requires organizations to have the right security controls in place. If you look south of the border, if we look at U.S. regulations, there are a ton of regulations that have actually been put in place in just the last few years.”

Even though Canada has fewer regulations, there are still frameworks organizations can use to improve their cybersecurity. One of the main ones is CyberSecure Canada, the federal certification program built on the baseline cyber security controls published by the Canadian Centre for Cyber Security, the Government of Canada’s cyber security authority. These controls offer a solid foundation for Canadian businesses looking to strengthen their security.

Even if compliance isn’t legally mandated, there are many strong reasons to pursue it, including:

  • Industry standards, requirements, and best practices
  • Being well-prepared for any legal requirements that do come into place
  • A greater potential to work with international customers who may see certain requirements as table stakes
  • A greater level of security for your organization

Common Compliance Frameworks

ISO 27001: Key for the Manufacturing Industry

Some of the more robust security frameworks include ISO 27001, the international standard for information security management systems. Our CEO and Founder notes, “Having ISO 27001 is very useful if you’re actually in the manufacturing industry. It’s very process-heavy. It requires a lot of documentation, and it’s a standard that, if you’re in the manufacturing industry, you’re likely to actually get asked by your customers if you have this, so something to consider. For those of you in the manufacturing space, really start looking seriously at ISO 27001 and NIST 800.”

NIST 800-53: A U.S. Standard with Global Recognition

The National Institute of Standards and Technology (NIST) publishes the Special Publication 800 series; the control catalog usually meant by “NIST 800” is SP 800-53, Security and Privacy Controls for Information Systems and Organizations, currently at Revision 5. “This is a U.S.-based standard, but it’s also recognized around the world. This is also a very, very robust set of security controls,” Vince notes. “And this set of standards has a lot of policy requirements, a lot of procedure requirements, and a lot of security control requirements, from technical controls, which are the software and tools, to administrative controls, policies and procedures, as well as physical controls to ensure that your environment is protected from threats.”

PCI DSS: Notable for Businesses Processing Credit Cards

“Any of you or your organizations that process credit cards, you’re likely to require PCI DSS (Payment Card Industry Data Security Standard),” says Vince. Depending on your annual transaction volume and how you handle card data, compliance can require anything from a Self-Assessment Questionnaire (SAQ) to an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance.

Businesses often need outside help here, because the questionnaire leaves no room for gaps. “The reality is that you actually cannot really answer no to any of the questions,” says Vince. “You have to have all of these controls in place in order to be PCI DSS compliant. So if you haven’t actually had a third party actually look closely at what you have in controls and check to ensure that your people are following it, if you actually have a data breach that causes the credit card company to have losses, you could actually be liable for some of those losses if you cannot prove that you have met the compliance requirements for PCI DSS.”

CIS Controls v8.1: A Strong Starting Point with Staged Implementation

The CIS Critical Security Controls, published by the Center for Internet Security (CIS), can be a strong starting point. “This framework is actually one of the ones that I actually like implementing the most, because it’s broken up into 18 different control groups, each with a bunch of different controls, and three implementation groups that allow you to select: if you’re actually at a lower level of maturity, you would actually implement group one, then group two, and then group three as you become more mature. It allows organizations to kind of stage the implementation of these controls in a very, very easy and understandable way,” explains Vince.

Vince notes that if there is no framework you are required to follow, CIS Controls v8.1 is a good standard to start with: it creates a foundation, and once you have completed your first compliance initiative, subsequent ones tend to be simpler because of the overlap between frameworks.

“If you look at all of the controls across all of these standards, probably 80, 85% of the controls actually overlap. So if you pick any one of these, you’ve already implemented 80% of the standards required in the other security framework. So it makes it fairly easy for you to actually add another security standard for you to be compliant with.”

SOC 2: A Well-Known Standard for SaaS Companies

For SaaS companies, SOC 2 (System and Organization Controls 2) is probably the most well-known compliance framework.

Vince notes that SOC 2 is one of the most onerous attestations to obtain, because you need to engage a licensed third-party CPA firm to perform the audit, checking both that the controls exist and that there is evidence they are being followed.

“SOC has different types of controls. So there’s SOC 1, which is primarily financial controls, so that’s not relevant on the cybersecurity side. But there’s SOC 2, and SOC 2 has three levels of reporting,” explains Vince.

SOC 2 Type 1 – A Point-in-Time Audit

“A SOC 2 Type 1 is actually a point-in-time audit. So they will just actually pick an audit date,” says Vince. “And they’re going to check to make sure that you have the controls in place for that period, and also ask for evidence to show that you have actually met the requirements during that [time].”

SOC 2 Type 2 – A Period Audit

“A SOC 2 Type 2 report is a period audit, which means that they audit you over a period of typically 6 or 12 months,” says Vince, “and they will actually ask for evidence that these controls are in place, and ask for evidence at any time during that audit period for any of the controls, for you to prove that those controls were actually working and that the people in your organization followed the policies and procedures.”

The Costs of Compliance

“So it’s a pretty onerous audit,” says Vince. “Typically, if you’re looking to get a SOC 2 Type 2 report, the budget to do that would be pretty much a minimum of $100,000. We’ve seen organizations spend upwards of a quarter million dollars to actually get SOC 2 compliant. And this is probably the one that you’re going to see over the next few years, organizations, especially the really big companies, asking for you to be able to produce a SOC 2 Type 2 report.”

ISNetworld: A Supply Chain Security Standard

There are also industry-specific standards, like ISNetworld, a supply chain network where businesses must meet certain security standards to be eligible to bid on contracts. If your company wants to participate in this network, you’ll need to meet its security requirements—otherwise, you won’t even be able to get involved in the bidding process.

This highlights the growing importance of supply chain security for businesses looking to collaborate with larger organizations.

Compliance: More Than Just Tools

You might be thinking, “I’ve got a solid security setup with antivirus software, firewalls, and encryption.” While these technical controls are essential, they aren’t enough to ensure compliance. Compliance involves not only having the right tools in place but also implementing policies and procedures to meet specific security standards.

It’s also important to have the right documentation to prove that your organization is consistently following these practices, so that you’re not scrambling for it after the fact. “Most importantly, it isn’t just about having that stuff in place, but it’s about proving that that stuff is in place over a period of time,” says Vince.

Being Proactive About Compliance

It’s important to remember that achieving compliance isn’t something that happens overnight. If a client demands that you meet a specific standard, like SOC 2 Type 2, by next week, that’s simply not going to happen.

Getting compliant can take significant time and effort, so it’s important to have it on your roadmap well before you actually need it.

Risk Assessment and Compliance

A key part of compliance is risk assessment. Every business has its own set of risks, and compliance is about identifying which ones are the most critical and directing resources to address those first. You can’t eliminate all risks, but you can manage and minimize the biggest ones.

Compliance as a Competitive Edge

Cybersecurity compliance is essential for protecting your business and reducing potential liability. While Canada may have fewer regulations than the U.S., businesses here should still take compliance seriously, and even see it as an opportunity. By adopting the right cybersecurity frameworks and being able to prove your adherence to them, you’ll not only protect your business from threats but also position yourself for future opportunities and demonstrate your commitment to security.

“Most organizations today are hardly meeting any of these compliance requirements. So this is a competitive edge that you could have for your organization,” says Vince. “Having a SOC 2 Type 2 report actually puts you at the forefront because you can actually showcase a very high level of security maturity compared to some of your competitors who don’t have the money to invest in actually getting that type of security compliance.”

Learn More

Watch the webinar or get in touch with our team to learn more!