
What Is ITSG-33? Canadian Government IT Security

ITSG-33 explained for Canadian organizations — clear, practical guidance to meet federal IT security. Learn the essentials with CyberSilo.

📅 Published: June 2026 🔐 Cybersecurity • Canada Government • Canada ⏱️ 2,200 words

ITSG-33 is the Canadian government’s definitive IT security risk management standard. Published by the Canadian Centre for Cyber Security (CCCS), ITSG-33 provides a mandatory framework for federal departments and agencies to systematically identify, assess, and mitigate IT security risks using a structured methodology that aligns controls from NIST SP 800-53, ISO/IEC 27001, and other international standards with Canadian federal requirements. For organizations doing business with or serving the Government of Canada, understanding ITSG-33 is not optional—compliance is a contractual and regulatory prerequisite for federal IT procurement.

This guide offers a clear, practical breakdown of ITSG-33: its core components, how it differs from frameworks like NIST 800-53 and ISO 27001, who must comply, and practical steps to operationalize this complex standard. Whether you are a CISO at a defence contractor, a compliance officer at a federal systems integrator, or a GRC lead evaluating your organization’s posture, this article provides the essential knowledge you need.

Key takeaways:

  • ITSG-33 is Canada’s federal IT security risk management standard, mandatory for Government of Canada (GC) departments and their contractors.
  • It unifies risk management, control selection, and security architecture into one integrated document suite, using a multi-tiered approach.
  • It directly references NIST SP 800-53 and ISO/IEC 27001 control catalogs, but tailors them to the Canadian federal context with specific GC-mandated policies.
  • Non-compliance can exclude vendors from GC contracts and expose departmental systems to unacceptable risk levels.

What Is ITSG-33? Definition and Core Purpose

ITSG-33, formally titled IT Security Risk Management: A Lifecycle Approach, is the foundational security standard of the Government of Canada (GC). Published by the CCCS as part of its suite of guidance, ITSG-33 replaces older, fragmented Treasury Board (TB) security policies and provides a cohesive, lifecycle-oriented methodology for managing IT security risk. It was first released in 2012 and has been updated to reflect evolving threats and operational realities, aligning to the Directive on Security Management and the Policy on Government Security.

The standard’s primary purpose is to answer three fundamental questions for every federal system: (1) What risk level is acceptable? (2) What security controls are needed to maintain that risk level? (3) How do we continuously validate those controls are working? ITSG-33 accomplishes this through a prescribed risk management process that spans system conception through decommissioning. It is not simply a control checklist; it is a risk governance and assurance framework.

For vendors and service providers, ITSG-33 is the standard that governs all federal IT procurement security requirements. When a GC department issues an RFP, the security evaluation criteria are drawn from ITSG-33. Submitting a proposal without demonstrating alignment to ITSG-33 is a near-certain disqualifier, as the contracting authority must ensure the procured system meets the GC’s baseline security posture as defined by ITSG-33 and its companion Baseline Control Profiles.

The ITSG-33 Suite: Documents and Components

ITSG-33 is not a single document but a suite of interconnected components. Understanding how these parts fit together is critical to applying the standard correctly.

Core Documents in the ITSG-33 Suite

ITSG-33 Overview and Main Body (Volume 1): This is the policy and conceptual anchor. It describes the lifecycle risk management framework, defines key roles (e.g., Departmental Security Officer, Senior Official for Security, IT Security Coordinator), and outlines the mandatory risk management process. It does not list controls itself but directs the user to Volume 2 and Volume 3 for control selection and architecture guidance.

ITSG-33 Catalogue of Security Controls (Volume 2): This volume is the heart of the standard for most practitioners. It contains the full control catalog, structured into 18 control families (e.g., Access Control, Audit and Accountability, Configuration Management, Incident Response, Risk Assessment, System and Services Acquisition). Each control includes a control number, control name, control text, supplemental guidance, and control enhancements (for higher impact levels). Critically, this catalog is directly based on the NIST SP 800-53 Rev. 4 control definitions, with modifications to suit Canadian federal legal requirements (e.g., references to the Privacy Act, the Access to Information Act, and the Treasury Board Secretariat’s policies). The catalog includes over 900 base controls and enhancements across all impact levels.

ITSG-33 Security Architecture Guide (Volume 3): This volume provides guidance on how to design secure architectures that implement the controls from Volume 2. It describes common GC IT security architecture patterns, including network segmentation approaches, identity management federation (using GC’s common authentication schemes), and data classification handling. It is less prescriptive than Volume 2 but essential for architects and system integrators.

ITSG-33 Baseline Control Profiles (Annex): The CCCS also publishes pre-defined “baseline” control profiles for common system types (e.g., web application, database server, network infrastructure, generic end-user system). These profiles assign specific controls at specific impact levels to save organizations from reinventing the wheel for standard system types. There are currently three GC Baseline Control Profiles: LOW, MEDIUM, and HIGH impact, mapping directly to the three impact levels used in the Security Categorization process.

Security Categorization and Impact Levels

Before selecting controls, each system must be categorized based on the potential impact of a security breach—loss of confidentiality, integrity, or availability (CIA). The impact levels are LOW, MEDIUM, and HIGH.

The categorization is performed using the methodology in ITSG-33 Volume 1, which draws heavily on the FIPS 199 / NIST SP 800-60 approach but adapted for Canadian federal context. The resulting impact level drives the stringency of the control baseline selected from Volume 2.

How ITSG-33 Differs from NIST SP 800-53 and ISO 27001

Canadian security professionals often ask: why not just use NIST or ISO? The answer lies in the GC’s unique legal and policy environment.

Comparison by aspect:

Governing Authority
  • ITSG-33 (GC): Treasury Board Secretariat / CCCS
  • NIST SP 800-53 (US Federal): NIST / FISMA / OMB
  • ISO/IEC 27001 (International): ISO / independent certification bodies

Legal Mandate
  • ITSG-33 (GC): Policy on Government Security, Directive on Security Management, Privacy Act, Access to Information Act
  • NIST SP 800-53 (US Federal): FISMA, OMB A-130, Privacy Act (US), Executive Orders
  • ISO/IEC 27001 (International): No direct legislative mandate; contractual or market-driven

Control Catalog
  • ITSG-33 (GC): Baseline = NIST 800-53 Rev. 4, tailored with GC-specific additions and policy references
  • NIST SP 800-53 (US Federal): NIST 800-53 Rev. 5 (latest); independent, evolving catalog
  • ISO/IEC 27001 (International): Annex A controls (114 controls in 14 domains, primarily ISMS-level)

Certification Model
  • ITSG-33 (GC): GC internal accreditation; no third-party certification path (as of 2025)
  • NIST SP 800-53 (US Federal): FedRAMP + internal ATO processes; continuous monitoring
  • ISO/IEC 27001 (International): Third-party ISMS certification (ISO/IEC 27006)

Risk Management Approach
  • ITSG-33 (GC): Lifecycle, process-oriented (Volume 1); integrated with security architecture (Volume 3)
  • NIST SP 800-53 (US Federal): Risk Management Framework (RMF) — 7-step process, deeply integrated with system development lifecycle
  • ISO/IEC 27001 (International): Plan-Do-Check-Act cycle, organization-level ISMS focus

The most important practical difference is that ITSG-33 requires alignment to GC-specific policies that have no direct NIST or ISO equivalent. For example, ITSG-33 controls may mandate compliance with the Directive on Privacy Practices or the Government of Canada Identity and Credential Management Standard. These are not found in generic frameworks. Additionally, ITSG-33 uses a system-level accreditation model where DSOs authorize system operation based on residual risk acceptance, rather than the third-party certification model common in ISO 27001.

Who Must Comply with ITSG-33?

Compliance with ITSG-33 is not optional for a specific and broad set of entities.

Directly obligated: All Government of Canada departments and agencies listed in Schedules I, I.1, and II of the Financial Administration Act. This includes major departments like Public Services and Procurement Canada (PSPC), National Defence, Health Canada, and the Canada Revenue Agency. Also included are separate agencies like the Canadian Space Agency and the National Research Council. Every GC information system—from email systems to mission-critical operational systems—must be managed under ITSG-33.

Contractually obligated (indirectly): Any organization that provides IT products, services, or managed solutions to the GC. This includes:

Provincial/municipal organizations: While ITSG-33 is a federal standard, many Canadian provinces and large municipalities (e.g., Ontario, British Columbia, City of Toronto) have adopted ITSG-33 or aligned their own IT security frameworks to it. Organizations meeting provincial security requirements will often find their controls closely mirror ITSG-33.

Implementing ITSG-33: A Practical Approach

Implementing ITSG-33 requires a systematic, lifecycle-focused effort. Based on our experience at CyberSilo helping Canadian federal system integrators and service providers achieve compliance, we recommend the following structured approach.

1. System Categorization and Impact Assessment

Start by performing a formal security categorization of your system using the process in ITSG-33 Volume 1. Gather system stakeholders—business owners, IT architects, privacy officers—and evaluate the potential impact of a CIA breach against the LOW/MEDIUM/HIGH definitions. Document the rationale and secure sign-off from the Senior Official for Security (SOS) or equivalent. This categorization drives everything downstream.

2. Baseline Control Selection

Using the CCCS Baseline Control Profiles (Annex) matching your system type and impact level, select the initial set of controls from ITSG-33 Volume 2. Do not attempt to apply all 900+ controls—only the baseline relevant to your categorization. If your system has unique characteristics (e.g., contains very sensitive personally identifiable information under PIPEDA or Quebec Law 25), you may need to add controls or control enhancements beyond the baseline. Document every tailored control selection in a System Security Plan (SSP).

3. Security Architecture Design

Reference ITSG-33 Volume 3 to design an architecture that implements the selected controls. This includes network segmentation (e.g., using the GC Enterprise Network standard), identity management (e.g., alignment with GC’s federation standards), encryption standards, and logging/auditing configuration. For cloud services, ensure alignment with the GC Cloud Adoption Strategy and the CCCS Cloud Risk Assessment guidance. At this stage, a maturity assessment against the CCCS Baseline Controls is highly valuable.

4. Implementation and Evidence Collection

Implement the controls and begin collecting evidence of operation. This is where automation becomes critical. Manual evidence collection for hundreds of controls is unsustainable and error-prone. Most high-functioning GC programs use automated compliance platforms to generate control evidence continuously. At CyberSilo, our Compliance Standards Automation platform is designed to integrate with GC IT environments and produce ready-for-audit evidence aligned to ITSG-33 Volume 2 control requirements.

5. Testing and Accreditation

The DSO will require evidence that the controls are implemented correctly and operating effectively. This includes vulnerability scans, penetration tests, configuration audit tests, and often a formal independent assessment by a CCCS-approved third-party assessor (if required by the contract or system impact level). The DSO then conducts a residual risk assessment and issues the Authorization to Operate (ATO) or Interim ATO. Continuous monitoring is required post-ATO—this is where a SIEM solution like ThreatHawk SIEM can provide automated, real-time compliance monitoring aligned to ITSG-33 audit logging and monitoring controls.

Common Challenges in ITSG-33 Compliance

Even experienced security teams face obstacles when operationalizing ITSG-33:

Compliance note for contractors: If you are bidding on a GC contract, ensure your System Security Plan (SSP) and control evidence are prepared before submission. The PSPC (Public Services and Procurement Canada) evaluation criteria heavily weight demonstrated security capability. A strong ITSG-33-aligned SSP significantly increases your competitive advantage. Consider engaging CyberSilo for a Compliance Assessment early in the RFP process.

What Is the Relationship Between ITSG-33 and CCCS Baseline Controls?

The CCCS Baseline Controls are not a separate standard—they are an implementation subset of ITSG-33. Specifically, the CCCS publishes a set of Baseline Control Profiles (one for LOW, MEDIUM, and HIGH impact) that identify the minimal set of controls from ITSG-33 Volume 2 that every system at that impact level must implement. They are “baseline” in the sense that they represent the starting point. Organizations can add controls above the baseline (e.g., for system-specific risks or contractual requirements) but cannot subtract any control from the baseline.

For example, the CCCS Baseline Control Profile for MEDIUM includes specific control families like Access Control (AC-1 through AC-25 plus select enhancements), Audit and Accountability (AU-1 through AU-16), and Incident Response (IR-1 through IR-10). The profile also references which enhancements are mandatory. For IT vendors and federal system integrators, the CCCS Baseline Controls are often the primary document referenced in RFPs and security evaluation criteria, as they provide a defined “minimum bar” that procurement evaluators can assess.

It is critical to note that the CCCS Baseline Controls are higher than many commercial standards in stringency. For instance, the MEDIUM baseline includes multifactor authentication requirements (IA-3) and malicious code protection (SI-3) that exceed what is found in common SOC 2 Level 2 criteria.
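The categorization step (step 1 above) and the baseline rule just described (controls may be added above the baseline with a rationale, but never subtracted) as one worked check. This is an added example, not CCCS or CyberSilo code: the control IDs, profiles and SSP are constructed samples rather than the real CCCS Baseline Control Profiles, and combining the C/I/A impacts with the FIPS 199 high-water-mark rule is an assumption.

```python
"""ITSG-33 SSP tailoring check: added illustration, not CCCS or CyberSilo code.
Assumes the impact level is the highest C/I/A impact (FIPS 199 high-water
mark) and that tailoring may add controls with a rationale but never remove
a baseline control. Profiles are constructed samples, not real CCCS ones.
"""
import re

LEVELS = ("LOW", "MEDIUM", "HIGH")
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")

# Constructed sample profiles: a few control IDs per impact level.
BASELINE_PROFILES = {
    "LOW": {"AC-1", "AC-2", "AU-1", "AU-2", "IR-1", "IR-4", "SI-3"},
    "MEDIUM": {"AC-1", "AC-2", "AC-2(1)", "AU-1", "AU-2", "AU-6",
               "IR-1", "IR-4", "IR-4(1)", "SI-3", "SI-3(1)"},
    "HIGH": {"AC-1", "AC-2", "AC-2(1)", "AC-2(2)", "AU-1", "AU-2", "AU-6",
             "AU-6(1)", "IR-1", "IR-4", "IR-4(1)", "IR-4(4)", "SI-3",
             "SI-3(1)", "SI-3(2)"},
}

# Constructed SSP selection (control ID -> rationale, "" for a baseline pick):
# drops AU-6, adds SC-7 with a reason, adds IA-2(1) without its base control
# or a reason, and contains one malformed ID.
SAMPLE_SSP = {
    "AC-1": "", "AC-2": "", "AC-2(1)": "", "AU-1": "", "AU-2": "",
    "IR-1": "", "IR-4": "", "IR-4(1)": "", "SI-3": "", "SI-3(1)": "",
    "SC-7": "Internet-facing; boundary protection required by contract",
    "IA-2(1)": "", "bogus": "",
}


def categorize(confidentiality, integrity, availability):
    """Return the system impact level under the high-water-mark rule."""
    ratings = (confidentiality, integrity, availability)
    for rating in ratings:
        if rating not in LEVELS:
            raise ValueError(f"unknown impact level: {rating}")
    return max(ratings, key=LEVELS.index)


def base_of(cid):
    """'AC-2(1)' -> 'AC-2'; a base control maps to itself."""
    family, number, _ = CONTROL_ID.match(cid).groups()
    return f"{family}-{number}"


def check_tailoring(impact_level, ssp_controls, profiles=BASELINE_PROFILES):
    """Compare an SSP's control selection with the baseline for its level;
    empty 'removed', 'undocumented' and 'orphan_enhancements' mean the
    tailoring is acceptable, and 'added' lists every control above baseline."""
    baseline = profiles[impact_level]
    findings = {"malformed": sorted(c for c in ssp_controls
                                    if not CONTROL_ID.match(c))}
    selected = set(ssp_controls) - set(findings["malformed"])
    # Rule 1: every baseline control must survive tailoring (no subtraction).
    findings["removed"] = sorted(baseline - selected)
    # Rule 2: anything above the baseline needs a recorded rationale.
    findings["added"] = sorted(selected - baseline)
    findings["undocumented"] = [c for c in findings["added"]
                                if not ssp_controls[c].strip()]
    # Rule 3: an enhancement is only valid if its base control is selected.
    findings["orphan_enhancements"] = sorted(
        c for c in selected if base_of(c) != c and base_of(c) not in selected)
    return findings
```

Running `check_tailoring(categorize("LOW", "MEDIUM", "LOW"), SAMPLE_SSP)` reports AU-6 as removed, IA-2(1) as undocumented and orphaned, and "bogus" as malformed, which is the kind of finding a DSO would expect an SSP review to surface before accreditation.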

How CyberSilo Helps Canadian Organizations Achieve ITSG-33 Compliance

Implementing ITSG-33 is a complex, multi-year effort for many organizations. At CyberSilo, we specialize in helping federal departments, contractors, and system integrators operationalize the standard—not just pass a point-in-time assessment, but build a sustainable compliance program.

Our Compliance Standards Automation platform is purpose-built to combat the biggest compliance challenge: evidence collection and control lifecycle management. The platform maps automatically to all ITSG-33 Volume 2 controls and CCCS Baseline Profiles, ingests data from your IT environment (cloud, on-premise, hybrid), performs automated control checks, and produces audit-ready reports. This shrinks the evidence-gathering cycle from months to days.

We also offer managed services to support your compliance journey:

Ready to Operationalize ITSG-33 for Your Organization?

Stop treating compliance as a one-time checkbox. CyberSilo’s compliance and SIEM solutions make ITSG-33 continuous, auditable, and sustainable. Whether you are a GC department upgrading your ATO or a contractor preparing for a major bid, we deliver the expertise and automation you need.

Frequently Asked Questions About ITSG-33

What is the difference between ITSG-33 and CCCS Baseline Controls?

ITSG-33 is the full standard suite (risk management framework, control catalog, architecture guide) while the CCCS Baseline Controls are a pre-defined subset of controls from ITSG-33 Volume 2, organized by impact level. You must use the full ITSG-33 framework to understand how to apply the controls, but the baseline controls tell you which controls are mandatory for your system’s impact level.

Is ITSG-33 mandatory for all Canadian companies?

No. ITSG-33 is mandatory only for federal government departments and agencies. However, it is contractually required for any organization providing IT services, products, or solutions to the Government of Canada. Provincial governments and private sector organizations often adopt ITSG-33 voluntarily or align to it due to its rigorous baseline.

Can I use ISO 27001 instead of ITSG-33?

Not for federal compliance. While ITSG-33 draws from ISO 27001 and NIST, it contains GC-specific controls (e.g., references to the Privacy Act, the Access to Information Act, the Directive on Security Management) that ISO 27001 does not address. The GC requires ITSG-33 alignment; ISO 27001 certification can complement but not replace it.

How long does it take to become ITSG-33 compliant?

For a well-resourced organization with a mature security program, the initial categorization, control selection, and implementation typically takes 6–12 months for a LOW or MEDIUM impact system. HIGH impact systems, especially those with many control enhancements and complex architectures, can take 18–24 months. Using automation and experienced partners can significantly compress this timeline.

Does the CCCS certify organizations under ITSG-33?

As of 2025, there is no third-party certification model for ITSG-33 like there is for ISO 27001. Compliance is assessed through the GC’s internal accreditation process, where the Departmental Security Officer (DSO) authorizes the system to operate (ATO). Some programs, like the GC’s Protected Cloud certification, use ITSG-33 as the basis for cloud service provider evaluation, but they result in a use-case authorization, not a blanket certification.

What happens if a GC contractor is not compliant?

If an organization that has bid on a GC contract cannot demonstrate ITSG-33 compliance, the contracting authority may disqualify the bid or impose remedial conditions. For existing contractors, non-compliance can result in work stoppage, contract termination, or being placed on procurement risk lists that affect future bids. The GC takes non-compliance seriously—especially in the wake of supply chain attacks targeting Canadian federal systems.

Our Conclusion & Recommendation


ITSG-33 is not just a standard—it is the authoritative governance framework for IT security across the Government of Canada. For federal departments, it is mandatory. For contractors, it is the price of entry. For provincial organizations and forward-looking private firms, it represents a gold-standard approach to risk management that surpasses most commercial frameworks in rigor.

The mistake many organizations make is treating ITSG-33 compliance as a one-time hurdle, rather than a continuous operational capability. The standard’s lifecycle approach demands ongoing monitoring, evidence collection, and control validation. Attempting to manage this manually, with 170+ controls (even at MEDIUM), is a recipe for audit failure and operational risk. CyberSilo’s Compliance Standards Automation platform provides the intelligent automation layer that transforms ITSG-33 from a compliance burden into a sustainable security capability, integrating seamlessly with ThreatHawk SIEM for real-time control evidence and continuous monitoring. For Canadian organizations serious about doing business with the Government of Canada, this is the most effective path to enduring compliance.

Take the first step today. Contact CyberSilo for a readiness assessment and see exactly where your organization stands against the CCCS Baseline Control Profiles.

Get Your ITSG-33 Compliance Assessment

Understand your current posture against CCCS Baseline Controls and develop a clear roadmap to compliance—optimized for federal procurement success.
