Understand the framework, implement the 12 controls, and demonstrate your commitment to cybersecurity, without needing an enterprise security team.
Cyber threats are increasingly targeting small and medium businesses across Canada. Ransomware, phishing attacks, and data breaches can disrupt operations, expose sensitive information, and damage customer trust.
CAN/DGSI:104 was created to help organizations address these risks by defining a practical baseline for cybersecurity. It outlines the essential security practices businesses should implement to protect their systems, their data, and their operations.
This guide explains what CAN/DGSI:104 is, who it applies to, and how organizations can begin implementing the security controls it recommends.
A Canadian cybersecurity framework that outlines the basic security practices organizations should implement to protect their systems, data, and operations from cyber threats.
CAN/DGSI:104 was designed to give small and medium businesses a practical set of cybersecurity controls they can realistically implement without needing a large security team. The framework focuses on the most common cyber threats businesses face today.
Rather than prescribing specific technologies, CAN/DGSI:104 defines the types of security controls an organization should have in place. These controls cover areas such as:
The goal is to help organizations establish a reliable foundation for cybersecurity.
The framework was designed primarily for small and medium organizations operating in Canada across a wide range of industries that rely on technology to run their operations and manage data.
Law firms, consultancies, accounting firms, and other professional service providers that manage client information.
Medical practices and health services that store sensitive patient data requiring strong cybersecurity protections.
Accounting firms, financial advisors, and other companies managing sensitive financial information.
Firms managing project data, contracts, and operational systems that depend on technology.
Businesses with operational technology and supply chain systems that require protection from cyber threats.
Organizations handling customer data, payment information, and online transaction systems.
Software companies, MSPs, and IT providers responsible for protecting client systems and data.
Charities and non-profits that manage donor data and must maintain the trust of stakeholders.
Note: Many businesses also implement the framework because their customers, partners, or insurance providers expect them to maintain reasonable cybersecurity protections. As cybersecurity expectations continue to increase, frameworks like CAN/DGSI:104 help organizations demonstrate that they take security seriously.
Cyber attacks increasingly target small and medium organizations because they often lack dedicated cybersecurity resources. Many businesses rely on basic IT protections that were never designed to defend against modern threats.
CAN/DGSI:104 was created to address this gap by providing a clear and practical baseline for cybersecurity that organizations can implement regardless of their size.
CAN/DGSI:104 gives organizations a structured starting point for improving their security posture.
CAN/DGSI:104 itself is not a mandatory regulation. However, many organizations adopt the framework because it supports the CyberSecure Canada certification program and demonstrates responsible cybersecurity practices to customers, partners, and insurers.
As cyber threats continue to grow, many businesses find that clients, partners, and insurers increasingly expect documented security practices, making frameworks like CAN/DGSI:104 effectively required by market expectations.
The following cybersecurity protection model layers work together to protect a business.
CAN/DGSI:104 promotes a layered approach where multiple protections work together.
CAN/DGSI:104 promotes a defense-in-depth approach to cybersecurity. This approach recognizes that cyber threats may target people, devices, accounts, networks, and data. By implementing security protections across multiple layers of the organization, businesses can significantly reduce the likelihood and impact of cyber incidents.
The framework focuses on practical protections that help organizations defend against common threats such as phishing attacks, ransomware, credential theft, and system compromise.
Employees are often the first target. Phishing simulations, awareness training, and acceptable use policies reduce the risk of human error enabling attacks.
Multi-factor authentication, strong passwords, and role-based access control protect accounts from unauthorized access, making this one of the most critical controls.
Malware detection, device encryption, host firewalls, and device monitoring secure laptops, desktops, servers, and mobile devices against compromise and unauthorized access.
Email filtering, phishing detection, attachment scanning, and domain authentication block malicious messages before they reach users.
Firewalls, secure remote access, network segmentation, and intrusion monitoring prevent unauthorized access to the internal network.
Regular backups, offsite storage, backup testing, and data encryption ensure business continuity if systems become unavailable.
Log collection, 24/7 threat detection, security alerts, and investigation of unusual activity enable early detection and rapid response to attacks.
Documented procedures, communication plans, recovery processes, and post-incident review help organizations respond quickly to cyber incidents.
Cyber incidents can have significant consequences for businesses. A successful attack may lead to operational downtime, loss of sensitive data, financial loss, and reputational damage.
Implementing the controls outlined in CAN/DGSI:104 helps organizations build resilience against cyber threats. These protections are explained in detail in the Security Controls Guide.
The framework focuses on security practices that address the most common attack methods used by cybercriminals, significantly lowering the chances of successful attacks.
Customers increasingly expect organizations to protect their information. Demonstrating recognized cybersecurity practices strengthens confidence in your services.
Many larger organizations now evaluate the cybersecurity practices of their vendors. Implementing recognized controls helps you meet these expectations.
Cyber incidents cannot always be prevented, but organizations that prepare in advance are far better equipped to respond and recover quickly.
Many organizations believe they already have adequate protections in place, but common gaps often remain.
CAN/DGSI:104 helps organizations identify and address these gaps by providing a clear set of baseline cybersecurity controls.
We've organized the CAN/DGSI:104 requirements into 12 practical areas to help you understand what's involved.
CAN/DGSI:104 can be understood through a set of core cybersecurity control areas that organizations should implement to build a strong security foundation.
These controls represent the essential components of a modern cybersecurity program.
Clear cybersecurity policies defining acceptable use, password requirements, and incident response procedures.
Maintain an inventory of all devices, systems, applications, and data used in your environment.
Role-based access, multi-factor authentication, and strong password policies prevent unauthorized access.
Endpoint protection technologies detect and prevent malicious activity and unauthorized access on computers and mobile devices.
Regular updates to operating systems and applications address known security vulnerabilities.
Email filtering, anti-phishing tools, and attachment scanning block malicious messages before they reach users.
Training programs help staff recognize phishing attacks, social engineering, and other human-targeted threats.
Secure backups and regular recovery tests ensure operations can be restored quickly following ransomware attacks or system failures.
Firewalls and other controls prevent unauthorized network access and monitor network activity.
24/7 monitoring of systems for signs of suspicious activity enables early attack detection and faster response.
A clear plan defines how incidents are detected, reported, contained, and resolved.
Cloud services must be configured securely and monitored to prevent unauthorized access or data exposure.
Organizations that want to begin implementing the framework can start with a few key steps. These foundational protections address many of the most common attack methods used against businesses today.
To help organizations implement the framework, this site provides several additional guides and tools.
A detailed checklist covering all 12 control areas. Use it to identify gaps in your current protections and track your progress.
Detailed explanations of each of the 12 security controls: what they protect against, key practices, and how organizations implement them.
A practical, step-by-step guide for implementing CAN/DGSI:104 controls in your organization, including a typical implementation timeline.
A 21-question assessment aligned with Annex B of CAN/DGSI:104 that evaluates your cybersecurity practices and provides a personalized readiness score with recommendations.
Learn about the Government of Canada's national cybersecurity certification program and how CAN/DGSI:104 supports certification.
Links to official sources, related frameworks, and additional reading to support your cybersecurity program.
Take our free CAN/DGSI:104 Readiness Assessment and receive a personalized report on your organization's cybersecurity strengths and gaps.