What are the CCCS Baseline Controls?

The Canadian Centre for Cyber Security publishes 13 baseline controls that define the minimum cybersecurity posture every Canadian organization should maintain. Here's what each control covers and what it takes to implement.

By Ashu Arun Sethi

The Canadian Centre for Cyber Security (CCCS) publishes a set of baseline controls that define the minimum cybersecurity posture every Canadian organization should maintain. There are 13 core controls. They are not a legal requirement for most businesses, but they form the foundation of CPCSC Level 1 and are the benchmark most government and regulated-sector contracts are measured against. Here's what each control covers and what it takes to implement.

Who publishes these controls and why they matter

The Canadian Centre for Cyber Security (CCCS) is Canada's national authority on cybersecurity. It sits within the Communications Security Establishment (CSE) and is the Canadian equivalent of the U.S. CISA.

The CCCS Baseline Controls (published as ITSAP.10.096 and referenced in ITSP.10.171) are the minimum controls the CCCS recommends for all Canadian organizations. They cover what the CCCS considers to be the fundamentals: the controls that, if absent, leave you highly vulnerable to the most common attacks.

For defence suppliers, these controls form the foundation of CPCSC Level 1. For any Canadian SMB, they are a useful benchmark to assess where you stand.

The 13 baseline controls

  1. Develop an incident response plan: know what you'll do before an incident happens. Write the plan, name the owners, and keep contact lists current.
  2. Automatically patch operating systems: keep operating systems up to date automatically. Unpatched systems are the most common attacker entry point.
  3. Automatically patch applications: patch browsers, email clients, and productivity tools automatically. Application vulnerabilities are exploited just as often as operating system vulnerabilities.
  4. Enable automatic backups: back up data automatically and test the restore process. Backups should be isolated from your main network so ransomware can't reach them.
  5. Enable multi-factor authentication: require a second factor for all accounts that access sensitive systems or data. Passwords alone are not enough.
  6. Apply strong authentication to privileged accounts: extend MFA to all administrative and privileged access. The most powerful accounts need the strongest authentication.
  7. Apply least privilege access: give users, contractors, and applications only the access they need. Review access regularly and revoke it when it is no longer needed.
  8. Encrypt sensitive data at rest: data stored on devices, servers, or cloud storage should be encrypted, so that data on a lost or stolen device stays unreadable.
  9. Encrypt data in transit: data moving between systems should use TLS or HTTPS. Unencrypted data in transit can be intercepted.
  10. Enable security logging: log authentication events, access to sensitive systems, and configuration changes. Logs are what tell you what happened during an incident.
  11. Centrally monitor security logs: don't just collect logs, review them. Set up alerts for suspicious patterns. Without review, logs are just storage.
  12. Establish a secure configuration baseline: define a standard, secure configuration for devices and systems. Apply it to every new device and document it.
  13. Train employees on cybersecurity: run regular security awareness training. Phishing is the leading attack vector, and trained employees are your first line of defence.

How to assess your compliance

Going through this list and honestly answering whether each control is implemented is a good starting point. Most Canadian SMBs are partially compliant: some controls in place, others missing.

The most common gaps are centralized log monitoring (control 11), a documented incident response plan (control 1), and a formal secure configuration baseline (control 12).

If you are preparing for CPCSC Level 1, mapping your posture against these 13 controls is the first step. The gap between where you are and where Level 1 requires you to be becomes your implementation plan.

HuCortex maps your posture against the CCCS baseline controls as part of CPCSC readiness assessments and BYOE contractor governance reviews.

Ready to take the next step?

HuCortex works with Canadian businesses on CPCSC readiness, PIPEDA compliance, and managed security. Start with a free assessment.