Baseline Cyber Security Controls for Small and Medium Organizations (CCCS) — v1.2

Canadian Centre for Cyber Security baseline controls for small and medium organizations—practical cyber security guidance for SMEs, published by the Government of Canada.

The Canadian Centre for Cyber Security (Government of Canada) published this guide to help small and medium organizations improve cyber security in a practical, achievable way. It is written for the real world: lean teams, busy operations, limited time, and technology that has to keep working. Instead of aiming for perfection, the document sets out a baseline—an “80/20” set of controls that can significantly reduce common cyber risks without requiring a full-time security department or enterprise-grade complexity.

For many organizations, cyber security guidance can feel like it was written for large companies with dedicated specialists. This publication takes a different approach. It focuses on the essentials that most organizations can implement, maintain, and measure. The goal is straightforward: strengthen resilience, reduce exposure to common threats, and improve the organization’s ability to respond and recover when something goes wrong. In other words, it is less about chasing the latest security tool and more about building dependable habits that prevent the most frequent and costly problems.

The document is best understood as a roadmap for cyber security fundamentals. It provides a structured overview of the areas that matter most, helping organizations prioritize work and avoid getting stuck on low-impact projects. It also offers a common language for leadership and technical staff to talk about risk, accountability, and progress. That is especially valuable for small and medium businesses, where cyber security responsibilities may be shared across roles, and where decisions must balance protection with operational reality.

A major theme throughout the guide is preparedness. The publication emphasizes that organizations should plan for cyber incidents before they happen, not after. It highlights the value of knowing who is responsible for what, how decisions will be made under pressure, and what steps will be taken to contain an issue and restore normal operations. For small organizations, this planning is not bureaucracy—it is a practical way to avoid confusion when time is limited and the stakes are high. The baseline approach supports readiness that is simple, documented, and usable, rather than overly detailed plans that no one can execute.

The guide also reinforces the importance of core technical hygiene. Many successful attacks rely on predictable weaknesses: unpatched systems, misconfigured devices, weak passwords, reused credentials, or excessive access rights. Rather than treating these as unavoidable, the baseline controls present them as addressable priorities. The document encourages routine maintenance and consistent safeguards that reduce the likelihood of compromise and lower the impact of mistakes. The emphasis is on repeatable practices—controls that work quietly in the background day after day and form a stable foundation for the rest of the environment.

Identity and access are treated as central to modern security. That reflects the way most incidents unfold today: attackers often do not “hack in” so much as they log in using stolen or abused credentials. The baseline controls therefore place strong attention on securing user accounts and administrative access, strengthening authentication, and keeping access to critical systems appropriately limited. For organizations using cloud services, this focus is even more important, since email, file storage, and business applications are often the core of daily operations and a primary target for attackers.

From there, the publication expands to cover the organization’s exposure to the internet and the safety of remote connectivity. Small and medium organizations frequently rely on remote access, managed services, and online tools. That convenience can become a weakness if the network boundary is poorly protected or if remote connections are not adequately secured. The document describes baseline expectations for perimeter defenses and safer remote access, reflecting a simple principle: reduce the number of easy pathways into the business, and ensure that access to critical systems is protected to an appropriate standard.

Another key focus is business continuity and recovery. Even strong preventive controls cannot eliminate risk entirely, particularly when threats are persistent and financially motivated. The baseline controls therefore emphasize resilience: reliable backups, protected information, and the ability to restore systems and data when required. For many small and mid-sized organizations, this is one of the most important strategic points in the entire document. Strong recovery capability can turn a serious incident into a manageable disruption, while poor recovery planning can turn the same incident into long-term downtime, significant cost, or permanent damage to customer trust.

The guide also recognizes that modern businesses depend on third parties—cloud platforms, hosted services, vendors, and managed providers. Outsourcing can strengthen capability, but it does not eliminate accountability. The baseline controls take a practical view of third-party risk and cloud security: understand what services you rely on, ensure that administrative access is protected, and apply reasonable due diligence so that critical systems are not treated as a blind spot. This part of the document helps organizations think clearly about responsibility in a supply-chain environment where services are shared and boundaries are less visible.

Website security and internet-facing services are also part of the baseline view. For organizations that publish online content, run web applications, or depend on external-facing systems, weaknesses can quickly become public and costly. The guide’s baseline framing supports the idea that web and cloud systems should not be treated as separate from “IT security.” For many organizations, web presence and cloud identity are the business. The baseline controls help readers treat those systems with appropriate seriousness, without requiring specialized language or advanced security concepts to get started.

What makes this document useful as a public reference is its balance. It does not attempt to be a complete security framework or a compliance standard. It is intended to be a baseline—an on-ramp that helps organizations establish a credible minimum level of protection. That makes it well-suited for organizations that want to improve quickly, reduce obvious weaknesses, and build a plan that can be implemented in stages. For teams that already follow formal standards, it can still serve as a concise checklist to confirm that fundamentals are covered and that the organization has not missed critical basics while pursuing more complex initiatives.

Organizations often ask the same questions when they begin improving cyber security: Where do we start? What matters most? What is realistic for our size? This guide is designed to answer those questions in a way that is accessible, structured, and practical. It supports clear prioritization, incremental improvement, and measurable progress. The result is a baseline that can guide security planning, budgeting, and operational routines—without overwhelming the reader.

This is a public document intended for broad distribution and citation. Document status: UNCLASSIFIED (TLP:WHITE). Publisher: Canadian Centre for Cyber Security, Government of Canada. Intended audience: small and medium organizations.

• Click here to download