Cyber Maturity Self Assessment

From wiki
Jump to navigation Jump to search
CSAP picture.png

Disclaimer: The Cyber Maturity Self-Assessment tool is only available internally to Government of Canada.


  • To provide departments and agencies with an easy to use tool to enable a better understanding of their cyber security maturity posture.
  • A repeatable and uniform self-assessment based on the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF).

Departmental Benefits & Outcomes


Risk Management

  • Ensure that enterprise cyber risks are being adequately managed

Response Time

  • Increase response time to potential risks by ensuring a secure and resilient enterprise infrastructure that enables the trusted delivery of programs and services

Cost and Time Saving

  • Reducing the cost and time spent in assessing cyber security maturity through other means (e.g., third party assessors). The CSM self-assessment is expected to take a few hours to complete and will be at no additional cost to departments and agencies.


Prioritize Actions

  • Identify areas that require improvement and prioritize future actions

Continual assessment

  • Continually reassess maturity using departmental results as a baseline

Ongoing dialogue

  • Continue the open dialogue to foster greater collaboration across the GC and to ensure that best practices within the security community are being leveraged.

Framework Overview



"Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."

  • Asset Management (ID.AM)
  • Business Environment (ID.BE)
  • Governance (ID.GV)
  • Risk Assessment (ID.RA)
  • Risk Management Strategy (ID.RM)
  • Supply Chain Risk Management (ID.SC)


"Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."

  • Access Control (PR.AC)
  • Awareness and Training (PR.AT)
  • Data Security (PR.DS)
  • Information Protection Processes and Procedures (PR.IP)
  • Maintenance (PR.MA)
  • Protective Technology (PR.PT)


"Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."

  • Anomalies and Events (DE.AE)
  • Security Continuous Monitoring (DE.CM)
  • Detection Processes (DE.DP)


"Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."

  • Response Planning (RS.RP)
  • Communications (RS.CO)
  • Analysis (RS.AN)
  • Mitigation (RS.MI)
  • Improvements (RS.IM)


"Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event."

  • Recovery Planning (RC.RP)
  • Improvements (RC.IM)
  • Communications (RC.CO)


Other Relevant Wikis on Cyber Security