The Canadian Cyber Security Tool

The Canadian Cyber Security Tool (CCST) and The Canadian Cyber Security Tool 2.0 (CCST 2.0) are virtual self-assessment tools developed by Public Safety Canada (PS) in collaboration with the Communications Security Establishment and its Canadian Centre for Cyber Security (Cyber Centre). The tools are specifically designed for Canadian Critical Infrastructure (CI) owners and operators to take part in voluntary, short, and easy to use self-assessments that provides the participant with an overview of their organization's operational resilience and cyber security posture, as well as comparative results across their sector.

CCST and CCST 2.0

The original CCST is designed for organizations that wish to perform a basic virtual assessment of their cyber security resiliency. It consists of 38 questions and provides an assessment of the organization's technical and program approach to cyber security. Approximate time to complete is one hour.

The CCST 2.0 is a "deeper dive" into the organizational approach to cyber security. It includes an expanded overall set of just over 100 targeted questions designed to assess the organization's technical and program approaches to cyber security. In addition, it provides direct mapping to the National Institute for Standards and Technology (NIST) cyber security framework, with additional ratings for each NIST function. Approximate time to complete is two hours.

Who can take part in the self-assessment

The CCST was created specifically with Canadian CI owners and operators in mind. If you would like to know if your organization falls within this CI category, please see Critical Infrastructure Partners for more information.

How they work

The CCST and the CCST 2.0 are assessments of an organization's programs and practices that includes questions related to cyber incidents the organization has experienced, as well as questions related to technical and program resilience.

Each self-assessment is divided into specific and clearly defined categories that are complemented by supporting web links that provide additional guidance and information.

Adding on to the success of the CCST, the CCST 2.0 presents the respondent with a series of questions and a group of associated answers for each of the questions. Each of the chosen answers will aid in indicating the organization's overall level of cyber resiliency. Once the survey is submitted, a report will be provided within five business days.

After the self-assessment

Upon completion, participants will receive a report which will provide them with advice and guidance related to each cyber security theme discussed throughout the tool. Participants will also receive a score, based on comparative results from other organization's responses.

How it helps your organization

In addition to post-self-assessment results and a comparative overview of the organization's cyber security posture, participants will also receive advice and guidance related to improving their cyber security resiliency in relation to the assessed areas.

Once completed, the results will be used to understand the cyber security posture of Canadian industries, and assist PS and the Cyber Centre in tailoring the next generation of products and services to address the cyber security needs of Canada's Critical Infrastructure.

To request access to the CCST or the CCST 2.0

If you think your organization would benefit from the CCST or a more in-depth assessment like the CCST 2.0, please contact us to request a username and password or for additional information.

The results of this self-assessment will be made available only to designated members of Public Safety Canada and the Canadian Centre for Cyber Security, who are responsible for program administration and the development of the national cyber security database.

All self-assessment responses will be treated as confidential, but will remain subject to the provisions of the Access to Information Act.

With those obligations in mind, the self-assessment has been designed to avoid collecting identifying information such as names, organizations, email addresses or IP addresses.

Date modified: