CAN/DGSI 104 Certification Support (CyberSecure Canada)

Canada's baseline standard for SMEs. Without the pitfalls.

Level 1 or Level 2 — we help you choose, then take you to certification.

CAN/DGSI 104 certification support is a structured engagement that takes your organization from initial assessment through to certification recommendation by an accredited third-party body, under the CyberSecure Canada program. The standard specifies 18 core cybersecurity controls (55 sub-controls) organized across Sections 5 and 6 of the document, with two levels of requirements (Level 1 and Level 2). The Rev 1:2024 revision clarified the distinction between Level 1 and Level 2 across six areas: cybersecurity training, risk assessment, incident response plan, secure configuration process, data backups, and cloud / outsourced IT services. Factero leads the process: level selection (1 or 2), gap analysis, control implementation, documentation, internal audit, support through the certification audit, and preparation of the 12-month maintenance audit. We prepare — we don't certify. The certification body, accredited by the Standards Council of Canada (SCC) under ISO/IEC 17021-1, remains an independent third party. Engagement led by a CISA-certified principal associate, with CAN/DGSI 104:2021 Rev 1:2024 as the target standard and NIST-CSF as supporting framework for risk prioritization.

Who is it for?

Canadian SMEs under 500 employees wanting a cyber certification sized to their reality — without jumping straight to ISO 27001.

Organizations that receive corporate client security questionnaires and want to answer them with a federally recognized framework, without carrying ISO 27001 costs.

Professional service providers (accountants, law firms, consultants, agencies) handling sensitive client information and wanting to demonstrate a measurable cyber posture.

Clinics, medical practices, and healthcare organizations holding health information and wanting a pragmatic certification aligned with their maturity level.

Organizations working with the federal government, or positioning for bids where CyberSecure Canada certification is becoming a qualifying criterion.

SMEs planning ISO 27001 medium-term and looking for a concrete first step — CAN/DGSI 104 Level 2 is a logical launch pad.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • A corporate client requires a recognized cyber certification — but ISO 27001 is out of budget or out of timeline.
  • You regularly complete client security questionnaires and want a certification that answers 80% of them once and for all.
  • You're hesitating between Level 1 and Level 2 and want an outside perspective to decide — not a vendor pushing the more expensive option.
  • You've seen "CyberSecure Canada" in a bid or federal contract and want to understand what's actually required.
  • Your cyber insurer is starting to demand more than a questionnaire — they want to see a certification or formal attestation.
  • You're already compliant with Quebec's Law 25 and want to build on that work to get CAN/DGSI 104 without starting over.
  • You want a certification valid for 2 years, with effort proportional to your size — not a project that consumes the organization for 18 months.
  • You're confusing CAN/DGSI 104 (CyberSecure Canada) with the CPCSC (Canadian Program for Cyber Security Certification for Defence suppliers) — and you want to know which one applies to you.

What will you receive?

  • A clear Level 1 or Level 2 recommendation, justified by your operational reality, clients, and contractual obligations — not by commercial preference.
  • A complete gap analysis between your current posture and the requirements of the selected level, with a plan prioritized by risk level.
  • The policies, procedures, and records required by the standard, drafted and adapted to your reality — not a batch of generic copy-paste templates.
  • Implementation of missing technical controls, in collaboration with your IT team or MSP: MFA, tested backups, access management, monitoring, etc.
  • A documented internal audit before the certification audit — to avoid surprises on audit day.
  • An organized evidence file, structured for the certification body's expectations — documents in the right place, no scramble on audit day.
  • Support during the certification audit conducted by the accredited body of your choice: team preparation, question translation, non-conformity management.
  • A maintenance plan over the 2-year cycle: tracking standard changes, recertification preparation, adjustments if your environment evolves.

Not a good fit?

CAN/DGSI 104 is the right standard for most Canadian SMEs. But a few situations call for a different path.
  • If your client explicitly requires ISO 27001 — not an "equivalent" or "recognized" certification — then ISO 27001 support is the right service. CAN/DGSI 104 is not accepted as a substitute for ISO 27001 in most international contracts.
  • If you're a Canadian Defence supplier and someone mentions "cyber certification for military contracts," they likely mean the CPCSC (Canadian Program for Cyber Security Certification), based on NIST 800-171 — not CyberSecure Canada. These two programs are distinct — we clarify quickly during the discovery call.
  • If your current maturity is very low and even Level 1 seems out of reach within the next 6 months, the SME offer or an independent Factero audit are often the right starting point — to build the foundations before targeting formal certification.
  • And if your need is one-off — answering a single client questionnaire, reassuring a specific investor — a targeted attestation may be enough at much lower cost. We'll discuss this openly.

How does the process work?

A rigorous and transparent approach, step by step.

Assessment and level selection

We start by determining which level is right for your organization. Level 1 is a foundational baseline — ideal for an SME structuring cybersecurity for the first time. Level 2 is more demanding and typically required when your clients (or the federal government) need stronger assurance. We look at your business context, contractual obligations, and current maturity to decide. Sometimes the right answer is to aim for Level 1 now and Level 2 in a second cycle, after the 12-month maintenance audit.

Gap analysis

We map your current posture against the requirements of the selected level. We identify what's already in place (and documentable), what's missing, and what needs realignment. Deliverable: prioritized gap report, realistic effort estimate, and clear recommendation on achievable timeline.

Control implementation

We implement missing controls with your IT team or MSP. Guiding principle: every control must be lived, not just documented. An MFA control that exists on paper but isn't activated on critical accounts isn't a control. We use the NIST-CSF framework to structure risk assessment and prioritize fixes by actual impact.

Documentation and internal audit

We draft the policies, procedures, and records the standard requires. We conduct a formal internal audit before the certification audit — an independent external perspective that identifies blind spots self-audit can't see. Internal audit is a prerequisite for Level 2 certification, and it's often where unaccompanied efforts derail.

Certification audit support

We support you through the audit conducted by the certification body accredited by the SCC that you've chosen. Our role: translate, structure responses, manage any non-conformities. For Level 1, the audit is generally lighter (primarily documentation review). For Level 2, it includes in-depth implementation verification. Choice of certification body remains yours — we can present accredited options, with no commercial tie to any of them.

Maintenance over 2-year cycle

CAN/DGSI 104 certification is valid for 2 years. We remain available to prepare recertification, adjust the setup if your environment evolves (new systems, new employees, new contracts), and integrate standard updates. Without locking you into a recurring contract.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.

Is Factero itself certified CAN/DGSI 104?

Yes. Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We've been through the very process we're offering to guide you through — from initial assessment to certificate issuance by an accredited third-party body. This means two concrete things for you: (1) we know precisely where the pitfalls are, which choices save time, and what the certification body will ask; (2) we apply to our own organization the standards we assess in yours — not a commercial line, but a documented, verifiable reality. A firm supporting clients toward a recognized certification should, by professional consistency, hold one itself.

Level 1 or Level 2 — how do we choose?

The answer depends on what your clients (or the government) actually require, not on which level sounds more reassuring. Level 1 is a foundational baseline: basic governance, awareness, incident management, backups, authentication. It suits an SME structuring cybersecurity for the first time whose clients aren't demanding a higher level. Level 2 adds requirements on risk management, formal third-party management, active monitoring, and requires a documented internal audit. It's typically expected when your corporate clients, the federal government, or your cyber insurer need stronger assurance. Factero reviews your contracts, recent client questionnaires, and industry with you to decide — not by default, not by commercial preference.

How long does it take?

For Level 1, expect 3 to 6 months depending on your starting point. For Level 2, 6 to 12 months is realistic. If you're starting from a mature position (already Law 25 compliant and NIST-CSF aligned), Level 1 can be reached in 2-3 months. If you're starting from zero and your organization is highly decentralized, even Level 1 can take 6 months. Very short timelines advertised elsewhere ("certified in 30 days") apply only to organizations that already have everything in place — and in that case, it's not an engagement, it's a documentation review. Factero gives a realistic estimate from the gap analysis onward, not a marketing range.

Is it mandatory?

No — CAN/DGSI 104 / CyberSecure Canada is a voluntary certification. It's not imposed by Canadian law. But it becomes de facto necessary in several contexts: corporate clients requiring it in contracts, federal or provincial bids listing it as a qualifying criterion, cyber insurers recognizing it as maturity evidence, and certain regulated sectors expecting it. Quebec's Law 25 is a separate legal obligation — one doesn't replace the other, but they share some technical controls.

What does it cost — and what's not included?

Factero's engagement covers the preparation through certification — assessment, gap analysis, control implementation with your teams, documentation, internal audit (for Level 2), support during the certification audit. Costs not included and paid directly by you: certification body fees (the audit itself, certificate issuance, recertification at 2 years), any technical investments identified during the engagement (MFA licenses, backup solutions, access management tools), and your internal team's time. We provide a full estimate of all three from the gap analysis onward.

Is CAN/DGSI 104 equivalent to ISO 27001?

No, and they should not be presented as equivalent to a client. CAN/DGSI 104 is a baseline standard — designed to offer Canadian SMEs a pragmatic foundation with proportional effort. ISO 27001 is a management system standard (ISMS) — much more demanding, internationally recognized, with control count and documentation depth of a different order of magnitude. The two are complementary, not substitutable: an international client requiring ISO 27001 won't accept a CAN/DGSI 104 certificate. That said, CAN/DGSI 104 Level 2 is a logical launch pad toward ISO 27001 — much of the work transfers. Factero is transparent on this from the first conversation.

Our MSP already manages our infrastructure. Can they also drive our CAN/DGSI 104 certification?

Your MSP is a key player in technical implementation — but driving the certification is a separate role. CAN/DGSI 104 Level 2 requires an internal audit — if your MSP manages your infrastructure and drives your certification, they'll be auditing their own delivery. The certification body may raise this conflict of interest, and some flatly refuse to start the audit under these conditions. Factero has no commercial ties to your MSP: we audit reality, not the vendor's official version. That said, the MSP relationship remains essential — they're a key actor in technical implementation. We work with them, not in their place, exactly as in an independent audit. Same logic as for ISO 27001.

We've already done the work for Law 25. Does that accelerate CAN/DGSI 104?

Yes, significantly. Based on our recent engagements, solid Law 25 compliance covers a substantial portion of CAN/DGSI 104 requirements — notably incident management, designation of a responsible officer, access controls, and processing documentation. Overlap is higher with Level 1 than Level 2, which adds requirements of its own (formal third-party management, active monitoring, internal audit). The gap analysis identifies precisely what transfers, what needs adaptation, and what remains to be built. You're not starting from zero.

Is CAN/DGSI 104 the same as CPCSC?

No — these are two distinct Canadian programs often confused. CAN/DGSI 104 (CyberSecure Canada) is a general cybersecurity standard for Canadian SMEs, administered by the Standards Council of Canada. The CPCSC (Canadian Program for Cyber Security Certification) is a program specific to Department of National Defence suppliers, based on the ITSP.10.171 standard (itself aligned with NIST SP 800-171, therefore the U.S. CMMC). The two programs have their own levels (1, 2, 3), distinct accreditation processes, and different audiences. If a Defence bid asks for "cyber certification," it almost certainly means CPCSC — not CyberSecure Canada. We clarify this at the discovery call: it would be frustrating to pursue the wrong certification.

Who delivers the certification?

Certification is delivered exclusively by a certification body (CB) accredited by the Standards Council of Canada (SCC). SCC accreditation is based on the international standard ISO/IEC 17021-1, which gives the certificate recognition beyond Canada. No consultant can "deliver" the certification — it would be a conflict of interest the program explicitly prohibits. Factero prepares you, supports you through the audit, and helps you choose the most appropriate accredited certification body. Our Charter of Independence prohibits any commercial tie or commission with certification bodies.

What methodology do you use?

Factero uses CAN/DGSI 104:2021 Rev 1:2024 as the target standard (the in-force version published by the Digital Governance Standards Institute, revised in 2024), complemented by the NIST Cybersecurity Framework (NIST-CSF) to structure risk assessment and prioritize recommendations. The principal associate holds the CISA certification (Certified Information Systems Auditor) from ISACA — the international reference in information systems auditing. In practice, the approach is adapted to each organization's size and reality: we don't build the same setup for a 15-employee agency and a 300-employee industrial SME. Each control is evaluated on actual applicability.

Will the standard change soon?

A periodic revision of CAN/DGSI 104 was launched in December 2025 by the Digital Governance Standards Institute. The currently in-force version remains CAN/DGSI 104:2021 Rev 1:2024, and certifications issued under this version remain valid. The revision underway aims to integrate threat landscape developments and clarify certain controls (cloud, mobility, log management). Factero actively tracks these developments — if a new version is published during your engagement, we adjust the approach without restarting.

Is it confidential?

Yes, every support engagement conducted by Factero is governed by a formal confidentiality agreement in favor of the client, signed before any work begins. No information — findings, analyzed documents, internal audit results — is shared with any third party, provider, or partner without your explicit written authorization, in accordance with our privacy protection policy and Law 25 requirements. Materials provided to the certification body are shared under your control and with your approval. This standard applies across all our engagements, without exception.

Does this commit us to ongoing work?

No. The engagement ends naturally with certification. With certification valid for 2 years, some organizations prefer to keep us on a light cadence to prepare recertification and absorb standard updates. Others prefer to internalize — often a good outcome. Our Charter of Independence prohibits creating artificial dependency. We never recommend follow-up you don't need.

Why Factero for this engagement — what sets you apart?

Before signing with a support firm, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.

The firm itself is certified

Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you toward a recognized certification should, by consistency, hold one itself.

Incorporated and established since 2022

Factero Service Conseil is duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).

Complete team and operational continuity

Factero relies on an interdisciplinary team covering information technology, human resources, and accounting — the three dimensions that intersect in most governance engagements. A CAN/DGSI 104 certification engagement extends over 3 to 6 months depending on organizational maturity, followed by a 12-month maintenance audit; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.

Professional liability and cyber insurance

Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold one itself. Ask for the certificate before signing.

Written and public independence

Our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets.

Public procurement registration

Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal — a process that involves regulatory verifications and up-to-date tax attestations.

These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.

Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.