
Canada CSAG (Cloud Security Assessment and Authorization Guidance)

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting.
Framework text may require a separate license unless explicitly provided.

Overview

Canada CSAG (Cloud Security Assessment and Authorization Guidance) is a cybersecurity and compliance framework that helps organizations assess, authorize, and manage the security of cloud services within the Canadian public sector.

Why it Matters

Canada CSAG helps organizations ensure the secure use of cloud services while meeting rigorous Canadian government security and compliance standards. Key benefits include:

  • Strengthen cloud security governance: Enable consistent assessment and management of cloud security risks through structured evaluation and ongoing oversight processes.
  • Enhance regulatory compliance: Support alignment with Canadian privacy, risk, and data protection regulations to facilitate approval for handling sensitive government information.
  • Improve third-party risk management: Assist in systematically evaluating cloud service providers’ controls, reducing the risk of data breaches and vendor-related incidents.
  • Increase audit readiness: Facilitate the preparation and documentation necessary for demonstrating due diligence to auditors, regulators, and stakeholders.

How it Works

CSAG structures its approach around control families, risk management processes, and assessment methodologies tailored for cloud security, establishing a set of security safeguards and governance domains aligned with federal regulatory requirements.

Key Elements

  • Security Assessment Processes: Describes procedures for evaluating cloud service providers against defined security requirements and risk criteria.
  • Authorization Framework: Establishes criteria and documentation required for granting and maintaining approval to operate cloud-based services.
  • Continuous Monitoring Practices: Outlines ongoing mechanisms to regularly assess cloud service provider compliance and identify emerging risks.
  • Risk Management Methodology: Defines structured approaches for identifying, analyzing, and mitigating risks associated with cloud service adoption.

Framework Scope

Canada CSAG is used by Canadian government departments, agencies, and cloud service providers handling sensitive or protected data.

Framework Objectives

Canada CSAG provides a standardized approach to managing cybersecurity, risk management, and compliance for cloud services in the Canadian public sector.

  • Ensure alignment with Canadian regulatory and data protection requirements
  • Strengthen cybersecurity governance and continuous oversight for cloud environments
  • Support risk management through comprehensive security assessments and controls
  • Demonstrate audit readiness and due diligence to regulators and stakeholders

At a Glance

Cloud Security Assessment and Authorization Guidance (CSAG)

  • Classification
    Category: Cloud Security
    Domain: Cloud Security
    Framework Family: Other
  • Regulatory Context
    Type: Framework
    Legal Instrument: Guideline
    Sector: Government Sector
    Industry: Government & Public Sector
  • Region / Publisher
    Region: North America
    Region Detail: Canada
    Publisher: Office of the Superintendent of Financial Institutions (OSFI)
  • Versioning
    Version: 1.0
    Effective Date: 2022
    Issue Date: 2021
  • Adoption
    Adoption Model: Regulatory Compliance
    Implementation Complexity: High

License Information

License included / downloadable: Yes

Canada's Cloud Security Assessment and Authorization Guidance is published by Canadian government authorities and is publicly available through official government resources.

Official Resources

  • Canada CSAG Overview: Provides a comprehensive guide to Canada’s Cloud Security Assessment and Authorization process.
  • Cyber Security Self-Assessment Guidance: Outlines self-assessment processes for Canadian cybersecurity risk management.

SMARTSUITE

How SmartSuite Supports Americas Canada CSAG

Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.

Self-Assessment Questionnaire Structure

Run structured cyber self-assessments with scoring and evidence attachments.

Gap Remediation Roadmap

Convert findings into a prioritized roadmap with owners and milestones.

Evidence and Practice Documentation

Centralize proof that practices are defined, performed, and repeatable.

Maturity Progression Tracking

Track maturity progression over time with measurable indicators.

Governance Reporting and Reviews

Schedule periodic reviews and maintain leadership reporting evidence.

Corrective Action and Program Enhancement Tracking

Track corrective actions, closure verification, and program enhancements.

Related frameworks

CSA STAR

CSA STAR is a cloud security assurance program helping organizations assess and demonstrate cloud security and compliance.

FedRAMP Rev. 5

FedRAMP standardizes security requirements to assess, authorize, and continuously monitor cloud services that handle U.S. federal data.

ISO 27001:2022

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO 27017

ISO/IEC 27017 provides cloud-specific security controls to help organizations protect data and manage cloud-related risks.

ISO 27018

ISO/IEC 27018 provides guidelines for protecting personally identifiable information processed in public cloud services.

NIST 800-53 Rev.5

NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.

ONBOARDING FAQS

Frequently Asked Questions For Canada CSAG (Cloud Security Assessment and Authorization Guidance)

What is Canada CSAG used for?

Canada CSAG is used to assess, authorize, and manage the security of cloud services within the Canadian public sector. The guidance ensures that cloud service providers meet defined security requirements for protecting sensitive data and supporting regulatory compliance.

Is Canada CSAG mandatory or certifiable?

Canada CSAG is not a certifiable standard, but compliance is required for cloud service providers seeking to offer services to Canadian government organizations. Adherence to CSAG is typically mandated through procurement requirements or internal policy for handling protected and sensitive information.

What organizations are in scope for Canada CSAG?

CSAG primarily applies to Canadian federal government departments, agencies, and their third-party cloud service providers. It may also be referenced by organizations handling sensitive or regulated data under Canadian jurisdiction.

What are the key concepts and artifacts required for Canada CSAG compliance?

Key artifacts for CSAG compliance include risk assessment reports, security control mappings, system security plans, and formal authorization packages. The framework also requires evidence of continuous monitoring, control testing, and supplier assurance activities.

How does an organization implement the Canada CSAG framework?

Organizations implement CSAG by mapping their existing security controls to the CSAG control catalog, conducting risk assessments, and preparing authorization packages for cloud services. Implementation also involves establishing governance structures, assigning control ownership, and documenting compliance status.

How does Canada CSAG relate to other security frameworks?

Canada CSAG aligns with Canadian privacy and risk management standards and may harmonize with international frameworks such as NIST and ISO 27001. It builds on global best practices while addressing Canada-specific regulatory and jurisdictional requirements for data protection.

What are the ongoing compliance requirements for Canada CSAG?

Maintaining CSAG compliance requires regular continuous monitoring, periodic risk and security assessments, control testing, and evidence collection. Organizations must periodically review and update authorization packages and demonstrate remediation of identified risks.

How would SmartSuite support Canada CSAG?

SmartSuite supports Canada CSAG by enabling organizations to assign and track control ownership, link controls to risk registers, and automate evidence collection. The platform facilitates control testing, remediation tracking, audit readiness, and consolidated reporting to maintain continuous compliance and transparency for regulators and stakeholders.

NEXT STEP

Put CRI Profile into action with SmartSuite

Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.
