Navigating the CAN/DGSI 104 Audit Preparation Process
The CAN/DGSI 104 standard outlines cybersecurity requirements for organizations in Canada. Achieving and maintaining compliance with this standard requires a robust and well-documented security program. This Learning Module guides you through the essential steps of the CAN/DGSI 104 audit preparation process, providing insights into what auditors expect and how to navigate each stage successfully.
1. Policy Development:
- Foundation: The cornerstone of your compliance journey lies in developing comprehensive and well-defined security policies. These policies should address all the controls outlined in the CAN/DGSI 104 standard.
- Guidance and Interpretation: While templates can be helpful, they should be used as a guide. Utilize the guidance and interpretation provided by the 123 Audit Prep software to ensure you have all your documentation properly prepared. This will help you tailor your policies to your specific business needs and risk profile.
- Focus on Evidence: Remember that policies alone are insufficient. You must collect evidence demonstrating that these policies are implemented and effectively functioning within your organization.

2. Evidence Collection:
- Identify Critical Controls: Carefully examine each control within the CAN/DGSI 104 standard and determine the evidence required to demonstrate compliance. This may include:
  - Documented procedures: Step-by-step instructions for carrying out security tasks.
  - System configurations: Screenshots, logs, and reports that demonstrate security settings and configurations.
  - Incident response plans: Documentation of your organization's plan for handling security incidents.
  - Training records: Proof that employees have received training on security awareness and best practices.
  - Vulnerability scans: Reports of security assessments and penetration tests.
- Maintain Records: Ensure all evidence is properly documented, organized, and easily accessible for audit review.

3. Triggering the Audit Process:
- Contact Your Auditor: Once you have developed your policies and collected sufficient evidence, contact your chosen auditing body.
- Initiate Stage 1 Audit: The first stage involves submitting all your policies and supporting evidence to the auditor for review.

4. Stage 2 Audit:
- On-Site Assessment: This is the core of the audit process. The auditor will conduct a thorough review of your policies, procedures, and evidence.
- Interactive Session: Expect an interactive session where the auditor will ask questions, examine your systems, and require you to demonstrate specific functionalities.
- Audit Findings: At the conclusion of the audit, the auditor will provide you with their findings, which may include:
  - Observations: Areas for improvement that do not require immediate action.
  - Minor Nonconformities: Issues that must be addressed within a specified timeframe (usually within 12 months).
  - Major Nonconformities: Critical issues that require immediate attention and may halt the audit process until resolved.

5. Corrective Action Plan:
- Address Nonconformities: Develop a comprehensive corrective action plan to address all identified minor nonconformities.
- Submit and Review: Submit your corrective action plan to the auditor for review and approval.

6. Certification and Ongoing Maintenance:
- Certificate Issuance: Upon successful completion of the audit and approval of your corrective action plan, you will be awarded a CAN/DGSI 104 certificate.
- Annual Audits: To maintain certification, you will undergo annual surveillance audits to ensure ongoing compliance with the standard.

What to Expect from the Auditors:
- Thoroughness: Auditors will meticulously examine your policies, procedures, and evidence to ensure they meet the requirements of the CAN/DGSI 104 standard.
- Objectivity: Auditors will maintain an objective and unbiased approach throughout the audit process.
- Guidance: While they will assess your compliance, auditors can also provide valuable guidance and recommendations for improving your security posture.

Key Takeaways:
- The CAN/DGSI 104 audit process requires a proactive and well-planned approach.
- Strong policies, comprehensive evidence collection, and a commitment to continuous improvement are crucial for successful compliance.
- By diligently following these steps and maintaining a strong security posture, you can successfully navigate the CAN/DGSI 104 audit process and achieve and maintain certification.
Disclaimer: This Learning Module provides general information and should not be considered legal or professional advice. Please consult with your 123 Cyber security advisors for specific guidance related to the CAN/DGSI 104 standard and the audit process.

---

This training series is based on the CAN/DGSI 104 NATIONAL STANDARD OF CANADA Baseline cyber security controls for small and medium sized organizations (typically less than 500 employees), the Canadian Centre for Cyber Security controls and the National Institute of Standards and Technology (NIST).

This tutorial is a guideline for best practices, but you are encouraged to review your company's password policy to ensure you are following your organization's procedures.

---