The Canadian Cyber Security Tool

The Canadian Cyber Security Tool (CCST) and the Canadian Cyber Security Tool 2.0 (CCST 2.0) are virtual self-assessment tools developed by Public Safety Canada (PS) in collaboration with the Communications Security Establishment and its Canadian Centre for Cyber Security (Cyber Centre). The tools are specifically designed for Canadian Critical Infrastructure (CI) owners and operators to take part in voluntary, short, and easy-to-use self-assessments that provide participants with an overview of their organization's operational resilience and cyber security posture, as well as comparative results across their sector.

CCST and CCST 2.0

The original CCST is designed for organizations that wish to perform a basic virtual assessment of their cyber security resiliency. It consists of 38 questions and provides an assessment of the organization's technical and program approach to cyber security. Approximate time to complete is one hour.

The CCST 2.0 is a "deeper dive" into the organizational approach to cyber security. It includes an expanded overall set of just over 100 targeted questions designed to assess the organization's technical and program approaches to cyber security. In addition, it provides direct mapping to the National Institute of Standards and Technology (NIST) cyber security framework, with additional ratings for each NIST function. Approximate time to complete is two hours.

Who can take part in the self-assessment

The CCST was created specifically with Canadian CI owners and operators in mind. If you would like to know if your organization falls within this CI category, please see Critical Infrastructure Partners for more information.

How they work

The CCST and the CCST 2.0 are assessments of an organization's programs and practices that include questions related to cyber incidents the organization has experienced, as well as questions related to technical and program resilience.

Each self-assessment is divided into specific and clearly defined categories that are complemented by supporting web links that provide additional guidance and information.

Building on the success of the CCST, the CCST 2.0 presents the respondent with a series of questions and a group of associated answers for each question. Each chosen answer helps indicate the organization's overall level of cyber resiliency. Once the survey is submitted, a report will be provided within five business days.

After the self-assessment

Upon completion, participants will receive a report which will provide them with advice and guidance related to each cyber security theme discussed throughout the tool. Participants will also receive a score, based on comparative results from other organizations' responses.

How it helps your organization

In addition to post-self-assessment results and a comparative overview of the organization's cyber security posture, participants will also receive advice and guidance related to improving their cyber security resiliency in relation to the assessed areas.

Once completed, the results will be used to understand the cyber security posture of Canadian industries, and assist PS and the Cyber Centre in tailoring the next generation of products and services to address the cyber security needs of Canada's Critical Infrastructure.

To request access to the CCST or the CCST 2.0

If you think your organization would benefit from the CCST or a more in-depth assessment like the CCST 2.0, please contact us to request a username and password or for additional information.

The results of this self-assessment will be made available only to designated members of Public Safety Canada and the Canadian Centre for Cyber Security, who are responsible for program administration and the development of the national cyber security database.

All self-assessment responses will be treated as confidential, but will remain subject to the provisions of the Access to Information Act.

With those obligations in mind, the self-assessment has been designed to avoid collecting identifying information such as names, organizations, email addresses or IP addresses.

CI Talks: Canadian Cyber Security Tool


Hello and welcome to CI Talks. Today we will be talking about the Canadian Cyber Security Tool, otherwise known as the CCST.

Are you interested in making tangible improvements to your organization's cyber resilience? Do you want to ensure that your organization has the right balance of knowledge and control to ensure a cyber-secure working environment? Are you unsure where to start?

Public Safety Canada offers a suite of both physical and cyber assessments for critical infrastructure organizations. With the onset of the COVID-19 pandemic, we re-examined our approach to these assessments to redefine this important engagement.

Rooted in collaboration with the Canadian Centre for Cyber Security, the CCST was developed and is now available to Canadian organizations across the 10 CI sectors.

The CCST is an easy to use, voluntary, online, cyber security self-assessment. It takes less than an hour to complete, and provides participants with comparative results on their organization's performance against other peer entities within the same sector. Organizations that participate in the CCST are provided with a unique set of login credentials and the self-assessment was designed to avoid collecting identifying information such as names, organizations, email addresses or IP addresses.

The tool is designed for organizations to assess their cyber security programs and practices across three separate categories: Organizational Information, Technical Resilience, and Program Resilience. Each category is preceded by a brief explanation of the question set's layout, and points to guidance and information, including the Canadian Centre for Cyber Security's publication, Baseline Cyber Security Controls for Small and Medium Organizations. There are no questions in the CCST that identify the organizations.

Representation from all sections of an organization should be present, in person or virtually, or consulted to provide input when responding to the assessment, as the survey is designed to assess the programs and practices of the organization as a whole.

Once an organization has completed the CCST, they are provided with a report that includes advice and guidance related to each cyber security theme, an entity-specific score, and comparative results from other organizations within the same sector and subsector.

Eligibility for the tool is open exclusively to Canadian members of the 10 critical infrastructure sectors, and some of our partners, such as academia.

Organizations wishing to complete the CCST can find more information by visiting the Canadian Cyber Security Tool webpage on, or contact Public Safety Canada's Cyber Engagements team at:
