Logo with a bright green maple leaf above the text ITSG-33.

A guide to ITSG-33 (Information Technology Security Guidance 33)

Cyber security has become a national priority for governments and organizations around the world. As cyberattacks continue to increase in frequency and sophistication, organizations are expected to implement structured security programs that not only protect information assets but also demonstrate sound governance, risk management, and operational resilience.

 

In Canada, government departments and many organizations that work with the public sector rely on ITSG-33 (Information Technology Security Guidance 33) as one of the country’s most comprehensive information security guidance documents. Developed by the Canadian Centre for Cyber Security, ITSG-33 provides a risk-based approach for securing information systems throughout their lifecycle.

 

Unlike many cyber security frameworks that focus primarily on technical controls, ITSG-33 combines governance, risk management, security control selection, implementation, continuous monitoring, and ongoing authorization into a unified methodology. It helps organizations make informed security decisions while ensuring that information systems remain protected against evolving threats.

 

Although ITSG-33 was developed primarily for Canadian federal departments and agencies, its principles are increasingly adopted by contractors, service providers, critical infrastructure organizations, and private-sector businesses that work with government entities or want to strengthen their cyber security governance.

 

Implementing ITSG-33 can be challenging, particularly for organizations managing multiple compliance requirements such as ISO 27001, SOC 2, PCI DSS, NIST Cybersecurity Framework, PIPEDA, or provincial privacy regulations. Manual compliance processes often lead to fragmented documentation, duplicate work, and limited visibility into security risks.

 

This comprehensive guide explains what ITSG-33 is, how it works, its key components, implementation best practices, and how organizations can simplify security governance through a modern Governance, Risk, and Compliance (GRC) platform.

 

 

What is ITSG-33?

 

Information Technology Security Guidance 33 (ITSG-33) is a cyber security guidance document published by the Canadian Centre for Cyber Security. It provides organizations with a standardized, risk-based methodology for securing information systems throughout their lifecycle.

 

Rather than prescribing a one-size-fits-all set of controls, ITSG-33 encourages organizations to evaluate their own risks, determine the appropriate level of protection, implement suitable security controls, and continuously monitor those controls over time.

 

The guidance combines internationally recognized security practices with Canada’s government security requirements, making it one of the foundational cyber security references for federal information systems.

 

Why ITSG-33 matters

 

Organizations today operate in increasingly complex digital environments that include cloud computing, remote work, artificial intelligence, third-party suppliers, and interconnected systems. These environments introduce new cyber security risks that require structured governance rather than isolated technical solutions.

 

ITSG-33 helps organizations:

 

  • Strengthen cyber security governance.
  • Improve risk management.
  • Protect sensitive information.
  • Support operational resilience.
  • Improve audit readiness.
  • Enhance security decision-making.
  • Establish continuous monitoring practices.

 

For organizations supporting Canadian government operations, following ITSG-33 also demonstrates alignment with recognized national cyber security guidance.

 

Who should use ITSG-33?

 

Although ITSG-33 was developed primarily for Canadian federal government departments and agencies, its guidance benefits many other organizations.

 

These include:

 

  • Government departments.
  • Crown corporations.
  • Government contractors.
  • Critical infrastructure operators.
  • Financial institutions.
  • Technology providers.
  • Cloud service providers.
  • Defence organizations.
  • Healthcare organizations.
  • Organizations managing sensitive information.

 

Private-sector organizations frequently adopt ITSG-33 principles to strengthen internal security governance even when formal adoption is not mandatory.

 

Objectives of ITSG-33

 

The guidance is designed to help organizations achieve several important objectives.

 

Protect information systems

 

Organizations should implement appropriate safeguards that protect information systems from unauthorized access, modification, disclosure, destruction, or disruption.

 

Support risk-based decision making

 

Security investments should be based on organizational risk rather than applying identical controls to every system.

 

This enables more effective allocation of security resources.

 

Improve governance

 

ITSG-33 promotes executive accountability, structured decision-making, and clearly defined security responsibilities across the organization.

 

Enable continuous security

 

Cyber security is treated as an ongoing process rather than a one-time implementation project.

 

Organizations are expected to continuously monitor, review, and improve security controls.

 


 

The two components of ITSG-33

 

ITSG-33 consists of two major components that work together throughout the information system lifecycle.

 

Security risk management

 

The first component focuses on security risk management.

 

Organizations should identify information assets, assess threats and vulnerabilities, evaluate business impacts, determine acceptable risk levels, and select appropriate security controls.

 

This process ensures security decisions remain aligned with organizational objectives.

 

Security control catalog

 

The second component provides a comprehensive catalog of security controls that organizations can select based on identified risks.

 

Rather than requiring every control, ITSG-33 promotes tailoring security controls according to system sensitivity and business requirements.

 

Understanding the ITSG-33 risk management process

 

One of the strengths of ITSG-33 is its structured risk management methodology.

 

Step 1: Categorize the information system

 

Organizations begin by determining the sensitivity and criticality of the information system.

 

Factors typically include:

 

  • Confidentiality.
  • Integrity.
  • Availability.

 

This categorization influences subsequent security decisions.

 

Step 2: Select security controls

 

Based on the system categorization and identified risks, organizations select appropriate security controls from the ITSG-33 catalog.

 

Control selection should reflect business needs, regulatory obligations, and threat exposure.

 

Step 3: Implement controls

 

Selected controls are implemented through policies, procedures, technologies, and operational practices.

 

Implementation should be documented to support future reviews and audits.

 

Step 4: Assess security controls

 

Organizations evaluate whether implemented controls operate effectively.

 

Assessments may include:

 

  • Technical testing.
  • Vulnerability assessments.
  • Configuration reviews.
  • Internal audits.
  • Penetration testing.

 

Assessment results support ongoing risk management.

 

Step 5: Authorize the system

 

Senior leadership determines whether the residual risk associated with the information system is acceptable for operation.

 

Authorization decisions should be documented and periodically reviewed.

 

Step 6: Continuous monitoring

 

Security monitoring continues throughout the system lifecycle.

 

Organizations should regularly evaluate:

 

  • Control effectiveness.
  • Emerging threats.
  • Configuration changes.
  • Vulnerabilities.
  • Risk exposure.

 

Continuous monitoring supports continual improvement.

 

ITSG-33 security control families

 

The ITSG-33 security control catalog covers a broad range of cyber security domains.

 

Examples include:

 

Access control

 

Organizations should ensure users receive appropriate access based on business responsibilities while limiting unauthorized access.

 

Audit and accountability

 

Systems should generate logs that support monitoring, investigations, and compliance activities.

 

Configuration management

 

Organizations should establish controlled processes for managing system changes and maintaining secure configurations.

 

Incident response

 

Documented procedures should enable organizations to detect, investigate, respond to, and recover from cyber security incidents.

 

Risk assessment

 

Organizations should continuously evaluate cyber security risks affecting information systems.

 

System and communications protection

 

Controls should protect information during storage, processing, and transmission.

 

Security assessment and authorization

 

Organizations should periodically evaluate control effectiveness before approving system operation.

 

Contingency planning

 

Business continuity and disaster recovery capabilities should support operational resilience during disruptive events.

 

Benefits of implementing ITSG-33

 

Organizations implementing ITSG-33 often experience significant operational and governance improvements.

 

These benefits include stronger risk management, improved security governance, better visibility into information systems, enhanced executive oversight, reduced cyber security risks, improved audit readiness, and stronger regulatory alignment.

 

The framework also encourages continuous improvement, helping organizations remain resilient as threats evolve.

 

Common challenges with ITSG-33 implementation

 

Although ITSG-33 provides comprehensive guidance, implementation can be challenging.

 

Many organizations struggle with maintaining accurate system inventories, documenting security controls, coordinating activities across multiple departments, and continuously monitoring compliance.

 

Organizations managing several compliance frameworks simultaneously often duplicate work because controls are documented separately for each framework.

 

Manual evidence collection and spreadsheet-based tracking further increase administrative burden.

 

ITSG-33 and other security frameworks

 

ITSG-33 complements several internationally recognized security frameworks.

 

Organizations commonly align ITSG-33 with:

 

ISO 27001

 

ISO 27001 provides a certifiable Information Security Management System that complements ITSG-33’s risk-based approach.

 

NIST Cybersecurity Framework

 

Both frameworks emphasize governance, risk management, security controls, and continuous improvement.

 

SOC 2

 

Technology providers often combine SOC 2 with ITSG-33 principles to strengthen security governance.

 

PCI DSS

 

Organizations processing payment card information frequently integrate PCI DSS controls into broader governance programs.

 

PIPEDA

 

Privacy compliance under PIPEDA benefits from the strong security governance promoted by ITSG-33.

 

Mapping common controls across multiple frameworks reduces duplication while improving consistency.

 

Best practices for ITSG-33 implementation

 

Organizations should begin by establishing executive sponsorship and defining governance responsibilities.

 

Accurate asset inventories, regular risk assessments, documented security policies, employee awareness training, vendor risk management, continuous monitoring, and periodic internal audits all contribute to successful implementation.

 

Rather than viewing ITSG-33 as a technical project, organizations should integrate it into enterprise governance and risk management activities.

 

Automation further improves implementation by reducing manual effort while increasing visibility across security programs.

 

How CyberArrow GRC simplifies ITSG-33 implementation

 

CyberArrow GRC helps organizations centralize governance, cyber security, risk management, and compliance activities within a single platform.

 

Instead of managing ITSG-33 through spreadsheets and disconnected documentation, organizations can automate governance processes while improving operational visibility.

 

Centralized governance

 

CyberArrow enables organizations to manage policies, procedures, controls, risks, and governance activities through structured workflows.

 

Security risk management

 

Organizations can identify, assess, monitor, and mitigate cyber security risks using centralized dashboards and automated reporting.

 

Compliance monitoring

 

CyberArrow allows organizations to manage ITSG-33 alongside ISO 27001, NIST, SOC 2, PCI DSS, PIPEDA, and other cyber security frameworks from a single platform.

 

Automated evidence collection

 

The platform reduces audit preparation time by organizing documentation, maintaining audit trails, and collecting compliance evidence automatically.

 

Executive reporting

 

Leadership teams gain real-time visibility into compliance status, security maturity, risk exposure, remediation activities, and governance performance through comprehensive dashboards.

 

Why organizations trust CyberArrow GRC

 

Organizations across the United States, Europe, Africa, Asia, and the Middle East trust CyberArrow GRC to simplify complex governance, risk, and compliance programs.

 

The platform enables organizations to automate compliance activities, strengthen cyber security governance, centralize policy management, improve audit readiness, and manage multiple regulatory frameworks from a single solution.

 

Its scalable architecture supports organizations of all sizes as they strengthen their cyber security posture and operational resilience.

 

See what our clients have to say about CyberArrow GRC:

 

Emirates Testimonial

Conclusion

 

ITSG-33 provides one of Canada’s most comprehensive approaches to information security governance. By combining structured risk management, security control selection, continuous monitoring, and executive oversight, the framework enables organizations to build resilient information systems that can adapt to evolving cyber security threats.

 

Whether your organization is supporting Canadian government operations, managing critical infrastructure, or simply looking to strengthen its cyber security program, ITSG-33 provides a practical methodology for improving security governance and reducing organizational risk.

 

Successfully implementing ITSG-33 requires more than technical controls. It demands effective governance, continuous monitoring, structured risk management, policy management, and strong executive visibility.

 

CyberArrow GRC helps organizations simplify ITSG-33 implementation by centralizing governance, automating evidence collection, strengthening risk management, and maintaining continuous compliance across multiple cyber security frameworks.

 

Trusted by some of the world’s biggest brands across the US, Europe, Africa, Asia, and the Middle East, CyberArrow empowers organizations to build mature cyber security governance programs while reducing manual effort and improving long-term operational resilience.

 


 

FAQs

 

What is ITSG-33?

ITSG-33 (Information Technology Security Guidance 33) is a cyber security guidance document developed by the Canadian Centre for Cyber Security. It provides a risk-based approach to securing information systems by helping organizations identify security risks, select appropriate security controls, implement governance processes, and continuously monitor their cyber security posture throughout the system lifecycle.

 

Is ITSG-33 mandatory for all organizations in Canada?

No. ITSG-33 is primarily intended for Canadian federal government departments and agencies, as well as organizations that provide services to the Government of Canada. However, many private-sector organizations also adopt ITSG-33 to strengthen their cyber security governance, improve risk management, and align with recognized security best practices, particularly when working with government clients or managing sensitive information.

 

How can CyberArrow GRC help organizations implement ITSG-33?

CyberArrow GRC helps organizations simplify ITSG-33 implementation by centralizing governance, risk management, policy management, compliance monitoring, automated evidence collection, and audit-ready reporting. The platform also enables organizations to manage ITSG-33 alongside ISO 27001, NIST Cybersecurity Framework, SOC 2, PCI DSS, PIPEDA, and other cyber security and compliance frameworks from a single dashboard, reducing manual effort while improving visibility, operational resilience, and continuous compliance.

Avatar photo
CyberArrow team