This crosswalk maps the seven obligation areas of the Critical Cyber Systems Protection Act (CCSPA), enacted June 16, 2026 as Part 2 of Bill C-8, against ISO 27001:2022, NIST CSF 2.0, and CPCSC's ITSP.10.171 in a single master table. A team holding any of the three frameworks can see which CCSPA obligations their existing program already supports and which it does not touch.
Last updated: July 2026. The CCSPA is enacted but not yet in force. This crosswalk will be revised as coming-into-force orders and supporting regulations are published.
The CCSPA crosswalk at a glance
- What it maps: seven CCSPA obligation areas against ISO 27001:2022, NIST CSF 2.0, and CPCSC's ITSP.10.171
- Strongest overlap: protection of critical cyber systems, where the technical control catalogues map nearly control-for-control
- No framework analogue: compliance with confidential Governor in Council directions
- The consistent gap: regulator-facing duties, the 90-day program filing, 72-hour incident reporting to the CSE Cyber Centre, and records kept in Canada
- ITSP.10.171: the standard behind CPCSC; adapts NIST SP 800-171r3 into 97 controls across 17 families
- Status: enacted but not yet in force; mappings are indicative planning aids, not conformity claims
For the full story of what the law is and who it reaches, see the Bill C-8 and CCSPA guide. For the obligation list in statutory detail, see the CCSPA cybersecurity program requirements breakdown.
How does the CCSPA map to ISO 27001, NIST CSF 2.0, and ITSP.10.171?
The table below maps each obligation area to the clauses, controls, functions, and families that carry equivalent work. ITSP.10.171 is the standard behind CPCSC, Canada's defence supply chain certification. Where a framework has no meaningful analogue, the cell says so.
| CCSPA obligation area | CCSPA duty (as enacted) | ISO 27001:2022 | NIST CSF 2.0 | CPCSC ITSP.10.171 |
| Program establishment and governance | Establish a cyber security program within 90 days of designation, provide it to the regulator, review it annually, notify the regulator of changes | Clauses 4-7 (context, leadership, planning, support), 9.3 (management review); A.5.1 policies, A.5.2 roles, A.5.31 legal requirements, A.5.35 independent review | GOVERN: GV.OC, GV.RM, GV.RR, GV.PO, GV.OV | Planning (PL, 03.15); Security Assessment and Monitoring (CA, 03.12) |
| Risk assessment | Program must set out reasonable steps to identify and manage cyber security risks | Clauses 6.1.2, 8.2 (risk assessment), 6.1.3, 8.3 (risk treatment); A.5.7 threat intelligence | IDENTIFY: ID.AM, ID.RA; GOVERN: GV.RM | Risk Assessment (RA, 03.11) |
| Supply-chain and third-party risk | Program must address supply-chain and third-party risks; standing duty to take reasonable steps to mitigate any such risk as soon as it is identified | A.5.19-A.5.22 supplier relationships and agreements, ICT supply chain, supplier monitoring; A.5.23 cloud services | GOVERN: GV.SC (all subcategories) | Supply Chain Risk Management (SR, 03.17); System and Services Acquisition (SA, 03.16) |
| Incident detection and reporting | Program must set out steps to detect incidents and minimize their impact; duty to report incidents to the CSE Cyber Centre within a period set by regulation (capped at 72 hours) and immediately notify the regulator | A.8.15 logging, A.8.16 monitoring; A.5.24-A.5.28 incident management; A.5.29-A.5.30 continuity | DETECT: DE.CM, DE.AE; RESPOND: RS.MA, RS.AN, RS.CO, RS.MI; RECOVER: RC.RP | Incident Response (IR, 03.06); Audit and Accountability (AU, 03.03); System and Information Integrity (SI, 03.14) |
| Protection of critical cyber systems | Program must set out reasonable steps to protect critical cyber systems from compromise | A.5.15-A.5.18 access control; A.8.7-A.8.9 malware, vulnerabilities, configuration; A.8.13-A.8.14 backup, redundancy; A.8.20-A.8.24 network security, cryptography | PROTECT: PR.AA, PR.AT, PR.DS, PR.PS, PR.IR | Access Control (AC, 03.01); Identification and Authentication (IA, 03.05); Configuration Management (CM, 03.04); System and Communications Protection (SC, 03.13); System and Information Integrity (SI, 03.14); Physical Protection (PE, 03.10) |
| Directions compliance | Duty to comply with confidential Governor in Council cyber security directions within the specified time; disclosing a direction's existence or contents is an offence | No direct analogue; A.5.31 and A.5.36 (legal and policy compliance) are the nearest hooks | No direct analogue; GV.OC-03 (legal and regulatory requirements managed) is the nearest hook | No direct analogue; Planning (PL, 03.15) partially |
| Record-keeping | Duty to keep prescribed records in Canada: program implementation, every reported incident, supply-chain mitigation steps, measures under directions | Clause 7.5 documented information; A.5.33 protection of records | No dedicated category; documentation is implicit across functions | Audit and Accountability (AU, 03.03); evidence expectations across all 17 families. No residency requirement |
How should you read this crosswalk, and what can it not claim?
This CCSPA ISO 27001 mapping is directional: each cell identifies where equivalent work lives, not where compliance is achieved. Three limits matter.
- Regulations do not exist yet. The CCSPA's program content, incident-reporting particulars, mitigation steps, and record-keeping details will all be prescribed by regulation. A crosswalk built in July 2026 maps the Act, not the eventual rulebook.
- Framework scope and statutory scope differ. An ISO 27001 certificate covers the ISMS boundary an organization chose, while CCSPA obligations attach to critical cyber systems supporting a vital service, a boundary the operator does not get to negotiate.
- Voluntary instruments versus enforced law. The frameworks are voluntary instruments assessed by auditors and assessors; the CCSPA is enforced by regulators holding audit powers and administrative monetary penalties of up to $15 million per violation, with each day of a continuing violation counting as a separate violation.
Used within those limits, the mapping does real work. It tells a team which parts of a CCSPA program can be assembled from controls that already run, which parts need deepening, and which parts must be built from nothing. If CPCSC is unfamiliar territory, the CPCSC certification guide explains the regime, and the Bill C-8 versus CPCSC comparison explains why Canada now has two federal cyber mandates that share DNA but bind different populations.
How does the CCSPA program duty map to ISO 27001, NIST CSF, and CPCSC?
ISO 27001 is the only one of the three frameworks that requires a managed, auditable program as a condition of certification, which makes it the natural scaffold for the CCSPA's central duty. Clauses 4 through 7 force an organization to define scope, secure leadership commitment, plan against risk, and resource the system; clause 9.3 forces management to review it. That is recognizably the same shape as the CCSPA requirement to establish a cyber security program and review it annually.
NIST CSF 2.0 added the GOVERN function in 2024 for the same reason: outcomes without ownership do not survive contact with operations. ITSP.10.171 covers the ground through its Planning and Security Assessment and Monitoring families, where the System Security Plan plays the role of the program document.
Where all three fall short is the regulator relationship. The CCSPA requires the program to be established within 90 days of designation, provided to the sector regulator, and kept current with the regulator notified of changes. No framework produces a filing, a deadline, or a notification duty.
An ISO 27001 certificate is strong evidence that a program exists; it is not the program the regulator receives, scoped to the systems the designation covers. Teams that treat the certificate as the finish line are standing in what we call the Program Gap, and the CCSPA has now written that gap into statute.
How does CCSPA risk assessment compare to the frameworks?
All three frameworks require risk assessment in a form a CCSPA program can reuse; what changes is the object the risk is measured against. ISO 27001 clauses 6.1.2 and 8.2 assess risk to the confidentiality, integrity, and availability of information within the ISMS scope. ITSP.10.171's Risk Assessment family (03.11) assesses risk to specified information in defence supply chain systems. NIST CSF 2.0's ID.RA category, steered by the GV.RM risk management strategy, is deliberately object-neutral.
The CCSPA's object is narrower and higher-stakes: the risk that a critical cyber system is compromised in a way that interferes with the continuity or security of a vital service, whether that service is a telecommunications network, a pipeline, a reactor, a federally regulated carrier, a bank, or a clearing and settlement system.
A mature risk methodology transfers directly; the risk register it feeds needs to be re-scoped around service continuity rather than information assets alone. That re-scoping exercise, deciding which systems are critical cyber systems and tracing which failures would interfere with the vital service, is the first piece of genuinely new work the crosswalk identifies.
How does CCSPA supply-chain risk differ from the frameworks?
The CCSPA converts supply-chain risk management from a set of controls into a standing statutory duty that activates the moment a risk is identified. The frameworks provide the machinery: ISO 27001's A.5.19 through A.5.23 govern supplier relationships, agreements, the ICT supply chain, supplier monitoring, and cloud services; NIST CSF 2.0 elevated supply chain to its own GOVERN category, GV.SC; ITSP.10.171 carries the Supply Chain Risk Management and System and Services Acquisition families, both Level 2 territory under CPCSC, as covered in our CPCSC supply chain risk management breakdown.
The statutory duty runs further than any of them. A designated operator that identifies a supply-chain or third-party risk must take reasonable steps to mitigate it, must keep records in Canada of the steps taken, and faces penalties or prosecution for failing to act.
A framework asks whether a supplier management process exists; the Act asks what was done about the specific risk identified on the specific date, and expects the record to prove it. The commercial consequence lands on vendors: operators under this duty will push security requirements, audit rights, and incident-notification clauses downstream into contracts, which means companies selling into the six sectors will feel the CCSPA through procurement long before any regulator speaks to them. The Bill C-8 vendor security requirements analysis covers that flow-down in detail.
The consistent gap
Across all seven rows, the frameworks supply controls and method while the CCSPA adds duties owed to a regulator: a 90-day program filing, incident reporting to the CSE Cyber Centre inside a statutory 72-hour outer limit, obedience to confidential directions, and records held in Canada. No framework certificate produces any of these.
Where do the frameworks fall short on CCSPA incident reporting?
Incident reporting is where every framework falls furthest short of the CCSPA duty, because the frameworks govern internal incident management and the Act requires external regulatory reporting on a clock. The internal half maps cleanly: ISO 27001's A.5.24 through A.5.28 cover incident planning, assessment, response, learning, and evidence collection, with A.8.15 and A.8.16 supplying logging and monitoring; NIST CSF 2.0 dedicates DETECT and RESPOND to the same ground, including RS.CO for incident reporting and communication; ITSP.10.171's Incident Response family (03.06) requires incident handling and reporting channels.
The CCSPA half has no framework equivalent. A designated operator must report a cyber security incident to the Communications Security Establishment's Canadian Centre for Cyber Security within a period to be set by regulation, capped by statute at 72 hours, and must immediately notify its regulator that a report was made. The trigger is wider than most incident definitions: it captures incidents that interfere with, or could interfere with, the continuity or security of a vital service or the confidentiality, integrity, or availability of the critical cyber system. A near miss can be reportable.
ISO 27001's A.5.31 obliges an organization to identify its legal reporting requirements, but identifying a requirement and operating a severity-classification and escalation pipeline that reliably reaches a federal agency inside 72 hours are different capabilities. The second one has to be designed, staffed, and rehearsed, and no audit of the first one proves the second exists.
How well do the frameworks cover CCSPA system protection?
Protection is where the frameworks do the most work for a CCSPA program, because the technical control catalogues map nearly control-for-control. ISO 27001's Annex A supplies access control (A.5.15 through A.5.18), malware defence, vulnerability and configuration management (A.8.7 through A.8.9), backup and redundancy (A.8.13, A.8.14), and network security and cryptography (A.8.20 through A.8.24). NIST CSF 2.0's PROTECT function organizes the same ground into identity and access, awareness, data security, platform security, and infrastructure resilience. ITSP.10.171 distributes it across Access Control, Identification and Authentication, Configuration Management, System and Communications Protection, System and Information Integrity, and Physical Protection, which are also the six families expected at CPCSC Level 1; our ITSP.10.171 explainer breaks down each family.
The caution here is scope, not substance. Critical cyber systems in pipeline, nuclear, transportation, and clearing environments include operational technology, legacy platforms, and on-premises infrastructure that sit outside the cloud-native perimeter where compliance automation tends to live. A control catalogue that is fully implemented across a corporate IT environment may cover a fraction of the systems a designation will name. Mapping controls is the easy half; extending them into the environments that keep the vital service running is where protection programs earn their keep.
Do any frameworks cover CCSPA directions compliance?
No framework anticipates confidential government orders, and no mapping can manufacture an equivalent. Under the CCSPA, the Governor in Council may issue cyber security directions requiring a designated operator to take specified measures within a specified time. Directions are confidential; disclosing the existence or contents of one is itself an offence. The nearest framework hooks are ISO 27001's A.5.31 and A.5.36, which require legal obligations to be identified and met, and NIST CSF 2.0's GV.OC-03, which expects legal and regulatory requirements to be understood and managed. ITSP.10.171 has nothing closer than its Planning family.
What an operator can build in advance is the capability, not the compliance: a defined intake channel for government communications, a need-to-know handling procedure that satisfies the confidentiality offence, and a change-management path that can implement an externally imposed measure on a deadline without broadcasting why. That capability resembles the machinery organizations build for handling lawful-access demands or regulator examinations more than it resembles anything in a control catalogue. It costs little to design now and a great deal to improvise under a live direction.
How do the frameworks handle CCSPA record-keeping?
Every framework demands documentation; none demands that records reside in Canada. ISO 27001's clause 7.5 governs documented information and A.5.33 protects records; ITSP.10.171 generates evidence expectations across all 17 families and dedicates the Audit and Accountability family to accountability records; NIST CSF 2.0, as an outcome framework, assumes documentation without mandating any particular repository.
The CCSPA is more specific on both content and geography: designated operators must keep records of the implementation of the cyber security program, every incident reported, the steps taken to mitigate supply-chain and third-party risks, and the measures taken under any direction, and they must keep those records in Canada, in the manner and place regulations will prescribe.
For teams whose audit evidence lives in a GRC platform or a cloud tenancy, this is a configuration question worth answering early: where does the evidence physically reside, and can residency be fixed to a Canadian region? Platforms like Vanta, Drata, and Secureframe are well suited to carrying a custom CCSPA control set once the regulations land, and centralized evidence collection makes the implementation record the Act demands far easier to produce. The platform handles the collection; deciding what constitutes the record of program implementation for a regulator remains program design work.
What must you build beyond the frameworks?
Read across all seven rows and the pattern is consistent: the frameworks supply controls and method, while the CCSPA demands a program with duties owed to a regulator, and the difference between those two things is the whole game.
A certificate proves an auditor was satisfied at a point in time about a scope the organization defined. The CCSPA asks for a filed program covering systems the government designates, a reporting pipeline that reaches a federal agency inside a statutory window, obedience to orders that cannot be discussed, and records on Canadian soil that prove all of it. Frameworks are the raw material of that program, not its substitute.
Regulator-facing program discipline at the tier the CCSPA is aimed at has a distinct shape: the program document is a living artifact the overseer reads, incident escalation is rehearsed against real clocks, and evidence is organized for the examiner before the examiner asks. That discipline, more than any individual control, is what the six sectors are now being asked to institutionalize.
How do you use this crosswalk?
The crosswalk becomes useful when it drives a sequence rather than a filing cabinet. For an organization that is plausibly in a Schedule 1 sector, or that sells to operators who are, the work between now and the coming-into-force order looks like this:
- Baseline against the table. Load the CSV into your GRC platform or risk register and tag each CCSPA obligation area with the controls your current ISO 27001, NIST CSF, or CPCSC program already evidences. Teams starting from SOC 2 can bridge through our SOC 2 to CPCSC mapping guide first.
- Scope the statutory boundary. Identify which systems would qualify as critical cyber systems supporting the vital service, and compare that boundary against your ISMS or assessment scope. Gaps in scope matter more than gaps in controls.
- Build the regulator-facing artifacts no framework produces. A program document structured for filing, an incident-reporting runbook that assumes a 72-hour outer limit to the CSE Cyber Centre, a directions-handling procedure, and a Canadian-resident evidence repository.
- Assign ownership of the regulatory calendar. Someone on the team should own watching the Canada Gazette for the coming-into-force order, Schedule 2 designations, and draft regulations, because the 90-day program clock starts at designation, not at awareness.
- Coordinate mandates if you hold more than one. Organizations in both the defence supply chain and a Schedule 1 sector should sequence CPCSC and CCSPA work so shared families are built once; the Bill C-8 versus CPCSC comparison maps the overlap.
Organizations that do this before designation treat the 90-day deadline as an administrative step. Those that start at designation discover that a program, unlike a spreadsheet, cannot be produced in a quarter. And because designated operators push these requirements into their contracts, vendors who can answer a CCSPA-shaped questionnaire from an existing program keep deals moving while competitors stall in security review.
If your organization operates in one of the six CCSPA sectors, or sells to designated operators and needs to get ahead of the flow-down, we run a CCSPA readiness gap assessment that maps your existing ISO 27001, SOC 2, or CPCSC program against the seven obligation areas in this crosswalk and returns a prioritized build list for the pieces no framework covers. Book a scoping call to see if it fits.
Close Your CCSPA Program Gap
We map your existing program to the CCSPA and build an effective security program around the gaps no framework covers.
Frequently Asked Questions
Does holding an ISO 27001, NIST CSF, or CPCSC certificate make an operator CCSPA compliant?
No. These mappings are indicative planning aids, and no certificate against any of the three frameworks constitutes CCSPA compliance. The frameworks cover the control substance of a program well, but none produces the regulator-facing duties: the 90-day program filing, incident reporting to the CSE Cyber Centre, directions compliance, and records kept in Canada.
Which CCSPA obligation has no framework equivalent?
Compliance with cyber security directions. No framework anticipates confidential Governor in Council orders, and disclosing a direction's existence is itself an offence. The nearest hooks are ISO 27001's A.5.31 and A.5.36, NIST CSF 2.0's GV.OC-03, and ITSP.10.171's Planning family, but none manufactures an equivalent capability.
Where do the frameworks overlap most with the CCSPA?
Protection of critical cyber systems, where the technical control catalogues map nearly control-for-control: ISO 27001's Annex A access, malware, vulnerability, configuration, backup, network, and cryptography controls; NIST CSF 2.0's PROTECT function; and ITSP.10.171's six CPCSC Level 1 families. The caution is scope, extending controls to operational technology, not substance.
What is ITSP.10.171 and how does it relate to CPCSC?
ITSP.10.171 is the standard behind CPCSC, Canada's defence supply chain certification. It adapts NIST SP 800-171r3 into 97 controls across 17 families. In this crosswalk it carries equivalent work for most CCSPA obligation areas, though it has no direct analogue for directions compliance and no Canadian records-residency requirement.
Do any of these frameworks require records to be kept in Canada?
No. Every framework demands documentation: ISO 27001's clause 7.5 and A.5.33, ITSP.10.171's Audit and Accountability family, and NIST CSF's implicit documentation. None mandates residency. The CCSPA requires records of program implementation, every reported incident, supply-chain mitigation steps, and measures taken under directions to be kept in Canada.
How does the CCSPA incident-reporting duty differ from framework incident management?
The frameworks govern internal incident management: planning, detection, response, and learning. The CCSPA adds external reporting, requiring a report to the CSE Cyber Centre within a regulation-set period capped at 72 hours, plus immediate regulator notification. The trigger is wide enough that a near miss can be reportable.
Ready to Start Your Compliance Journey?
Get a clear, actionable roadmap with our readiness assessment.
About the Author
Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
Ready for CPCSC Level 1?
Score your readiness across the 6 expected control families. Free.
Take the Scorecard