Cyber security and privacy risk management: A lifecycle approach – Canadian Centre for Cyber Security

Summary

This guidance from the Canadian Centre for Cyber Security is part of a series on cyber security and privacy risk management using a lifecycle approach. It provides definitions of assurance activities and security and privacy controls, and offers a controls and assurance activities catalogue (ITSP.10.033) that practitioners can use as a foundation to select, tailor and allocate measures across systems and organisations. A suggested organisational profile for medium-impact environments is noted as coming soon. The document was last modified on 2026-03-31.

Key Points

  • Defines assurance activities and security/privacy controls to support a lifecycle approach to risk management.
  • Presents a controls and assurance activities catalogue (ITSP.10.033) for practical selection and tailoring.
  • Intended as a foundational resource for allocating controls across systems and organisational levels.
  • Helps organisations align security and privacy measures with business activities and risk appetite.
  • Includes reference to an upcoming suggested organisational profile for medium-impact systems.
  • Published by the Canadian Centre for Cyber Security — an authoritative source for Canadian public-sector and critical infrastructure guidance.

Content summary

The publication outlines the components of a lifecycle approach to cyber security and privacy risk management. It describes assurance activities (what to test and verify) and the catalogue of controls (what to implement), and explains how practitioners can combine and adapt these elements to meet organisational needs. The material is designed to be practical: use the catalogue to build tailored control sets, map assurance activities to those controls, and demonstrate how they support confidentiality, integrity and availability while protecting privacy.

Links and references include the detailed controls catalogue (ITSP.10.033) and a note about a forthcoming medium-impact profile (ITSP.10.033-1). The guidance is aimed at those responsible for designing, implementing or auditing cyber and privacy risk controls.

Context and relevance

This guidance matters because it translates high-level risk management principles into an actionable catalogue and assurance language that organisations can adopt. It supports trends such as privacy-by-design, integrated security/privacy governance, and demonstrable controls for regulatory or procurement requirements. For CISOs, security architects, privacy officers and auditors, the document is a practical reference to standardise control selection and assurance across programmes.

Why should I read this

Look — if you deal with security or privacy risks, this is the tidy toolkit you didn’t know you needed. It bundles definitions, a controls catalogue and assurance activities so you can stop guessing which controls matter and start mapping them to your systems. Quick win: saves time when building control sets or preparing for audits.

Author style

Punchy and no-nonsense: this is a practitioner’s reference. If your role touches controls or compliance, treat this as a go-to manual. If you don’t, skim the key points — they’re a fast way to get up to speed.

Source

Source: https://cyber.gc.ca/en/guidance/cyber-security-privacy-risk-management