Security and privacy controls and assurance activities catalogue (ITSP.10.033) – Canadian Centre for Cyber Security
Summary
March 2026. Practitioner series. This catalogue (ITSP.10.033) from the Canadian Centre for Cyber Security provides a comprehensive set of security and privacy controls and associated assurance activities. It explains the structure and organisation of controls, implementation approaches and robustness levels, and groups controls into families such as Access control, Awareness and training, Incident response and Supply chain risk management. The document is designed for practitioners to map requirements to controls and to select assurance activities that support risk management and compliance.
Key Points
- The catalogue links security and privacy requirements to concrete controls and assurance activities to support implementation and verification.
- Controls are organised into families (for example Access control; Assessment, authorisation and monitoring; System and communications protection) to aid navigation and application.
- Guidance covers implementation approaches and how to scale control robustness according to assessed risk.
- Intended audience includes practitioners, risk managers, security leads and compliance teams responsible for cyber security and privacy risk.
- The publication includes supporting figures (e.g. Figure 1) and a works cited section to help align with other standards and references.
Content summary
The document opens with purpose, scope and audience, then sets out concepts and structure: how requirements, controls and assurance activities relate. It defines the organisation of controls and assurance activities and describes implementation approaches and robustness considerations. The core of the catalogue enumerates control and assurance activity families covering operational and management areas (from Access control to Supply chain risk management), offering a reference practitioners can use to select, justify and evidence controls within their risk management lifecycle.
Context and relevance
This catalogue is timely given increasing regulatory scrutiny on privacy and the growing complexity of cyber threats and supply chains. Organisations can use it to align internal controls with national best practice, strengthen assurance processes and demonstrate due diligence to regulators and partners. It is especially relevant for those needing a structured, standards-aligned control set to support assessments, authorisations and monitoring.
Why should I read this?
Short answer: if you look after security, privacy or risk, this is a tidy referee's notebook for what to do and how to prove you did it. It cuts out the faff of hunting through multiple sources and gives a ready-made family breakdown you can map straight onto systems, audits and supplier checks.
Source
Source: https://cyber.gc.ca/en/guidance/cyber-security-privacy-risk-management/itsp10033