CAN/DGSI 104:2021 / Rev 1: 2024

This Standard specifies a minimum set of cyber security controls intended for small and medium organizations which typically have less than 500 employees. NOTE 1: Organizations with more than 500 employees may also benefit from leveraging this standard as a starting point to improve their cyber security posture. They will have to evaluate whether their unique situations warrant additional cyber security investments or not. NOTE 2: Organizations (regardless of size) that handle personally identifiable information, financial, sensitive, or private information, have high-availability requirements of their systems or supply into high-risk sectors (such as critical infrastructure or military) may require additional cyber security controls and requirements beyond the scope of this document. Each organization would need to make this evaluation for themselves. NOTE 3: While it is encouraged that organizations always consider physical security as a key aspect of their cyber security program, given the complexity and resources required, it is out of scope of this Standard.