ITSG-33 — Canadian Centre for Cyber Security IT Security Risk Management
IT Security Guidance Publication 33 (ITSG-33) — IT Security Risk Management: A Lifecycle Approach — is the foundational risk-management framework for the Government of Canada, published by the Canadian Centre for Cyber Security (a part of the Communications Security Establishment). Federal departments procuring ITAD services typically reference ITSG-33 in their RFPs. For Maxicom federal-department engagements, ITSG-33 alignment is the operational baseline.
ITSG-33 scope and application
ITSG-33 applies to all federal departments and agencies procuring IT services where cyber risk is in scope. ITAD engagements are in scope. The framework references NIST SP 800-53 controls plus Canadian-government-specific controls; the catalogue is harmonised with U.S. federal practice for cross-border interoperability.
Operator vetting under ITSG-33
ITSG-33 requires personnel security commensurate with the classification of the data handled. Maxicom's federal engagements use cleared operators (Reliability or Secret clearance, set per engagement) who are background-checked, NDA-bound and escort-trained. The cleared-operator pool is documented for each engagement.
Federal department engagement profile
Federal departments retire equipment in predictable volumes through Public Services and Procurement Canada (PSPC) procurement vehicles. Engagements run at the programme level and are NDA-bound. Witnessed destruction is standard, carried out under on-site or cleared-area destruction protocols.
Treasury Board IT Asset Disposition Policy
The Treasury Board of Canada Secretariat issues IT Asset Disposition guidance that complements ITSG-33, covering asset categorisation, sanitisation and environmental disposition. Maxicom certificates reference both ITSG-33 and the Treasury Board guidance for federal engagements.
Authoritative references
Primary sources for the standards and frameworks referenced on this page. Maxicom maps every engagement to these recognised authorities.
Frequently asked questions
Are your operators cleared for federal Canadian engagements?
Yes. Operators hold Reliability or Secret clearance, according to the engagement profile. The cleared-operator pool is documented, and operators are assigned per engagement.
How does ITSG-33 compose with PIPEDA?
PIPEDA applies to personal information regardless of whether ITSG-33 also applies; ITSG-33 covers the broader cyber risk management. The two apply together, and Maxicom certificates satisfy both.
What about classified-material destruction?
Destruction is carried out on-site in a cleared area with a witness, with a per-asset certificate and chain of custody under cleared protocols. The specifics depend on the engagement's classification level.