Directive on Security Management

Aims to achieve efficient, effective and accountable management of security within departments and agencies.
Date modified: 2019-07-01

The Directive on Security Management and its Mandatory Procedures took effect on July 1, 2019. It replaced the Directive on Departmental Security Management, as well as the Operational Security Standard - Business Continuity Planning (BCP) Program, the Operational Security Standard on Physical Security, the Operational Security Standard - Readiness Levels for Federal Government Facilities, and the Operational Security Standard: Management of Information Technology Security (MITS).

Appendix D: Mandatory Procedures for Business Continuity Management Control

D.1 Effective date

  • D.1.1 These procedures take effect on July 1, 2019.

D.2 Procedures

  • D.2.1 These procedures provide details on the requirements to support the deputy head accountability.
  • D.2.2 Procedures are as follows:
    • D.2.2.1 Business continuity management practices: Define, document and maintain departmental business continuity management practices, addressing:
      1. Processes for conducting business impact analysis and for developing business continuity plans, measures and arrangements;
      2. Coordination of business continuity management with security event management and emergency management activities;
      3. Processes and timelines for providing awareness and training and for testing business continuity plans, measures and arrangements;
      4. Coordination with partners and other stakeholders; and
      5. Processes and timelines for review and maintenance of business impact analysis and business continuity plans, measures and arrangements.
    • D.2.2.2 Business impact analysis: Define departmental business continuity management requirements for all departmental services and activities supporting continued availability of services and associated assets that are critical to the health, safety, security or economic well-being of Canadians or to the effective functioning of government, based on an analysis of the potential impacts of disruption:
      • D. a security category to services and activities commensurate with the degree of injury that could reasonably be expected as a result of their interruption or degradation, and, where appropriate, group services and activities of equivalent criticality (see Appendix J: Standard on Security Categorization);
      • D. with clients (for services provided to another department) and other stakeholders who may be affected by disruptions in departmental services or activities, to inform them of continuity requirements, strategies and priorities;
      • D. information to the Treasury Board of Canada Secretariat, on a regular basis or when requested, regarding the department’s identified critical services and activities;
      • D. business continuity management requirements, expressed as maximum allowable downtime, minimum service levels, recovery time objectives and recovery point objectives;
      • D. continuity strategies and recovery priorities;
      • D. supporting resources, including employees, contractors, suppliers, information and assets such as information systems, materiel and facilities, including where the department relies on or supports another organization in delivering a service or activity; and
      • D. any existing operational plans that support business continuity management requirements.
    • D.2.2.3 Business continuity plans, measures and arrangements: Establish business continuity plans, measures and arrangements based on the results of the business impact analysis.
    • D.2.2.4 Awareness and training: Provide awareness and training to all individuals, including specialized training for individuals directly involved in the implementation of business continuity plans, in accordance with departmental practices.
    • D.2.2.5 Testing: Conduct regular testing of business continuity plans to ensure an acceptable state of preparedness, in accordance with departmental practices.
    • D.2.2.6 Monitoring and corrective actions: Review and maintain business impact analysis and business continuity plans, measures and arrangements, while considering changes in services, activities, resources or threat environment, based on the results of tests and the activation of plans, to ensure business continuity management practices continue to meet the needs of the department.