OSFI B-13 v2022
Canadian OSFI Technology and Cyber Risk Management
Framework data extracted from the Secure Controls Framework (SCF) v2025.4 Set Theory Relationship Mapping (STRM) files, licensed under CC BY-ND 4.0. Attribution required per license terms.
1 — Governance and Risk Management (9 controls)
1 Governance and Risk Management Outcome
1.1 Accountability and Organizational Structure
1.1.1 Senior Officer Accountability
1.1.2 Organizational Structure and Risk Culture
1.2 Strategic Technology and Cyber Plan
1.2.1 Strategic Plan Elements
1.3 Technology and Cyber Risk Management Framework
1.3.1 RMF Establishment and Review
1.3.2 RMF Elements
2 — Technology Operations and Resilience (35 controls)
2 Technology Operations and Resilience Outcome
2.1 Technology Architecture Framework
2.1.1 IT Architecture Governance Principles
2.1.2 Secure and Resilient Architecture Design
2.2 Technology Asset Management
2.2.1 Asset Management Standards
2.2.2 Asset Inventory and Classification
2.2.3 Configuration Management
2.2.4 Secure Asset Disposal
2.2.5 Technology Currency Monitoring
2.3 Technology Project Management
2.3.1 Project Management Framework
2.4 System Development Life Cycle
2.4.1 SDLC Framework Controls
2.4.2 Security-by-Design in SDLC
2.4.3 Integrated Application Security
2.4.4 Acquired Software Security Assessment
2.4.5 Secure Coding Practices
2.5 Change and Release Management
2.5.1 Change Management Controls
2.5.2 Segregation of Duties
2.5.3 Change Record Traceability
2.6 Patch Management
2.6.1 Patch Management Process
2.7 Technology Incident Management
2.7.1 Incident and Problem Management Standards
2.7.2 Incident Response Procedures
2.7.3 Problem Management and Root Cause Analysis
2.8 Technology Service and Capacity Management
2.8.1 Service Management Standards
2.8.2 Performance and Capacity Monitoring
2.9 Enterprise Disaster Recovery Program
2.9.1 Disaster Recovery Planning
2.9.2 Disaster Recovery Dependencies
2.9.3 Disaster Recovery Testing
3 — Cyber Security (32 controls)
3 Cyber Security Outcome
3.0 Cyber Security Overview
3.1 Cyber Security Identification and Assessment
3.1.1 Threat Assessment
3.1.2 Intelligence-Led Testing
3.1.3 Vulnerability Assessment
3.1.4 Data Classification and Protection
3.1.5 Threat Intelligence and Information Sharing
3.1.6 Threat Modeling and Hunting
3.1.7 Security Awareness and Reporting
3.1.8 Cyber Security Risk Profile
3.2 Preventive Cyber Security Controls
3.2.1 Secure-by-Design Practices
3.2.2 Cryptographic Controls
3.2.3 Critical Asset Protection
3.2.4 Multi-Layer Defence Controls
3.2.5 Data Protection Controls
3.2.6 Vulnerability Remediation
3.2.7 Identity and Access Management
3.2.8 Security Configuration Baselines
3.2.9 Application Security Testing
3.2.10 Physical Access Management
3.3 Security Detection and Monitoring
3.3.1 Security Event Logging
3.3.2 Security Information and Event Management
3.3.3 Alert Triage and Response
3.4 Cyber Incident Response and Recovery
3.4.1 Incident Escalation and Coordination
3.4.2 Cyber Incident Taxonomy
3.4.3 Incident Management Playbooks
3.4.4 Cyber Incident Response Team
3.4.5 Forensic Investigation and Post-Incident Review