Empowering the Business of Cybersecurity

Synergies Between CSA Z246.1 and ISO 27001

As of May 31, 2025, CSA Z246.1 will be in effect in Alberta, joining British Columbia, where it is already enforced. Many organizations are finding compliance easier because they already run programs of similar design and maturity. However, those subject to the 2021 version of CSA Z246.1 may face challenges in meeting compliance. For organizations with less mature cybersecurity programs, there are viable options to consider. Both CSA Z246.1 and ISO 27001 use the Plan-Do-Check-Act (PDCA) cycle, a proven model for business operations and continuous improvement across many industries. While both standards follow the PDCA framework, they have distinct requirements.

The 2021 version of CSA Z246.1 elaborates on cybersecurity requirements, expanding beyond the Information Technology and ICS security mandates of prior versions. Meeting these elaborated requirements may call for additional guidance to mitigate risks effectively.

PDCA for CSA Z246.1 and ISO 27001

ISO standards, including ISO 27001, also use the PDCA framework, which makes it straightforward to model CSA Z246.1 clauses on ISO standards where applicable. For example, Clause 5: Security Risk Management can be modeled after ISO 31000, and Clause 10: Security Incident Management can be modeled after ISO/IEC 27035.

ISO 27001 compliance offers access to an international community with extensive experience developing, implementing, and operating similar programs across diverse industries. Although CSA Z246.1 is specific to the oil and gas sector, management systems are practiced globally in industries such as power, finance, health, retail, and manufacturing.

CSA Z246.1 and ISO 27001 Comparison

The following chart illustrates the similarities between Clause 5: Security Risk Management in CSA Z246.1 and ISO 27001:

This comparison is only an example and should be customized to reflect your organization’s specific requirements. While there is no one-size-fits-all solution, adopting a proven approach can simplify the development of a new business function.

Other frameworks, such as those from NIST, offer strengths but may lack the depth of guidance on people and processes required for CSA Z246.1. Regardless of the chosen management system, CSA Z246.1 and ISO 27001 requirements are clear yet leave room for interpretation. The increased focus on cybersecurity in the 2021 version of CSA Z246.1 may make it harder to find precedents to build upon. While the Canadian Energy Regulator (CER) is highly supportive, licensees are ultimately responsible for their own compliance and must justify their decisions. Statements like “Because they told me so” or “I heard others are doing it this way” will not suffice as program justification.

ISO 27001 is a credible and reliable alternative to greenfield programs due to decades of evolution and maturity. Numerous industry experts and resources are available to guide the implementation of an Information Security Management System (ISMS) program, which can be adapted to CSA Z246.1. Both ISO 27001 and CSA Z246.1 requirements must be integrated with appropriate business needs.

Developing a compliance program involves assessing it prior to formal audits. These assessments are typically informal and include consultation, whereas audits have binary outcomes of pass or fail without consultation. Modeling a compliance program on a greenfield solution may require more justification and resources. While greenfield projects foster creativity and impose fewer constraints, they can also be overwhelming and resource-intensive.

Conclusion

In conclusion, licensees have several options for compliance with CSA Z246.1: greenfield solutions, templating existing internal programs, or adopting ISO 27001. Consider your organization’s requirements, resources, expertise, culture, structure, constraints, business goals, and other factors critical to your business. Weighing these factors will support your decision-making process. While there may be overlaps with other organizations, ensure your own requirements are integrated into your unique program. Just as no two businesses are truly alike, neither are their supporting programs.

If reinventing the wheel makes sense due to unique requirements, then pursue that path. However, if there are no stringent requirements preventing your organization from modeling after ISO 27001, give it strong consideration.