IIROC Cybersecurity Self-Assessment Tool for IIROC Firms

Type: Education Notice
Distribute internally to:
Cybersecurity & Technology
Internal Audit
Legal and Compliance
Regulatory Accounting
Senior Management


Cybersecurity & Technology


IIROC has developed a cybersecurity self-assessment tool (self-assessment tool) primarily for small and medium- sized IIROC firms. The purpose of the self-assessment tool is to help IIROC firms identify areas of strength and weakness based on their information security practices. The scope encompasses most practices at IIROC firms that affect cybersecurity.


Regular self-assessments1 are a critical component of a firm’s cybersecurity program. They help firms and organizations identify gaps and vulnerabilities in their cybersecurity controls and strengthen and enhance the overall cybersecurity posture and maturity of the firm.

IIROC required mandatory self-assessments of all our member firms in 2016 and again, in 2018. The results provided both IIROC and the firms useful information about the posture and maturity of firms and the industry. The results helped guide IIROC’s future responses and educational initiatives, and helped firms identify areas of improvement and enhancement.

Following the success of the past self-assessments and considering the importance of regular self-assessments, IIROC developed a free self-assessment tool to encourage IIROC firms to continuously evaluate and assess their cybersecurity posture.

We engaged Deloitte, who developed and facilitated the mandatory self-assessments in 2016 and 2018, to develop the new self-assessment tool. A working group of IT and security experts from small and medium-sized IIROC firms tested and provided feedback to IIROC and Deloitte to help make the self-assessment tool relevant, easy-to-use, accessible, and useful for IIROC firms.

What framework is the self-assessment tool based on?

The self-assessment tool is based on the NIST Cybersecurity Framework version 1.1 and Cybersecurity Maturity Model Certification (CMMC) 1.0 and parts of version 2.0.2 The easy-to-use questionnaire identifies capabilities that should be in place for various domains, and will help firms highlight areas of weakness to improve upon.

What are IIROC’s expectations around the use of the self-assessment tool?

The use of the self-assessment tool is voluntary. However, given the ever-growing threat of cyberattacks and risk of cyber breaches, we strongly recommend that all firms conduct a cybersecurity self-assessment as often as needed but at least once every two years to assess their posture and maturity and identify any critical gaps.

How can I get the self-assessment tool?

The self-assessment tool is available to IIROC firms. The firm’s UDP, CFO or CCO can request a copy of the self-assessment tool from IIROC by filling out this form.

How do I complete the self-assessment tool?

These are the steps to follow:

  1. Fill out the Categorization Survey. The categorization survey will identify which tier3 of firm you are today and accordingly, which questions need to be answered.
  2. Fill out the Threat Risk Profile to identify areas of concern based on potential threats to your organization.
  3. Fill out the CMMC Questionnaire by checking the practices and controls that you use to manage information security risk.

What reporting or results will the self-assessment tool provide?

The results of the self-assessment will provide an indication of the relative risk associated with the collection of cybersecurity measures protecting the IIROC firm being assessed.

These results will be summarized in three main reports:

  • Domain area by Risk
  • Assessment results by Domain
  • Assessment results by Capability

How can I get more information on how to use the self-assessment tool?

You can get further information on the self-assessment tool by

  1. watching a short instructional video to provide guidance on how to use the self-assessment tool.
  2. sending questions on the self-assessment tool to [email protected]
  3. referring to the Cybersecurity & Technology section of our website for additional guides and resources that will help IIROC firms protect themselves and their clients against cybersecurity threats and attacks.
  • 1Refer to NIST’s Guide for Conducting Risk Assessments
  • 2IIROC will review and update the tool every two years to incorporate any material changes to the NIST framework and/or CMMC.
  • 3According to the NIST Cybersecurity Framework, “Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.” It is important to note that Tiers do not represent maturity levels. Tiers are meant to support organizational decision-making to manage cybersecurity risk, as well as identify which dimensions of the organization are higher priority and could receive additional resources. Progression to higher Tiers is encouraged when a cost-benefit analysis indicates a feasible and cost-effective reduction of cybersecurity risk. Please refer to IIROC’s Cyber Governance Guide for information on the Operating Tier Framework.

Welcome to CIRO.ca!

We have a new look! You can find the Canadian Investment Regulatory Organization (CIRO) at CIRO.ca with our fresh look and feel.

You can now find new publications published by CIRO since January 1, 2023 on CIRO.ca. If you are looking for past notices or bulletins published by MFDA or IIROC, you can find those on our legacy websites. Enforcement related content will continue on those websites as well.

You can now find previous Annual Reports and Enforcement Reports on CIRO.ca, along with Halts and Resumption, and our ePublications sign up (for all previous MFDA and IIROC subscriber lists).

We will continue moving items off MFDA and IIROC in 2023/2024. Stay tuned for future updates.