This Annex is part of a series of guidelines on information technology (IT) security risk management that
the Communications Security Establishment Canada (CSEC) issues under the Information Technology
Security Guidance publication number 33 (ITSG-33) to help Government of Canada (GC) departments
and agencies implement, operate, and maintain dependable information systems.
The ITSG-33 guidelines describe an IT security risk management process that includes activities at two
distinct levels: the departmental level and the information system level.
This Annex suggests an information system security implementation process (ISSIP). The goal of ISSIP
is to help IT projects implement security solutions in information systems that satisfy the security
objectives of confidentiality, integrity, and availability of the departmental business activities that
information systems support. For the purposes of this Annex, an IT project is defined as a temporary
endeavour undertaken to implement a new information system, or to implement significant changes to an
existing information system. It implies that each IT project ends when the new information system has
been implemented or has been altered and an IT operations organization has assumed operational

Adherence to the ITSG-33 guidelines has many benefits for departments, including compliance with the
overall risk management strategy and objectives established by Treasury Board of Canada Secretariat
(TBS), addressing key aspects of IT security in an efficient manner, and consistently and cost-effectively
managing IT security risks.