The SOC 2 timeline that’s actually realistic.
Most "SOC 2 in 90 days" pitches assume you start with nothing to fix. Here’s what the real journey looks like, month by month.
Plain-language guides, real-world case studies, and a glossary that actually explains what the acronyms mean — written by certified practitioners who do this work every day.
The Govern function is the headline change, but the deeper shift is in measurement. We break down what’s genuinely different.
The checklist we run on every new fractional engagement — risk register, board pack, audit map, vendor inventory.
Cloud-everywhere is the default, but for compliance evidence, your AI inference, and certain control data, self-hosted still wins.
A reference for the acronyms and frameworks that come up most often in compliance and security work. Bookmark it — we update as new frameworks emerge.
A security framework developed by the AICPA that defines how service organizations should handle customer data based on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Most enterprise buyers require vendors to be SOC 2 compliant.
Type I assesses security controls at a single moment — a snapshot. Type II evaluates controls over a period (typically 3–12 months) to verify they operate consistently. Most companies start with Type I and progress to Type II.
The 2022 revision of ISO’s information security management system (ISMS) standard. Widely used outside North America and increasingly required by European and Asian enterprise buyers. Includes 93 controls across 4 themes.
Released in 2024, NIST CSF 2.0 is the updated U.S. National Institute of Standards and Technology cybersecurity framework. Adds the Govern function to the original five (Identify, Protect, Detect, Respond, Recover) and covers 106 subcategories.
Canada’s federal privacy law governing how private-sector organizations collect, use, and disclose personal information during commercial activities. Applies to every business operating in Canada. Requires consent, safeguards, and breach notification.
A security model that assumes no user or device is trusted by default, regardless of whether they’re inside the network perimeter. Every access request is verified, authenticated, and authorized. Often summarized as "never trust, always verify."
The principle that data is subject to the laws of the country where it’s physically stored. Critical for Canadian federal, provincial, and regulated-industry organizations that must keep data inside Canadian borders and out of US CLOUD Act reach.
The discipline of managing digital identities — users, service accounts, machine identities — and controlling their access to systems and data. Core practices include SSO, MFA, RBAC, PAM, and periodic access reviews.
A security mechanism requiring two or more verification factors to access a resource. Factors fall into three categories: something you know (password), something you have (phone, token), something you are (biometric). MFA is the single highest-ROI control for most organizations.
A vulnerability assessment scans for known weaknesses and produces a prioritized list. A penetration test attempts to actively exploit weaknesses to determine real-world impact. Pen tests are slower and more expensive but reveal chained attack paths that VAs miss.
Field notes, playbooks, and the occasional war story. Written for security teams who’d rather read 800 useful words than skim a 4,000-word listicle.