CyberSecurity Governance

How to Build a Cybersecurity Risk Framework From Scratch

by Mile2 Canada · 4 minutes read · June 5, 2026
How to Build a Cybersecurity Risk Framework From Scratch — photo by Werner Pfennig via Pexels

Forty-three percent of Canadian organizations were targeted in a cyber attack in the past twelve months. Of those hit, 74% who faced ransomware paid the ransom. These are not abstract statistics — they represent organizations without a structured risk framework absorbing costs that a defined process would reduce. If you are responsible for security governance at your organization and you do not have a formal risk framework in place, this post is for you.

What a Risk Framework Actually Is

A cybersecurity risk framework is not a policy document. It is not a checklist. It is a repeatable process for identifying what you need to protect, assessing what threatens it, deciding what to do about it, and monitoring whether your decisions are working.

The Canadian Centre for Cyber Security’s ITSG-33 — the Government of Canada’s primary risk management standard — defines this as a lifecycle: Define, Deploy, Monitor and Assess, and Identify. ITSG-33 is mandatory for federal departments and agencies, but the lifecycle approach it describes applies equally to any organization handling sensitive data.

For smaller organizations, the CCCS Baseline Cyber Security Controls for Small and Medium Organizations offers a practical starting point aligned with the same principles, without the overhead of a full government implementation.

Step 1: Define What You Are Protecting

Start with an asset inventory. You need to know what data your organization holds, where it lives, who accesses it, and what systems it passes through. This is not optional groundwork — it is the foundation of every decision that follows.

Classify your assets by sensitivity and business impact. Personal information governed by PIPEDA, financial records, operational systems, and customer data each carry different risk profiles. You assess risk against these classifications, not against your infrastructure in the abstract.

Step 2: Identify and Assess Threats

Once you know your assets, map threats to them. The CCCS National Cyber Threat Assessment 2025-2026 identifies ransomware as the leading threat to Canadian critical infrastructure, with state-sponsored actors from the People’s Republic of China representing the most sophisticated threat to Canadian organizations. Your threat profile will differ based on your sector, but the NCTA gives you a credible baseline for prioritization.

Threat assessment has two components: likelihood and impact. A threat that is highly probable but low-impact does not demand the same response as one that is rare but organization-ending. Your risk scoring needs to account for both, and your decisions need to be traceable back to that scoring.

Step 3: Select and Implement Controls

With assessed risks in hand, you choose controls. ITSG-33 provides a security control catalogue mapped to risk levels. For non-government organizations, NIST CSF 2.0 — which CCCS explicitly aligns with — organizes controls across six functions: Govern, Identify, Protect, Detect, Respond, and Recover.

The Govern function is where many organizations shortchange themselves. Governance means someone owns this. Roles are assigned. Accountability is documented. Without governance, controls get implemented and then drift as systems change and people move on.

Prioritize controls by residual risk. After you account for existing measures, which risks remain above your acceptable threshold? Those get addressed first. Organizations that try to implement everything at once typically implement nothing well.
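To make Steps 2 and 3 concrete, here is an added example (not from the Mile2 post) of a minimal risk register: each entry ties a classified asset to a threat, scores likelihood and impact, applies existing controls to get residual risk, and lists what is still above the acceptable threshold with a rationale that traces the decision back to its scoring. The 1 to 5 scales, the model of a control as a fixed point reduction, and every asset, threat and score below are constructed assumptions.

```python
# Added example, not from the Mile2 post: a minimal risk register that scores
# likelihood x impact, applies existing controls for residual risk, and lists
# what remains above the acceptable threshold. All values are constructed.
from dataclasses import dataclass, field

@dataclass
class Risk:
    asset: str            # Step 1: what is being protected
    classification: str   # Step 1: sensitivity / business-impact class
    threat: str           # Step 2: threat mapped to this asset
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (organization-ending)
    # Step 3: existing controls -> (factor they reduce, points reduced)
    controls: dict = field(default_factory=dict)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        lk, im = self.likelihood, self.impact
        for factor, points in self.controls.values():
            if factor == "likelihood":
                lk -= points
            elif factor == "impact":
                im -= points
        return max(1, lk) * max(1, im)   # a control never drives a factor below 1

def prioritize(register: list, threshold: int) -> list:
    """Risks still above threshold after controls, highest residual first,
    each with a rationale that traces the decision back to its scoring."""
    above = sorted((r for r in register if r.residual() > threshold),
                   key=lambda r: (r.residual(), r.impact), reverse=True)
    return [{
        "asset": r.asset, "threat": r.threat,
        "inherent": r.inherent(), "residual": r.residual(),
        "rationale": f"{r.classification}: L{r.likelihood} x I{r.impact} = {r.inherent()}; "
                     f"controls {sorted(r.controls)} leave {r.residual()} > {threshold}",
    } for r in above]

# Constructed sample register (illustrative scores, not real assessments).
REGISTER = [
    Risk("Customer database", "PIPEDA personal information", "ransomware", 4, 5,
         {"offline backups": ("impact", 2), "EDR": ("likelihood", 1)}),
    Risk("Payroll system", "financial records", "credential phishing", 4, 3,
         {"MFA": ("likelihood", 2)}),
    Risk("Public website", "operational system", "defacement", 3, 2),
]
for item in prioritize(REGISTER, threshold=6):
    print(item["residual"], item["asset"], "-", item["rationale"])
```

With the threshold at 6 only the customer database remains above it (residual 9); the payroll risk sits exactly at 6 and is accepted, which is the kind of explicit, documented decision the framework is meant to produce.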

Step 4: Monitor Continuously

A framework is not a project. It is an ongoing process. Controls degrade. Threats evolve. Systems change. Monitoring closes the loop between what you decided and what is actually happening.

ITSG-33 structures monitoring at two levels: departmental (organizational security posture) and information system (specific technical controls). You need both. Executive-level risk reporting and technical monitoring serve different audiences and feed different decisions.

Security now averages 19.5% of total IT budgets across Canadian organizations in 2026, up from 17% in 2025. Organizations that invest in continuous monitoring and security automation report average breach costs of CA$5.19 million, versus CA$8.53 million for those operating without it. Monitoring is not overhead — it is how you protect your investment in controls.

Step 5: Assign Ownership and Train for the Role

A risk framework without qualified ownership fails at implementation. The people responsible for running this process need structured knowledge in risk assessment methodology, control selection, and governance reporting.

The Certified Information Security Risk Manager (CISRM) certification from Mile2 trains security professionals specifically in risk management processes — from threat and vulnerability assessment through control implementation and continuous monitoring. It is built for the person who owns this work, not for someone who is learning about risk in the abstract.

For professionals responsible for managing the broader security program in which risk management sits, the Certified Information Systems Security Manager (CISSM) builds on risk knowledge with program management, policy development, and reporting to leadership.

The Framework Is a Decision Tool

Every step of a cybersecurity risk framework is a decision: what matters, what threatens it, what to do, and whether it is working. Organizations that formalize this process make better decisions faster. They spend on the right controls. They report accurately to leadership. They respond to incidents with documented playbooks rather than improvised reactions.

Building a framework from scratch takes time. But you are not starting from nothing — CCCS guidance, ITSG-33, and the CCCS Baseline Controls give Canadian organizations a credible foundation. Your job is to apply them to your specific environment, document your decisions, and keep the process running.

That is what risk management looks like in practice.
