CPCSC Level 2 Control

Last updated June 25, 2026

03.02.02Awareness and training

CPCSC Level 2 03.02.02: Role-Based Training

Apply role-based training to make sure people understand their responsibilities before they handle specified information for CPCSC Level 2 readiness. This guide separates the official ITSP.10.171 control language from practical implementation, evidence, auditor questions, and related controls.

Open Level 2 Guide Browse Level 2 Controls

Formal Control Language

Official ITSP.10.171 wording for 03.02.02. Use the Cyber Centre publication and contract requirements as the source of truth for certification, assessment, or procurement submissions.

  • Provide role-based security and privacy training to organizational personnel: before authorizing access to the system or specified information, before performing assigned duties, and [Assignment: organization-defined frequency] thereafter
  • when required by system changes or following [Assignment: organization-defined events]
  • Update role-based training content [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]

Contains information sourced from Government of Canada material used under the Open Government Licence - Canada.

What This Means In Plain English

Role-Based Training is part of the CPCSC Level 2 Awareness and training family. This is about proving people understand the behaviours expected of them before they handle specified information or perform privileged work.

For a founder, CISO, engineer, or compliance owner, the practical question is whether role-based training is visible in real operating evidence: a setting, workflow, ticket, log, approval, review, or exception record that can survive an external assessment.

Level 2 is different from Level 1 because the evidence has to survive an external assessment. A policy statement helps, but the stronger answer is a record that shows who did the work, when it ran, what system setting or workflow enforced it, and how exceptions were handled.

How To Implement It

1

Define the in-scope systems, owners, users, vendors, and data flows affected by role-based training.

2

Assign baseline training to all in-scope personnel, add role-based training for admins and delivery teams, and keep completion records tied to onboarding and annual refreshes.

3

Translate the formal requirement into one or two operating procedures: who performs it, how often, where it is recorded, and who approves exceptions.

4

Configure the relevant systems so the control is enforced by identity, endpoint, cloud, network, ticketing, monitoring, vendor, or documentation workflows rather than memory.

5

Keep evidence in a consistent folder, GRC system, ticket queue, or audit workspace so an assessor can trace the control from requirement to implementation to review.

Evidence Normally Gathered

Role-Based Training: training assignments.

Role-Based Training: completion reports.

Role-Based Training: role-based training material.

Role-Based Training: onboarding records.

Role-Based Training: annual refresh records.

Role-Based Training: owner assignment and review cadence.

Role-Based Training: exception, remediation, or POA&M records when the control is not fully implemented.

Common Auditor Questions

Where is role-based training implemented in the in-scope environment?

Who owns role-based training, and how do they know it is operating?

Show the evidence that proves role-based training ran during the assessment period.

What happens when role-based training fails, is bypassed, or has an exception?

How does this control connect to the system security plan, risk register, POA&M, and related CPCSC controls?

Sources

Source and attribution.

Formal control language is sourced from the Canadian Centre for Cyber Security ITSP.10.171 publication. CPCSC Level 2 assessment context references the Government of Canada CPCSC program overview and ITSP.10.171-01 assessment guidance.

CPCSC Program OverviewITSP.10.171ITSP.10.171-01Open Government Licence - Canada