IM/IT standards frequently asked questions

Last updated on December 17, 2025

Get answers to common IM/IT standards questions.

Standards and policies

What is the difference between an IM/IT Standard and Information Security Policy or Core Policy?

A policy is a statement of intent, whereas a standard is a convention or requirement. As an example, a policy may state that "you must encrypt sensitive traffic" and a corresponding standard may specify to use "128-bit SSL encryption."

Contact for questions related to Information Security Policy or IM/IT Standards.
Contact for questions relating to Chapter 12 of Core Policy.

What if I am unable to comply with a standard or policy?

In some cases, agencies are unable to comply with a standard or policy or require more time to come into compliance. In this instance, they must submit an Exemption Request.

Before submitting, please review the Exemption FAQs. Once you have reviewed the FAQs, you can submit your Exemption Request.

How are standards developed?

Connected Services BC (CSBC) is responsible for leading the development, maintenance and communication of government-wide IM/IT architectures and standards. Details about this process can be found in the Standards Development Lifecycle document.

Where can I get previous versions of standards?

Current standards can be reviewed online
To request copies of previous versions, email us

Exemptions

What is the difference between exemptions to IM/IT Standards and exemptions to Information Security Policy or Chapter 12 of Core Policy?

The submission process is the same for an exemption to a standard or a policy. CSBC staff work collaboratively to process every Exemption Request.

How do I know if I need an exemption?

To determine if you need an exemption you may refer to this guide. If you are still unsure, please email us.

Once you have determined that a Request for Exemption is required, complete one or more of the following, as appropriate to your request:

An approved DBN from the initiating Ministry to their MCIO for approval of the exemption - REQUIRED
Statement of Acceptable Risk (SoAR) - REQUIRED
- Security Threat and Risk Assessment (STRA)
Approval from your: Ministry Information Security Officer (MISO) and Ministry Chief Information Officer (MCIO)
Privacy Impact Assessment (PIA)
Completed request form

Who can submit an exemption? What approvals do I need?

Only core government staff can submit an exemption; however, they can do it on behalf of contractors. You will need to include approval from your Ministry Information Security Officer and Ministry Chief Information Officer.

After submitting an exemption, how can I find the status?

After submitting your Exemption Request, you can log in to track it or you can email us.

How long will it take to process my exemption?

Exemption Request processing times will vary depending on the complexity of the request, but you should expect an initial response within two business days. We are working on streamlining this process and will update this page during the process.

Email us for more information: CITZAS@gov.bc.ca

Did you find what you were looking for?

The B.C. Public Service acknowledges the territories of First Nations around B.C. and is grateful to carry out our work on these lands. We acknowledge the rights, interests, priorities, and concerns of all Indigenous Peoples - First Nations, Métis, and Inuit - respecting and acknowledging their distinct cultures, histories, rights, laws, and governments.

More topics