IM/IT Standards Frequently Asked Questions


Standards & Policies

What is the difference between an IM/IT Standard and Information Security Policy or Core Policy?

A policy is a statement of intent, whereas a standard is a convention or requirement. As an example, a policy may state that "you must encrypt sensitive traffic" and a corresponding standard may specify the use of "128-bit SSL encryption". Contact us directly via email for questions related to Information Security Policy or IM/IT Standards. For questions on Chapter 12 of Core Policy, contact

What if I am unable to comply with a standard or policy?

In some cases, agencies are unable to comply with a policy or standard or need more time to come into compliance. If so, they must request an exemption from the policy or standard. Before submitting an exemption, please review the exemption FAQs. Once you have reviewed the FAQs, you can request an exemption.

How are standards developed?

The Office of the Chief Information Officer (OCIO) is responsible for leading the development, maintenance and communication of government-wide IM/IT architectures and standards. Details about this process can be found in the standards development lifecycle document.

Who oversees standards?

The Architecture and Standards Review Board (ASRB) is responsible for reviewing proposed architecture and standards, and changes to existing architecture and standards, and for recommending them for approval to the OCIO and the CIO Council. Details about the ASRB's purpose, how it is organized and how it operates can be found in the ASRB operations document.

Where can I get previous versions of standards?

The current standards are online; however, over time, standards can become obsolete. For your reference, we have made available the previous version of the standard document (PDF, 1.6MB).



What is the difference between exemptions to IM/IT Standards and exemptions to Information Security Policy or Chapter 12 of Core Policy?

The submission process is the same for an exemption to a Standard or a Policy. The OCIO staff work collaboratively to process an exemption request.

How do I know if I need an exemption?

To determine if you need an exemption, you may refer to this guidance. If you are still unsure, please contact us.

What will I need to include with my exemption?

Note: a Privacy Impact Assessment and a Security Threat and Risk Assessment are not required for exemptions to Section 12.3.5 of Chapter 12 of Core Policy.

Who can submit an exemption? What approvals do I need?

Only core government staff can submit an exemption; however, they can do it on behalf of contractors. You will need approval from your Ministry Information Security Officer and Ministry Chief Information Officer (pdf).

After submitting an exemption, how can I find the status?

We're in the process of developing an application for you to submit your exemptions. It will provide you with the ability to see the status of your exemption. In the interim, please contact us.

How long will it take to process my exemption?

Within 1 week, somebody will contact you. We are in the process of developing an application that will immediately notify you when your exemption is submitted.

Exemption processing times may vary. Here are some rough guidelines:

  • Devices or Network: 2 weeks to 1 month
  • Identity Services: 1 to 2 months
  • Security, Cryptography, BCeID: 2 to 3 months