Independent assessment, inspection, and certification for information security, AI governance, and cybersecurity.
Laws create obligations. Standards provide the management system. Certification provides independent evidence. This is the map.
Our accredited scope covers the certifications and inspections most critical to technology organizations. For standards beyond those listed, contact us.
Third-party certification of your ISMS. Risk-based approach to protecting information assets through governance, controls, and continuous improvement. Annex A controls span organizational, people, physical, and technological domains.
Certification for organizations developing, providing, or using AI. Governance, risk management, lifecycle controls, responsible AI, and monitoring. First certifiable international AI standard.
Government of Canada baseline cybersecurity for SMEs. Thirteen control areas, including incident response, access control, patching, malware protection, and security awareness.
Inspection-based assessment for Canada's defence supply chain. Cybersecurity practice verification. SCC IBAP accredited per ISO/IEC 17020.
Searchable reference across the Canadian technology regulatory landscape. Our chatbot can answer detailed questions on any item listed.
Information Security Management System. Risk-based controls, governance, and continuous improvement. Three-year certification cycle.
AI Management System. Governance, risk, lifecycle controls, responsible AI, and monitoring. First certifiable AI standard.
Government of Canada SME cybersecurity certification. 13 baseline control areas. SCC-accredited third-party.
Defence supply chain cybersecurity inspection. ISO/IEC 17020 accredited. Federal program oversight.
Governs private-sector commercial activities. Consent, safeguards, breach notification, accountability. Applies where no substantially similar provincial law exists.
BC PIPA, Alberta PIPA, and Quebec Law 25. Each substantially similar to PIPEDA for intra-provincial activities. Law 25 adds enhanced breach rules and mandatory PIAs.
Artificial Intelligence and Data Act (AIDA) and the AI and Data Companion Regulation (AIMS) under Bill C-27. Would regulate high-impact AI systems. Not yet enacted. Maps to ISO 42001.
Privacy information management extension to 27001. Maps controls to PIPEDA and GDPR requirements.
Cloud security controls (27017) and cloud PII protection (27018). Both extend 27002 for cloud environments.
Control implementation guidance (27002) and risk management processes (27005). Supporting standards for 27001 certification.
Business continuity management (22301) and IT service management (20000-1). Additional management system standards for technology organizations.
Federal public-sector privacy. Collection, use, and disclosure constraints for government institutions. Access and correction rights.
Identify, Protect, Detect, Respond, Recover. Voluntary framework. Maps to ISO 27001 controls.
AI risk management (Govern, Map, Measure, Manage) and international AI governance principles. Voluntary reference frameworks.
Attestation report based on Trust Services Criteria. Issued by CPA firms. Not a certification. Primarily North American.
Risk-based AI regulation. Prohibited, high-risk, limited, minimal categories. International reference point for AI governance.
Prioritized security controls by maturity (CIS) and IT governance framework (COBIT). Complementary to management system standards.
Structured, transparent, independent.
Structural separation between assessment and decision functions. Two-year cooling-off period for prior consulting relationships. Conflict-of-interest screening on every engagement.
Certification decisions are made by qualified personnel who did not conduct the audit. This separation is a non-negotiable accreditation requirement.
AICT does not provide consulting, implementation, or advisory services. This separation is a structural requirement of our accreditation, not a policy choice.
Formal processes with defined timelines, independent review, and escalation paths. Open to any person or organization. Submit complaints to complaints@aictglobalservices.com or appeals to appeals@aictglobalservices.com.
Search the AICT certificate register by organization name, certificate number, or standard. This register is updated on issuance, suspension, or withdrawal of any certificate. Inspection results under ISO/IEC 17020 are reported directly to clients and are not listed in this register.
Access AICT's public disclosure documents. These policies are maintained as part of our quality management system.
Whether exploring certification for the first time or looking for a technology-focused alternative, we will help you understand scope, timeline, and requirements.