ThreeShield delivers compliance assessments and implementations across 16 major frameworks - from Canadian-specific regulations like Alberta HIA and Bill C-8 CCSPA to global standards like HIPAA, SOC 2, PCI DSS, CMMC, and ISO 27001. Every engagement includes Lavawall® continuous monitoring.
Every compliance framework page explains all three options. Choose the level that fits your team's capacity.
Use Lavawall®'s GRC module to monitor your compliance posture against any supported framework continuously. Automated evidence collection, live compliance scoring, and AI-generated reports. Ideal for lean IT teams and MSPs with internal security capacity.
Lavawall® platform plus CISSP/CISA guidance - gap assessment, prioritized remediation roadmap, policy development support, and quarterly review calls. MSP partners can white-label and deliver this to their clients.
ThreeShield manages the full compliance program - from initial scoping to formal CISSP/CISA-executed assessment to ongoing monitoring and annual reassessment. Findings methodology (typically 200+ findings) from government and Fortune 50 experience.
Canada's Critical Cyber Systems Protection Act. Mandatory for telecom, banking, nuclear, pipelines, and transportation. ⚠️ Up to $15M/day penalties.
HIA compliance for Alberta healthcare custodians - physicians, PCNs, pharmacists, health tech affiliates.
BC Personal Information Protection Act and health sector privacy for BC healthcare organizations.
Canada's federal private-sector privacy law and its pending update - mandatory breach notification, security safeguards. Affects all Canadian businesses.
Cybersecurity framework for accounting firms and CPA-regulated entities. Big-4 engagement experience on our team.
For Ontario government entities, municipalities, hospitals, school boards, and critical infrastructure.
Canadian Investment Regulatory Organization cybersecurity guidance for registered dealers and advisors.
BC Financial Services Authority technology risk expectations for BC credit unions, insurers, and financial planners.
Critical Infrastructure Protection for North American bulk electric system operators - Canada and US.
Security Rule, Privacy Rule, and Breach Notification. Applies to Canadian Business Associates of US healthcare entities. Often overlooked by Canadian companies.
AICPA Trust Services Criteria. The de facto security certification for SaaS companies and service organizations. Enterprise deal requirement.
Payment card security for merchants and service providers. All SAQ types - A through D.
Mandatory for US DoD contractors. Canadian companies in the NORAD/NATO/DND supply chain are increasingly affected. Contract eligibility requirement.
IG1, IG2, IG3. The most practical cybersecurity framework and the baseline for most cyber insurance requirements. 10-20% insurance savings.
Govern, Identify, Protect, Detect, Respond, Recover. Global standard for cybersecurity risk governance.
International ISMS standard. Required for European market access, government procurement, and enterprise supply chains.
General Data Protection Regulation. Applies to any organization processing EU residents' data - including Canadian companies with EU customers. ⚠️ Up to €20M / 4% of global revenue.
Network & Information Security Directive 2. Mandatory for 18 critical sectors across the EU (expanded from 7 to 18 sectors). 24-hour early warning + 72-hour detailed notification.
NCSC-backed certification required for UK government contracts. Five foundational controls. Delivered through ThreeShield Information Security Ltd (UK). Required for UK public sector contracts.
ThreeShield's free compliance scoping call identifies which frameworks your business is obligated to follow, which are worth pursuing for business development, and what your highest-priority gaps are. No commitment required.
Also see our Training Programs for staff and executive cybersecurity education.