OSFI’s I-CRT: 90-Day Readiness Checklist

OSFI’s Intelligence-led Cyber Resilience Testing (I-CRT) is one of the most demanding cyber assessments a Canadian financial institution can face. It is not a compliance checkbox, a routine penetration test, or a tabletop exercise. I-CRT is designed to answer one question: "Can your organization withstand a realistic, intelligence-driven cyberattack against what matters most?"

For institutions approaching an OSFI-supervised I-CRT cycle (or proactively preparing for one), meaningful readiness is achievable within 90 days if the effort is focused, executive-backed, and disciplined.

Today's guide breaks down what “ready” actually means, and how to get there.

What Does Being "I-CRT Ready" Entail?

Before diving into timelines, it’s critical to reset expectations. Being ready for I-CRT does not mean:

  • Having zero vulnerabilities

  • Guaranteeing the Red Team won’t succeed

  • Passing without findings

Instead, readiness means:

  • Your Critical Business Functions (CBFs) are clearly defined, defensible, and mapped

  • Governance, risk controls, and decision authority are in place

  • Detection, response, and recovery processes are real, not theoretical

  • Your team can safely run a live, intelligence-led attack simulation without losing control

OSFI doesn't prioritize whether attackers get in; instead, its focus is on how your organization responds when they do.

Your I-CRT 90-Day Readiness Model

A practical 90-day I-CRT readiness program typically breaks down into three phases:

  • Days 1 to 30: Foundation and governance

  • Days 31 to 60: Threat, control, and response readiness

  • Days 61 to 90: Validation, dry runs, and gap closure

Each phase builds on the last.

Days 1–30: Build a Governance-First I-CRT Foundation

1. Validate Services

In the first 30 days, experts advise that you:

  • Validate which services are truly critical to financial stability, customers, or market confidence

  • Clearly define impact tolerance (time, data loss, operational disruption)

  • Identify people, processes, technology, and third parties that support each CBF

  • Ensure executive and board-level alignment on what is “in scope”

2. Establish the I-CRT Control Group

The Control Group is the single most important success factor in I-CRT. This small, trusted group owns risk, secrecy, and decision-making throughout the exercise.

By Day 30, your team should:

  • Appoint a Control Group Coordinator (CGC) with authority and availability

  • Define clear escalation and stop/pause criteria

  • Formalize “need-to-know” membership (keep it small)

  • Align Legal, Risk, IT, and Security teams on rules of engagement

3. Test Operational Secrecy

I-CRT depends on surprise. If word leaks internally, detection and response results are meaningless.

Early actions include:

  • Defining how the exercise will be referenced internally (code name, neutral language)

  • Restricting calendar entries, tickets, and documentation visibility

  • Establishing communication rules for vendors and internal teams

Days 31–60: Prepare for Realistic Attack and Real Response

1. Cement Detection and Response

In this phase, experts recommend prioritizing:

  • SOC alert triage and escalation paths

  • Incident command structure and authority

  • Decision-making under pressure

  • Legal, communications, and executive engagement triggers

Example questions to ask during this phase include, but are not limited to:

  • How long does it take for a suspicious alert to reach a human?

  • Who decides if an incident is “material”?

2. Validate Logging, Visibility, and Telemetry

Red Teams thrive in blind spots. I-CRT will expose them quickly.

During this phase:

  • Confirm logging coverage across identity, endpoints, networks, and cloud

  • Validate log retention and access for investigators

  • Test whether analysts can actually reconstruct attacker activity

3. Align With Third Parties and Critical Vendors

Many CBFs depend on outsourced or cloud services. If your third parties aren’t ready, neither are you.

Actions to take:

  • Identify which vendors are in scope for CBFs

  • Confirm escalation and incident notification paths

  • Ensure contracts and SLAs support active testing scenarios

Days 61–90: Validate, Rehearse, and Close Gaps

1. Run a Trial Purple Team Exercise

Before an I-CRT, mature organizations run limited-scope rehearsals to validate assumptions without burning secrecy.

This can include:

  • Simulated ransomware or identity compromise scenarios

  • Walkthroughs of decision-making and communications

  • Validation of tooling and access for responders

2. Stress-Test Governance

Next, it is advised to test:

  • Control Group decision speed

  • The ability to pause or stop activity

  • Coordination between Security, IT Ops, Risk, Legal, and Executives

If decisions stall or authority is unclear, resolve it immediately. OSFI will notice hesitation more than technical gaps.

3. Define Your Team's Remediation Mindset

I-CRT findings are inevitable. What matters is how you respond to them.

Before execution:

  • Agree on how findings will be prioritized

  • Define ownership for remediation tracking

  • Align on how outcomes will be communicated to OSFI and internal stakeholders

Common Mistakes That Derail I-CRT Readiness

Across institutions, the same issues appear repeatedly:

  • Treating I-CRT like a penetration test

  • Over-scoping

  • Letting secrecy erode due to internal curiosity

  • Ignoring non-technical response functions (namely Legal, Communications, and Executives)

  • Assuming detection equals response

Avoiding these pitfalls is often more impactful than adding new security controls.

Conclusion

Getting ready for I-CRT in 90 days is less about technology and more about organizational discipline. Institutions that succeed treat I-CRT as a leadership-led resilience exercise, not a security team project.

If you can clearly answer:

  • What matters most?

  • Who decides under pressure?

  • How quickly can we detect, respond, and recover?

then your team is closer to I-CRT readiness than you may think.

Reach out today to take the next step towards being ready for OSFI's I-CRT.
