1. Live Monitoring of ITSG-33 Technical Controls on AWS, GCP and Azure
ITSG-33, HIPAA, SOC-2.
Compliance. Automated. Continuous.
Audit-Ready.
Features
Iron Fort replaces manual workflows with real-time dashboards, AI policy checks, and live security control monitoring.
🔍
Automated Profile Selection for ITSG33
Smart selection of security controls based on your system profile.
Explore More
🤖
AI Driven ConOps Analyzer
Automated analysis of Concept of Operations documents for security requirements.
Explore More
Automated Compliance
Automated ITSG-33 Compliance & ConOps Analysis
Benefits of Iron Fort
Iron Fort: Built for ITSG33-Covered Entities & Business Associates
Iron Fort simplifies ITSG33 compliance by automating technical controls tracking, and using AI-enabled analysis for management and operational controls. Replace spreadsheets and sharepoint lists with real-time dashboards, AI-powered ConOps analysis, and automated evidence collection - all mapped to ITSG33's Technical, Management, and Operational controls.
-
-
2. AI-Based ConOps and Document Analysis & Recommendations
-
3. Risk Assessments, Analytics, Approval Workflows- in One Platform
At-a-glance
ITSG-33 Compliance Made Easy for Governments, Crown Corporations, SaaS Vendors, Startups, and Cybersecurity Firms.
1. Automated ITSG-33 Compliance Monitoring
Simplify ITSG-33 compliance from policy creation to audit readiness. Iron Fort automates evidence gathering, controls and control set approval tracking, and standardization of control based on Statement of Sensitivity. It aligns policies to the Security, Privacy, and Breach Notification Rules - so your team stays ready, always.
-
✅
Prebuilt ITSG33 Control Profiles
Out-of-the-box control profiles for Protected B Medium-Medium, Protected A Low-Low, Cloud IaaS, PaaS, and customized profile for internal and external SaaS solution.
-
✅
Customizable ITSG-33 Profile for Interim and Partial ATO's Templates
Quick-start templates mapped to ITSG-33's required technical, management, and operational controls.
-
✅
Role-Based Training & Attestations
Deliver staff-specific HIPAA training and capture signed attestations for audit defense.
-
✅
Automated Reviews & Sign-Offs
Track evidence updates, approvals, and revision history with built-in accountability.
-
✅
Audit-Ready Documentation Hub
Centralized storage for all Concept of Operations (ConOps), evidence, logs, and processes and procedures - always current, always exportable.
2. Risks & PoAM Management & Continuous SA&A Readiness
Go beyond checklists. Iron Fort automates evidence tracking, system-level risk analysis, and audit evidence collection - so you're ready when on-request or selective ATO audits.
-
✅
Risks Register and Tracking
Dynamically track ITSG-33, and security related Risks to systems based on data sensitivity, infrastructure, application and security control, and threat level.
-
✅
Plan of Actions Milestones (PoAM)
Keep up to date on your organization's identified Plan of Action Milestones (PoAM) with automated tracking and reporting.
-
✅
Real-Time and Continuous ITSG-33 Gap Monitoring
Detect control gaps (e.g. MFA, encryption, access logs) before they lead to a breach.
-
✅
Actionable Assessment Reports
Get PDF and Markdown exportable SA&A ma with risk scoring, control coverage, and remediation priorities.
-
✅
Tamper-Proof Audit Recordkeeping
Store all evidence, logs, policies, and attestations in a secure, versioned repository.
3. Intelligent Evidence Collection & Workforce Compliance Tracking
Iron Fort helps you maintain compliance by automatically collecting audit-ready evidence and tracking workforce training - across all administrative, technical, and physical safeguards.
-
✅
Role-Based Training Module Integration
Deliver required security awareness training tailored to job roles, with embedded attestations.
-
✅
Track Completion & Attestations
Monitor staff participation, quiz scores, and attestation status - all exportable for SA&A audits.
-
✅
AI-Powered Evidence Extraction
Pull system logs, access records, and control evidence directly from your tech stack - no spreadsheets.
-
✅
Centralized Audit Trail Management
Maintain secure logs of training, policies, and evidence to meet ITSG-33's information management requirements.
-
✅
Compliance Alerts & Gaps
Get notified when training is overdue, evidence is missing, or a policy is out of date.
Frequently Asked Questions
Questions About our Iron Fort?
We have Answers!
What is Iron Fort and how does it help with Protected B Medium-Medium compliance?
Iron Fort is a compliance automation platform that helps federal, provincial and municipal governments, and non-governmental organizations and their vendors meet the requirements of the ITSG-33 framework. It replaces manual compliance processes with real-time safeguard monitoring, and AI-powered policy reviews, and automated evidence collection for audits and investigations.
Does Iron Fort support Canada ITSG-33 and Protected B Medium-Medium?
Iron Fort's Canada ITSG-33 Product is designed to help organizations comply with the ITSG-33 framework include Protected B Medium-Medium (PBMM), Protected B High Value Assets (PBHVA), as well as, Protected A Low-Low (PALL) classifications. It provides predefined and customizable ITSG-33 Control Profiles to assess applications, and infrastructure environments up to Protected Medium-Medium.
How can I automate ConOps Analysis management and updates?
Iron Fort includes pre-built AI Policy Analysis tool that automates the review of your existing Concept Of Operations (ConOps) for completeness, accuracy, and control-related compliance. It flags missing technical, management, or operational controls and helps ensure your documentation stays aligned with ConOps Analysis and ITSG-33 implementation guidance.
What's the best way to track my ITSG-33 and PBMM compliance?
Iron Fort provides a centralized compliance tracking Dashboard and a built-in Analytics engine that allows you to track expiring, expired or missing Authority to Operate (ATO) and stores signed ATOs with timestamps and audit metadata. This helps you stay compliant with ITSG-33's Application and infrastructure management obligations and prepare for SA&A audits reviews.
Does Iron Fort collect HIPAA, SOC-2, and ITSG-33 audit evidence automatically?
Yes. Iron Fort integrates with your cloud and on-prem systems to automatically pull required evidence for technical controls using a built-in controls evaluator. Furthermore, it also includes an AI-powered evidence extractor that analyzes uploaded policy, procedure, architecture, and Concept Of Operations document to sight evidence for controls.
How does Iron Fort help with HIPAA OCR audit, and SA&A readiness?
For HIPAA, Iron Fort maps your controls and evidence directly to the HIPAA audit protocol published by the Office for Civil Rights (OCR). For Canada's ITSG-33, Iron Fort provides ready-to-go profiles for PBMM, PBHVA, PALL, PB-SaaS, and PB-Cloud profiles. The platform generates exportable audit and assessment reports, and maintains records of training, architecture, risk, concept of operations, and action milestones - key artifacts requested during investigations.
Does Iron Fort support PBHVA and other ITSG-33 profiles?
Iron Fort includes predefined ITSG-33 Control Profiles for various system types and classifications, including Protected B High Value Assets (PBHVA). It also includes pre-defined controls profile for Protected A Low Low (PALL), Protected B Cloud Apps, and Protected B SaaS Profiles.
Is Iron Fort suitable for small practices or just large enterprises and Government departments?
Iron Fort supports SOC2, a ITSG-33 and HIPAA compliance for small practices, SaaS vendors, MSOs, startups, not just large enterprises and Government departments. Whether you're managing five people or five locations, Iron Fort helps you reduce risk and automate your compliance posture.
Is Iron Fort available for purchase using Canada's RFSA or SLSA?
Yes, Iron Fort is available for purchase using Canada's RFSA and SLSA programs. Iron Fort is currently being used at few federal government departments already. Additionally, Iron Fort certified partners can help organizations implement Iron Fort within an air-gapped or internally managed infrastructure (ex: Data Centre)