Cyberattacks on small and mid-sized businesses in Singapore are accelerating. CSA's Cyber Essentials Mark exists to give every organisation — regardless of size — a clear, structured path to baseline cybersecurity. If you've been putting this off, the window of "optional" is closing fast.
This guide covers everything: what the certification requires, how much it costs, what funding CSA provides, and exactly how Security Pulse maps to every domain in the framework. No fluff — just what you need to make a decision and act on it.
What is the Cyber Essentials Mark?
The Cyber Essentials Mark is a national cybersecurity certification developed by the Cyber Security Agency of Singapore (CSA) under the SG Cyber Safe Programme. It provides a structured framework for organisations to implement fundamental cybersecurity measures and protect against common cyber threats.
The certification was significantly enhanced in 2025. The updated Cyber Essentials (2025) now covers four pillars:
Classical Cybersecurity
Core IT security controls covering endpoints, networks, access, and incident response
Cloud Security
Secure cloud adoption, SaaS management, and shared responsibility compliance
OT Security
Safeguarding industrial control systems and operational technology environments
AI Security
Best practices for securing AI-driven applications and mitigating AI-specific risks
The certification is valid for 2 years and is assessed through a desktop review and verification of your self-assessment by an independent assessor from a CSA-appointed certification body.
Who needs the Cyber Essentials Mark?
The short answer: if you operate a business in Singapore and use any digital systems, this certification is built for you. CSA designed Cyber Essentials specifically for organisations of all sizes — including small and mid-sized businesses that are prime targets for cyberattacks.
SMBs and Startups
Any Singapore-registered business handling digital data or operating IT systems. No size exemption — a 5-person company has the same risk exposure as a large enterprise.
Government Vendors
Increasingly required for government tenders and procurement. If you sell to the Singapore government, certification gives you a competitive edge.
Healthcare Entities
HIA entities and HIMS vendors have dedicated sub-schemes (co-developed by MOH and CSA) with sector-specific requirements.
ICT Vendors
Pre-approved vendors under IMDA's SMEs Go Digital programme have a specific sub-scheme co-developed by IMDA and CSA.
Companies Using Cloud/AI
The 2025 enhancement means if you use cloud services, OT systems, or AI tools, you now need to address these in your certification scope.
International Companies
Singapore's global trust reputation means this certification signals credibility to clients, investors, and partners across Asia and beyond.
How to get certified: Step by step
The certification process is straightforward, but don't underestimate the preparation required. Here's the realistic timeline:
Step 1: Assess your current posture (1–2 weeks)
Download CSA's self-assessment template and evaluate your organisation against the 9 security domains. Identify gaps between your current practices and the requirements.
Step 2: Implement required controls (2–8 weeks, varies)
Address gaps identified in Step 1. This includes configuring security tools, documenting policies, establishing processes, and training staff. Every "shall" statement must be met.
Step 3: Prepare supporting documents (1–2 weeks)
Gather evidence: scoping statement, organisation chart, asset inventories, policy documents, training records, configuration screenshots, and other artefacts required by each clause.
Step 4: Engage a certification body (1–2 weeks)
Select one of CSA's appointed certification bodies. Submit your completed self-assessment and supporting documents for review. Certification charges differ between providers.
Step 5: Desktop review and verification (2–4 weeks)
An independent assessor reviews your self-assessment, verifies your documentation, and confirms that your organisation meets all requirements. This is a desktop-based review, not an on-site audit.
Step 6: Certification awarded (certification valid 2 years)
Upon successful verification, you receive the Cyber Essentials Mark — valid for 2 years. You're listed in CSA's Directory of Certified Organisations and can use the certification mark in your marketing.
The self-assessment process
CSA provides an official self-assessment template (Excel spreadsheet) that guides you through the evaluation. Here's how it works:
Step 1: Complete the questionnaire
The self-assessment template contains clauses across 9 security domains. Each clause is marked as a requirement ("shall" — mandatory) or recommendation ("should" — best practice). You must meet all requirements to pass.
Step 2: Gather supporting artefacts
Each clause lists suggested artefacts — documented evidence that proves your implementation. These include asset inventories, policy documents, configuration screenshots, training records, and network diagrams.
Step 3: Review your results
The template automatically computes your results. If any "shall" requirement is marked "No", you fail that domain. All requirements must be "Yes" to pass. Recommendations are tracked separately.
Step 4: Submit to certification body
Once your self-assessment is complete and all requirements are met, submit the template along with your supporting documents to your appointed certification body for verification.
The 9 security domains
Cyber Essentials evaluates your organisation across 9 domains. Each contains mandatory requirements and recommended best practices. Here's what each domain covers:
A.1 Assets: People
Equip employees to be the first line of defence
Key requirements:
- Establish cybersecurity awareness and data protection training for all employees
- Develop cyber hygiene practices and guidelines for daily operations
- Include measures to mitigate incidents from human factors — phishing vigilance, social engineering awareness, safe browsing
- Differentiate training by role (senior management, IT staff, general employees)
- Conduct awareness initiatives at least annually
For cloud, OT, and AI pillars: Additional training must cover cloud shared responsibility, OT-specific security practices, and governance of business-critical data when using AI tools.
A.2 Assets: Hardware & Software
Know what you have and protect it
Key requirements:
- Maintain an up-to-date asset inventory of all hardware and software, including third-party vendors
- Include cloud-based assets (SaaS, IaaS, PaaS subscriptions) and AI tools in inventory
- Remove unauthorised or end-of-support (EOS) assets
- Implement an authorisation process for onboarding new hardware/software
- Ensure secure disposal of hardware with confidential data
Review frequency: Asset inventory should be reviewed at least bi-annually (twice per year).
A.3 Assets: Data
Know what data you have, where it is, and secure it
Key requirements:
- Identify and maintain an inventory of business-critical data
- Include cloud-stored data locations, CSP details, and cloud service regions
- Track data sets used as input to or generated by AI tools
- Establish processes to protect business-critical data (encryption, access controls)
- Implement measures to prevent data leakage — control use of data in external AI tools
- Secure disposal of physical media containing sensitive data
A.4 Secure/Protect: Virus & Malware Protection
Protect from malicious software
Key requirements:
- Install virus and malware protection on all endpoints (laptops, desktops, servers, virtual environments)
- Configure automatic scanning of files upon access
- Enable automatic updates for signature files
- Deploy and configure firewalls for network, systems, and endpoints
- Ensure employees install only authorised software and use trusted network connections
- Establish procedures for reporting suspicious emails or attachments
For cloud: Verify CSP has implemented virus/malware protection per shared responsibility model. Scan files ingested into cloud services.
A.5 Secure/Protect: Access Control
Control access to data and services
Key requirements:
- Maintain and manage an inventory of all accounts (user, admin, third-party, service)
- Implement approval processes for granting and revoking access
- Enforce role-based access — employees access only what's needed for their role
- Disable shared, duplicate, obsolete, and dormant accounts
- Change all default passwords; enforce strong passphrases (12+ characters)
- Lock accounts after multiple failed login attempts
- Implement MFA for admin access to important systems and databases
- Enforce physical access controls for IT assets
Review frequency: Account reviews should be carried out at least quarterly.
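The quarterly account review above can be run as a script rather than by hand. The following is an added example, not code from CSA or from Security Pulse: it checks a constructed account inventory against the A.5 points listed here (shared, duplicate and dormant accounts, default passwords, 12-character passphrase policy, MFA on admin accounts). The 90-day dormancy cut-off is an assumption; in practice you would export the inventory from your directory or identity provider.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)  # assumption: the framework says "dormant" but gives no number
MIN_PASSPHRASE_LEN = 12             # A.5: strong passphrases (12+ characters)

@dataclass
class Account:
    name: str
    kind: str                    # "user", "admin", "third-party" or "service"
    owners: list                 # more than one owner means a shared account
    last_login: Optional[date]   # None means the account has never been used
    mfa_enabled: bool
    min_passphrase_len: int      # minimum length the account's password policy enforces
    default_password: bool = False

def review_accounts(accounts, today):
    """Return (account, issue) pairs; an empty list means the review found nothing."""
    findings, seen = [], {}
    for a in accounts:
        if len(a.owners) != 1:
            findings.append((a.name, "shared account: disable or assign a single owner"))
        elif (a.owners[0], a.kind) in seen:  # same owner, same kind: duplicate account
            findings.append((a.name, f"duplicate of {seen[(a.owners[0], a.kind)]}"))
        else:
            seen[(a.owners[0], a.kind)] = a.name
        if a.last_login is None or today - a.last_login > DORMANT_AFTER:
            findings.append((a.name, "dormant account: disable"))
        if a.kind == "admin" and not a.mfa_enabled:
            findings.append((a.name, "admin access without MFA"))
        if a.min_passphrase_len < MIN_PASSPHRASE_LEN:
            findings.append((a.name, "passphrase policy shorter than 12 characters"))
        if a.default_password:
            findings.append((a.name, "default password still in use"))
    return findings

TODAY = date(2025, 9, 30)
SAMPLE_INVENTORY = [  # constructed sample data, not real accounts
    Account("alice", "user", ["alice"], date(2025, 9, 29), True, 14),
    Account("it-admin", "admin", ["bob", "carol"], date(2025, 9, 28), False, 14),
    Account("backup-svc", "service", ["ops"], date(2025, 5, 1), False, 8, True),
    Account("vendor-x", "third-party", ["vendor-x"], None, True, 14),
    Account("bob", "user", ["bob"], date(2025, 9, 20), True, 14),
    Account("bob-old", "user", ["bob"], date(2025, 9, 10), True, 14),
]

if __name__ == "__main__":  # print the findings as evidence for the quarterly review
    for name, issue in review_accounts(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: {issue}")
```

Keeping the printed findings (or a dated copy of the inventory with the review outcome) gives you the kind of artefact the self-assessment asks for under A.5.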
A.6 Secure/Protect: Secure Configuration
Use secure settings for hardware and software
Key requirements:
- Enforce security configurations for desktops, servers, routers, and other assets
- Replace or upgrade insecure configurations and weak protocols (e.g., use HTTPS, disable FTP)
- Disable or remove unused features, services, and applications
- Ensure third parties protect their own environments used for service delivery
- Enable audit logging for security-relevant events
- Enable automatic lock/session logouts after 15 minutes of inactivity
For cloud and AI: Implement CSP-published secure configuration best practices and apply them to AI deployment environments.
A.7 Update: Software Updates
Keep software on devices and systems current
Key requirements:
- Prioritise critical or important updates for operating systems and applications
- Implement security patches as soon as possible — especially for known exploited vulnerabilities
- Conduct compatibility tests before installing updates
- Enable automatic updates for critical patches where feasible
For cloud: Verify CSP's responsibility for patching per shared responsibility model.
A.8 Backup: Back Up Essential Data
Back up and store data securely
Key requirements:
- Identify and back up business-critical data and systems
- Perform backups regularly, aligned with business requirements
- Protect backups from unauthorised access
- Store backups separately and isolated from the operating environment
- Automate backup processes where feasible
- Test backups at least bi-annually to ensure effective restoration
For cloud: Back up cloud data separately (e.g., on-premises or different cloud storage). Don't rely solely on your CSP's backup.
A.9 Respond: Incident Response
Be ready to detect, respond to, and recover
Key requirements:
- Establish an up-to-date incident response plan covering common cybersecurity and data incidents
- Include cloud-specific, OT-specific, and AI-specific incident scenarios
- Communicate the plan to all employees with access to IT assets
- Conduct post-incident reviews and incorporate lessons learned
- Review the incident response plan at least annually
Critical: Without an incident response plan, your organisation will waste precious hours during a breach figuring out what to do — time that directly translates to damage.
Who gives the certification?
The Cyber Essentials certification is administered by certification bodies appointed by CSA. You cannot self-certify. The process requires independent verification by an assessor from the appointed certification body.
If you lack in-house cybersecurity expertise, CSA's CISO-as-a-Service (CISOaaS) programme connects you with cybersecurity consultants who can act as your Chief Information Security Officer, helping you develop a cybersecurity health plan and work towards certification. Funding support is available for eligible SMEs.
Benefits of getting certified
Government tender eligibility
Increasingly a prerequisite for Singapore government procurement. Certification gives you access to contracts that uncertified competitors cannot bid on.
Discounted cyber insurance
Certified organisations are eligible for discounted rates from insurers including Blackpanda, Delta Underwriting, Protos Labs, and QBE Insurance Singapore.
Google Cybersecurity Certificate scholarships
Organisations that have appointed a certification body are eligible for Google Cybersecurity Certificate scholarships for their teams.
Structured security foundation
The framework provides a clear, practical approach to cybersecurity — no guesswork about what controls to implement first.
Customer and partner trust
The certification mark signals to clients, partners, and investors that your organisation takes cybersecurity seriously — a tangible differentiator in sales conversations.
SME Cybersecurity Excellence Award
Certified SMEs can apply for the SME Cybersecurity Excellence Award, a collaboration between CSA and the Association of Trade & Commerce (ATC).
CSA funding support
CSA provides direct funding support to encourage organisations to get certified. This support is deducted from the certification fees charged by the certification body — you pay less upfront.
Cyber Essentials (2025) — CSA Funding Support
| Endpoints | Classical Cybersecurity | Cloud / OT / AI Security* |
|---|---|---|
| 1–5 | SGD 250 | SGD 50 per pillar |
| 6–10 | SGD 250 | — |
| 11–20 | SGD 350 | SGD 50 per pillar |
| 21–50 | SGD 450 | SGD 50 per pillar |
| 51–100 | SGD 600 | SGD 100 per pillar |
| 101–200 | SGD 650 | SGD 100 per pillar |
* Funding for cloud, OT, and AI security is per digital technology pillar. For example, if you certify for both cloud and AI security with 21–50 endpoints, you receive SGD 450 + SGD 50 + SGD 50 = SGD 550 total.
Additionally, NCSS member organisations can access subsidies under the Tech-and-GO! consultancy programme.
How Security Pulse maps to Cyber Essentials
Security Pulse covers the technical controls required across all 9 Cyber Essentials domains. Here's how our platform maps to each requirement area — and what it means for your certification journey:
| Domain | Requirement | Security Pulse Capability |
|---|---|---|
| A.1 People | Cybersecurity awareness training, cyber hygiene practices | Security awareness programme tracking, phishing simulation dashboards, training compliance reporting |
| A.2 Hardware & Software | Asset inventory, EOS management, authorisation process | Automated asset discovery across endpoints and cloud services, real-time inventory with EOS alerts, software authorisation workflows |
| A.3 Data | Data inventory, protection measures, leakage prevention | Data classification scanning, cloud data mapping, DLP policy monitoring, sensitive data exposure alerts |
| A.4 Virus & Malware | Endpoint protection, firewall, trusted connections | Endpoint detection and response (EDR) monitoring, firewall configuration auditing, network security posture management |
| A.5 Access Control | Account management, MFA, password policies, access reviews | Identity and access monitoring, MFA enforcement tracking, dormant account detection, privileged access alerts, automated access reviews |
| A.6 Secure Config | Security configurations, logging, weak protocols | Configuration compliance scanning, audit log monitoring, weak protocol detection, security baseline drift alerts |
| A.7 Software Updates | Patch management, critical updates | Vulnerability scanning, patch status dashboards, critical CVE alerts, update compliance tracking |
| A.8 Backup | Backup schedules, isolated storage, testing | Backup status monitoring, backup failure alerts, recovery testing reminders, cloud backup verification |
| A.9 Incident Response | Incident response plan, detection, recovery | Real-time threat detection, automated incident workflows, response playbooks, post-incident reporting, evidence collection for PDPC/CSA |