If Cyber Essentials is the baseline, Cyber Trust is where serious organisations prove their security maturity. For businesses with significant digital operations — cloud infrastructure, customer data, interconnected systems — baseline controls aren't enough. Threats are more sophisticated, the attack surface is wider, and the stakes are higher.

CSA's Cyber Trust Mark is the advanced certification that signals to clients, partners, regulators, and investors that your organisation doesn't just check boxes — it manages cyber risk systematically. This guide covers everything you need to get there.

What is the Cyber Trust Mark?

The Cyber Trust Mark is a national cybersecurity certification developed by the Cyber Security Agency of Singapore (CSA). It is published as Singapore Standard SS 712:2025 ("Tiered cybersecurity standards for organisations") under the Singapore Standardisation Programme.

Unlike Cyber Essentials (which covers baseline hygiene), Cyber Trust uses a risk-based approach. It guides organisations to understand their specific risk profile and implement cybersecurity measures commensurate with that risk. The result is a certification that reflects the actual depth and maturity of your security programme.

Cyber Essentials vs Cyber Trust — at a glance

Cyber Essentials
  • Baseline cybersecurity controls
  • 9 fixed domains
  • Self-assessment + desktop verification
  • Valid for 2 years
  • No annual audit
  • Suited for all organisations
  • Funding: SGD 250–650
Cyber Trust
  • Risk-based cybersecurity framework
  • 5 tiers with 10–22 domains each
  • Document review + implementation audit
  • Valid for 3 years
  • Annual audit required
  • For organisations with extensive digital operations
  • Funding: SGD 1,375–2,250

The Cyber Trust Mark was enhanced in 2025. The updated framework now covers four pillars, extending beyond classical cybersecurity:

Classical Cybersecurity

Core IT security: governance, risk management, asset management, access control, incident response

Cloud Security

Secure cloud adoption, data protection, shared responsibility model compliance

OT Security

Industrial control system security, IT/OT convergence, Purdue model considerations

AI Security

AI governance, adversarial threat mitigation, data integrity for AI systems

The certification is valid for 3 years, with yearly audits to verify ongoing compliance. The assessment covers both documentation review and implementation effectiveness — this is not a paper exercise.

Who needs the Cyber Trust Mark?

Cyber Trust is designed for organisations with more extensive digitalised business operations — those where the risk level demands more than baseline controls. If any of the following describes your organisation, Cyber Trust is the certification you should be pursuing:

Organisations with critical data

You process customer PII, financial data, health records, or other sensitive information at scale. A breach would cause significant harm.

Organisations with complex IT

You operate multi-cloud infrastructure, hybrid environments, interconnected systems, or manage significant third-party vendor relationships.

Organisations targeting enterprise clients

Your customers or partners require evidence of advanced cybersecurity maturity — not just baseline compliance but demonstrated risk management.

Organisations pursuing ISO 27001

Cyber Trust maps to ISO/IEC 27001:2022. Achieving Cyber Trust can accelerate your ISO 27001 journey, and vice versa.

Regulated industries

Financial services, healthcare, critical infrastructure — industries where regulatory requirements demand demonstrable cybersecurity maturity.

Organisations ready to move beyond Cyber Essentials

You've achieved Cyber Essentials and want to demonstrate a higher level of cybersecurity preparedness. Cyber Trust is the natural next step.

What's new in the enhanced Cyber Trust (2025)?

The Cyber Trust (2022) version was retired in February 2026 and replaced by the enhanced Cyber Trust (2025). The key changes:

  • Cloud Security pillar added: Addresses secure cloud adoption, data sovereignty, cloud service provider management, and shared responsibility compliance.
  • OT Security pillar added: Covers industrial control system protection, IT/OT network segmentation, and physical-digital convergence risks.
  • AI Security pillar added: Addresses AI-specific vulnerabilities, governance of AI tools, adversarial attack mitigation, and data integrity for AI-driven applications.
  • ISO 27001 mapping published: CSA now provides an official cross-mapping between Cyber Trust (2025) and ISO/IEC 27001:2022, making it easier to align certifications.

The 5 cybersecurity preparedness tiers

Cyber Trust organises cybersecurity preparedness into 5 tiers, each with an increasing number of domains. Your organisation uses CSA's risk assessment framework to identify which tier is appropriate based on your risk profile.

Tier 1 Foundational
10 domains

Basic cybersecurity preparedness. Minimum controls for organisations with limited digital exposure.

Tier 2 Developing
13 domains

Expanded controls for organisations with moderate digital operations. Adds governance and risk management depth.

Tier 3 Established
16 domains

Comprehensive controls for organisations with significant digital infrastructure. Includes supply chain and business continuity.

Tier 4 Advanced
19 domains

Advanced security programme with proactive threat management. For organisations with high-value targets and complex environments.

Tier 5 Leading
22 domains

Industry-leading cybersecurity maturity. The highest level of preparedness, demonstrating excellence in security governance and operations.

Choosing your tier: You don't need to aim for Tier 5. CSA's risk assessment framework helps you identify the tier that matches your organisation's actual risk profile. A consulting firm handling sensitive client data might need Tier 3, while a fintech processing payments might require Tier 4 or 5. The goal is proportionate protection.

How to get certified: Step by step

Cyber Trust certification is more rigorous than Cyber Essentials. The assessment covers not just documentation but implementation effectiveness. Here's the process:

1. Risk assessment (1–2 weeks)

Use CSA's Cyber Trust risk assessment framework to determine your organisation's risk profile and appropriate cybersecurity preparedness tier (Tier 1–5). This determines the scope and depth of your certification.

2. Self-assessment (2–3 weeks)

Complete CSA's self-assessment template against the domains required for your tier. Evaluate your implementation status for each requirement and gather supporting evidence.

3. Implement controls and close gaps (4–12 weeks, varies)

Address any gaps between your current posture and the requirements. This may involve deploying security tools, writing policies, configuring systems, and training staff.

4. Engage a certification body (1–2 weeks)

Select one of CSA's appointed certification bodies. Submit your self-assessment and supporting documentation. Discuss scope, timeline, and fees.

5. Certification audit (2–6 weeks)

An independent assessor conducts a thorough review — both document verification AND implementation effectiveness assessment. Unlike Cyber Essentials, this is not just a desktop review. The assessor verifies that controls are actually working.

6. Certification awarded (certification valid 3 years)

Upon successful verification, you receive the Cyber Trust Mark — valid for 3 years with yearly audits. You're listed in CSA's Directory of Certified Organisations.

Annual audits (ongoing, yearly)

Maintain your certification with yearly verification audits. These confirm your controls remain effective and your security programme adapts to evolving threats.

The self-assessment and audit process

The Cyber Trust assessment is a two-phase process that goes deeper than Cyber Essentials:

Phase 1

Document review and verification

The certification body reviews your self-assessment, policies, procedures, and supporting documentation. This confirms that your security programme is properly documented and governance is in place.

Phase 2

Implementation and effectiveness

The assessor verifies that documented controls are actually implemented and working. This may involve reviewing system configurations, testing controls, interviewing staff, and examining evidence of ongoing operations.

This is not a paper exercise. The assessor will test whether your controls actually work — not just whether you've documented them. A beautifully written incident response plan that's never been tested won't pass. Security tools that are deployed but misconfigured won't pass. Start with genuine implementation, not documentation.

Who gives the certification?

Like Cyber Essentials, the Cyber Trust certification is administered by certification bodies appointed by CSA. You cannot self-certify.

Finding your certification body: Visit CSA's "How to get certified" page for the current list of appointed certification bodies. Certification charges and time needed differ between providers and by scope of certification.

CSA's CISO-as-a-Service (CISOaaS) programme is also available for organisations progressing from Cyber Essentials to Cyber Trust. If you've already achieved Cyber Essentials or have good cyber hygiene, CISOaaS consultants can help you develop a cybersecurity health plan and work towards Cyber Trust certification. Funding support is available for eligible SMEs.

Benefits of getting certified

Cybersecurity leadership positioning

Cyber Trust is the benchmark for advanced cybersecurity capabilities. It positions your organisation as an industry leader in security excellence — a powerful differentiator in competitive markets.

Strengthened security and resilience

The structured framework fortifies your posture across IT, cloud, OT, and AI systems. This isn't theoretical — it directly reduces your exposure to evolving cyber threats.

Customer and investor trust

Certification reinforces trust with clients, partners, and investors. It demonstrates a proactive commitment to cybersecurity — not just a reactive response to incidents.

Discounted cyber insurance

Certified organisations are eligible for discounted rates from insurers including Blackpanda, Delta Underwriting, Protos Labs, and QBE Insurance Singapore.

Google Cybersecurity Certificate scholarships

Organisations that have appointed a certification body for Cyber Trust are eligible for Google Cybersecurity Certificate scholarships.

Future-proof your business

The enhanced framework provides guidance on emerging risks — cloud, OT, AI — ensuring your organisation stays secure as the threat landscape evolves.

CSA funding support

CSA provides significantly more funding support for Cyber Trust than for Cyber Essentials — reflecting the higher investment required. This funding is deducted directly from the certification body's fees.

Funding deadline: Current funding support is available until 6 February 2028. Applies only to the first successful Cyber Trust certification per organisation. Only SMEs and Non-Profit Organisations (NPOs) incorporated in Singapore are eligible.

Cyber Trust (2025) — CSA Funding Support

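| Endpoints | Classical Cybersecurity | Cloud / OT / AI Security* |
|-----------|-------------------------|---------------------------|
| 1–10      | SGD 1,375               | SGD 225 per pillar        |
| 11–20     | SGD 1,375               | SGD 225 per pillar        |
| 21–50     | SGD 1,625               | SGD 225 per pillar        |
| 51–100    | SGD 1,875               | SGD 225 per pillar        |
| 101–200   | SGD 2,250               | SGD 450 per pillar        |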

* Funding for cloud, OT, and AI security is per digital technology pillar. For example, certifying for classical + cloud + AI security with 51–100 endpoints: SGD 1,875 + SGD 225 + SGD 225 = SGD 2,325 total funding support.

How Security Pulse maps to Cyber Trust

Cyber Trust's risk-based framework demands more than point solutions. Security Pulse provides integrated, continuous security operations that map to Cyber Trust domains across all tiers:

| Cyber Trust Domain | What's Required | Security Pulse Capability |
|--------------------|-----------------|---------------------------|
| Cyber Governance | Security policies, risk management framework, board-level oversight | Security posture dashboards, compliance status reporting, executive-ready risk summaries |
| Cyber Risk Management | Risk identification, assessment, treatment, and monitoring | Continuous risk scoring, vulnerability prioritisation, threat intelligence integration, risk trend analysis |
| Cyber Education | Cybersecurity awareness training, role-based education | Security awareness programme tracking, phishing simulation dashboards, training compliance monitoring |
| Asset Management | Hardware, software, data, and cloud asset inventories | Automated asset discovery, real-time inventory management, cloud service mapping, EOS tracking |
| Access Control | Identity management, MFA, privileged access, account reviews | Identity monitoring, MFA enforcement tracking, privileged access alerts, dormant account detection, automated access reviews |
| Cyber Threat & Incident Management | Threat detection, incident response, recovery | 24/7 threat detection, automated incident workflows, response playbooks, forensic evidence collection, post-incident reporting |
| System Security | Secure configuration, patch management, vulnerability management | Configuration compliance scanning, patch status dashboards, vulnerability scanning, security baseline monitoring |
| Resilience | Business continuity, backup, disaster recovery | Backup status monitoring, recovery testing alerts, business continuity dashboards |
| Third-Party Risk | Vendor security assessment, supply chain risk | Third-party security monitoring, vendor risk scoring, SaaS security posture assessment |
| Cloud Security | Cloud posture management, shared responsibility, data sovereignty | Cloud security posture management (CSPM), misconfiguration detection, cloud access monitoring |

The bottom line: Cyber Trust demands continuous security operations — not a one-time effort. Security Pulse provides the always-on monitoring, automated controls, and compliance reporting that makes both initial certification and annual audits manageable without a large security team.
