Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
  1. Home
  2. News & Events
  3. Press Releases
  4. CSA’s Cyber Essentials and Cyber Trust Marks expanded to Include Cloud Security, Artificial Intelligence and Operational Technology
Press Releases

CSA’s Cyber Essentials and Cyber Trust Marks expanded to Include Cloud Security, Artificial Intelligence and Operational Technology

15 April 2025

The Cyber Security Agency of Singapore (CSA) launched the expanded Cyber Essentials and Cyber Trust certification marks today, to include coverage of cloud security, artificial intelligence (AI) security, and operational technology (OT) security areas. This was announced by Mr Tan Kiat How, Senior Minister of State for Digital Development and Information and for National Development, at a launch event attended by about 120 guests from the cybersecurity industry, trade associations and Small and Medium Enterprises (SMEs).

2. This expansion is necessary as organisations in Singapore are increasingly implementing more areas of digital technology1 that go beyond classical cybersecurity2, which also means more digital pathways for threat actors to exploit. In the expanded Cyber Essentials, organisations can find guidance on measures to protect themselves against the most common cyberattacks related to cloud, AI and OT. For Cyber Trust, these three new areas have been added to its assessment templates of risk and cybersecurity preparedness, as well as the treatment of risk. The expansion simplifies cybersecurity requirements in the new areas for organisations, especially SMEs, and make the adoption of good cyber hygiene practices easier.

3. Attaining the Cyber Essentials or Trust mark demonstrates an organisation’s commitment to robust cybersecurity practices, enhancing its reputation and trust among customers. CSA is assessing the possibility of requiring organisations that are given access to sensitive data to obtain these marks, before they can be licensed or bid for government contracts. Government may also take the lead to incorporate cybersecurity considerations in its procurement decisions. SMEs can get help with implementing cybersecurity measures aligned to the Cyber Essentials mark from CSA’s Chief Information Security Officer (CISO) as-a-Service scheme. CSA offers up to 70 per cent co-funding for eligible SMEs to engage cybersecurity consultancy services.

Cloud Computing

4. Organisations can now take reference from the expanded Cyber Essentials content to secure their cloud usage. For example, organisations should refer to the cloud shared responsibility model in determining the scope of work with its cloud service provider as well as ensure that its cloud-using employees put in place measures to secure user-level settings in the cloud.

5. As for Cyber Trust, organisations are guided through a list of cloud-related risk scenarios to make their own cybersecurity assessments according to their risk profile. For example, in one scenario, the attacker exploits insecure Application Programming Interface (API) in the organisation’s cloud service and gains unauthorised access to the organisation’s data or disrupts the delivery of its cloud services.

Artificial Intelligence

6. Organisations who use or plan to use AI can take reference from the expanded Cyber Essentials content on how to utilise AI securely. For example, under the “Assets” category, which focuses on the need for organisations to know their own software assets, it provides guidance on how an organisation can have visibility on third-party AI tools used by its employees but not provided by the organisation (also known as Bring Your Own AI). Organisations should mitigate the associated risks as any compromise could lead to leakage of confidential data.

7. As for Cyber Trust, an example of a risk scenario is one where an attacker exploits a weakness in an insecure Large Language Model (LLM) used by the organisation and injects malicious content as prompts to manipulate the behaviour of the LLM.

Operational Technology

8. The expanded Cyber Essentials will guide organisations on how to secure their OT environment, as well as to manage OT/IT convergence securely. For example, as OT typically has longer investment cycles than information technology (IT), OT environments could have older devices and/or systems that may not support strong access control measures such as secure passphrases. Organisations should thus put in compensating controls such as physical access control or network segmentation.

9. As for Cyber Trust, an example of a risk scenario is one where an organisation’s OT vendor connects its laptop, which had been infected by malware from another customer’s network, to the organisation’s OT network and infects it.

Cyber Essentials in Action

10. At the launch event today, over 20 guests from SMEs took part in an incident response scenario role-play game developed by CSA. Called “Cyber Essentials in Action”, participants were each assigned a role, such as SME owner, communications manager or IT manager. In their respective teams, they were then given game cards with common cybersecurity incident scenarios and a range of action options, of which they had to identify the correct ones. CSA has incorporated this game into its suite of free cybersecurity toolkits for organisations to engage their staff in a more novel way.

11. Please refer to Annex A for an infographic which outlines the changes in the expanded Cyber Essentials and Trust. For more information on how to get certified, please refer to this.



1As reported in the Infocomm Media Development Authority (IMDA)’s Singapore Digital Economy Report 2024

2Classical cybersecurity typically refers to the measures that secure and protect information technology assets. Cloud, AI and OT cybersecurity are not considered as part of classical cybersecurity.

For media queries, please contact:

Tan Yi Shu

Senior Manager, Comms & Engagement Office

H/P: 9741 3025

Email: tan_yi_shu@csa.gov.sg

About the Cyber Security Agency of Singapore

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes.

CSA is part of the Prime Minister’s Office and is managed by the Ministry of Digital Development and Information. For more news and information, please visit www.csa.gov.sg.

Back to top