Singapore Cyber Essentials 2025: A Service Provider's Guide to Building a Certification Practice

Singapore's Cyber Essentials 2025 covers cloud, AI, and OT. How Singapore MSPs can build a scalable certification service around the CSA framework.

Oussama Louhaidia · Updated April 16, 2026 · 9 min read

Singapore’s Cyber Essentials mark has been around since 2022. Most IT service providers in Singapore know it exists. Far fewer have built a service around it.

That’s about to change.

On April 15, 2025, the Cyber Security Agency of Singapore (CSA) overhauled the framework — expanding it to cover cloud security, AI security, and operational technology. The 2022 version is now retired. Every organisation seeking certification in Singapore today is assessed under the new 2025 standard. And the February 2026 deadline that let companies straddle both versions has passed.

If you’re an IT service provider or MSP in Singapore, this is the moment to move. Here’s what changed, what it means for your clients, and how to structure a practice around it.


Why Cyber Essentials Is Back in the News

Singapore’s Senior Minister of State for Digital Development, Tan Kiat How, addressed 120 executives at the April 2025 launch event at the National Library. His message was direct: digitalisation is expanding the attack surface, and SMEs are the primary target.

The data backs that up. Phishing cases in Singapore surged 49% in 2024, hitting over 6,100 reported incidents — up from 4,100 the year before. Twelve percent of those attacks used AI-generated content, according to CSA’s Singapore Cyber Landscape 2024/2025 report. More than 8 in 10 organisations experienced a cyber incident in the most recent Singapore Cybersecurity Health Report.

Despite that, fewer than 500 businesses hold the Cyber Essentials mark today. Out of more than 300,000 companies in Singapore.

That gap is the market. And the 2025 expansion gives service providers a concrete, deliverable service to offer clients who know they need to close it.


What Changed in Cyber Essentials 2025

The core framework still runs across five domains: Identify, Protect, Secure Updates, Backup, and Respond. The 2025 version raises the bar on each, then adds three new optional modules that are billable, auditable, and in demand.

Patching: 14-Day Hard Deadline

The old framework allowed flexible update schedules. The 2025 standard mandates that critical security patches are applied within 14 days of release. That’s a policy-driven requirement, not a best-practice suggestion. For service providers managing endpoints, it means automated patching workflows and documented evidence — not ad hoc updates.

Backup: Ransomware-Specific Requirements

“We have backups” no longer passes. The 2025 standard requires designated ransomware recovery copies with encryption at rest, encryption in transit, and defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). If you’re running backup-as-a-service for clients, this is a direct upsell into documented, tested, auditor-ready backup configurations.

Incident Response: Documentation Required

Clients must have a formal IR plan with defined RTOs and RPOs — not a template downloaded from the internet, but something they’ve actually reviewed and tested. Auditors check this. If you offer managed security services, incident response documentation is part of what your clients now need from you.

Cloud Security Add-On

Over 30% of Singapore SMEs use cloud services. The new cloud module covers how organisations secure their cloud environments — not just that they’re on AWS or Azure, but that they’ve configured it properly, control access, and understand the shared responsibility model. This is an audit-ready service most IT providers already deliver informally. The 2025 framework lets you formalise it.

AI Security Add-On

Shadow AI — employees using ChatGPT, Claude, or other AI tools without authorisation — is now a documented risk category under Cyber Essentials 2025. The framework requires controls to detect and govern unauthorised AI use. Most clients have no idea what AI tools their staff are using or what data is being fed into them. If you can assess and address that, you have a service that didn’t exist 18 months ago.

OT Security Add-On

For clients in manufacturing, logistics, or facilities management with legacy operational technology, the OT module addresses supply chain risk and vulnerabilities in old industrial devices connected to modern networks. If you serve those sectors, this is a specialisation worth building.


What Clients Actually Need From You

The Cyber Essentials process runs through CSA-approved auditors. Your role as a service provider is to get clients ready before the auditor arrives — and keep them ready afterward.

Here’s the standard engagement flow:

Scoping. Define what systems, users, and environments fall within the certification boundary. Clients often underestimate this — cloud accounts, personal devices, and SaaS tools are all potentially in scope.

Self-assessment. CSA publishes self-assessment templates for each sub-scheme. Walk through the relevant template with the client. Identify gaps before the auditor does.

Gap remediation. Fix what’s broken — patching cycles, backup configs, missing IR documentation, uncontrolled admin access. This is where the billable work sits.

Documentation. Produce the artefacts auditors expect: asset inventories, patch logs, backup test records, IR plans, acceptable use policies.

Audit submission. Connect the client with a CSA-approved certification body and guide them through the process.

Ongoing compliance. Cyber Essentials isn’t a one-time assessment. Controls need to be maintained. That’s a recurring managed service.

Sub-Schemes Worth Knowing

CSA co-developed targeted sub-schemes with other government agencies:

  • Cyber Essentials for ICT Vendors (with IMDA) — applies to pre-approved vendors under SMEs Go Digital. If your clients sell IT products or services to SMEs via the government programme, this is the path.
  • Cyber Essentials for HIA Entities (with MOH) — for organisations covered under the Health Information Act.
  • Cyber Essentials for HIMS Vendors (with MOH) — for clinic management system and health IT vendors.

If you serve clients in healthcare or technology distribution, these sector-specific paths are your entry point.


The Business Case for Building This Service

The economics are straightforward.

First-time applicants get subsidised. CSA grants offset a significant portion of certification costs for SMEs under the SG Cyber Safe Programme. That removes the price objection. You’re not asking clients to spend money they don’t have — the government is helping fund it.

The mark creates procurement advantages. Ascent Solutions, an IT firm quoted in the Straits Times’ April 2025 coverage of the launch, said the Cyber Trust mark directly opened doors to larger tenders and reduced friction with partner referrals. The same logic applies at the SME level with Cyber Essentials. If your clients sell to enterprise buyers or bid for government contracts, the mark matters.

The controls are managed services in disguise. Patch management, backup verification, incident response planning, asset inventory — these aren’t new services. They’re what competent MSPs already do. Cyber Essentials is the framework that lets you charge properly for them, bundle them into a named product, and attach a government-backed trust mark to the outcome.

The market is almost entirely untouched. 500 certified businesses out of 300,000 companies. The firms that move now will own the referral networks, case studies, and pricing benchmarks for years.


Where the Content Gap Is

Search “Cyber Essentials Singapore MSP” today. You’ll find a gated guide from 6clicks (requires an email form), an SME-focused guide from Arkshield (not written for service providers), and professional services pages from Big Four firms with no operational depth.

There is no ungated, practitioner-grade guide explaining how to actually run Singapore Cyber Essentials as a service. That’s the gap. And it’s the same gap your business can own in client conversations.


How GetCybr Supports Singapore Service Providers

Running Cyber Essentials across multiple clients requires structure you can’t build in spreadsheets.

GetCybr is built for service providers running structured compliance programmes across a book of clients. For a Cyber Essentials practice in Singapore, that means:

Assessment templates mapped to the 2025 framework. Run a standardised gap analysis across each client. Know where every client stands against the five core domains and the three add-on modules.

Gap reports clients can act on. Clear output showing what needs fixing and why — before an auditor arrives. Reduces back-and-forth, speeds up client sign-off.

Policy and documentation library. The IR plans, backup policies, asset inventory templates, and acceptable use policies that auditors check. Pre-built, customisable, and tied to client records.

Multi-client visibility. See the certification status of every client in one view. Know who’s ready, who’s at risk, and where to focus your team’s time.

Recurring compliance tracking. Cyber Essentials doesn’t end at certification. Controls need to stay in place. GetCybr gives clients a live view of their compliance posture and gives your team the data to catch drift before it becomes a finding.

This is what turns a one-time certification engagement into a recurring managed compliance service.



What to Do Next

If you’re an IT service provider or MSP serving Singapore SMEs:

  1. Map your current clients to Cyber Essentials 2025. Start with the CSA self-assessment template on csa.gov.sg. Identify who has gaps across the five core domains. That’s your pipeline.

  2. Build a service package. Pre-assessment, gap remediation, documentation, audit support, ongoing monitoring. Price it as a managed service, not a project.

  3. Identify sub-scheme clients. ICT vendors, healthcare entities, and HIMS vendors have more direct certification paths — and more defensible niches for your practice.

  4. Leverage the subsidies. First-time SME applicants qualify for CSA grants. Use that to remove the cost objection and get clients moving.

  5. Build the case study fast. The first service provider to publish a credible Singapore Cyber Essentials case study in a given vertical owns the search results for that niche. Move before your competitors do.

The market is open. The certification is funded. The framework is clear.


Oussama Louhaidia is a CISO and vCISO advisor, and founder of GetCybr — an AI-powered GRC platform built for MSPs and vCISOs. GetCybr helps service providers run structured compliance programmes across their client base.
