Cyber Security Essentials Certification

CSA Cybersecurity Cyber Essentials mark Certification

Demonstrate your commitment to cybersecurity with implementation of cyber hygiene practices

Funding support available from CSA

Cyber-attacks continue to dominate headlines worldwide, exposing enterprises to significant risk and placing them under intense scrutiny with regulators, investors, and customers. Having systems and processes to secure your business is imperative to mitigate the risk of financial loss, loss of sensitive data, operational downtime and more.

WHAT IS CSA CYBER ESSENTIALS MARK?

The Cyber Essentials mark is a cybersecurity certification, developed by Cyber Security Agency of Singapore (CSA), for organisations that are embarking on their cybersecurity journey. It serves to recognise that the organisation has put in place good cyber hygiene practices to protect their operations and their customers against common cyber attacks.

The Cyber Essentials mark is targeted at organisations with limited IT and/or cybersecurity expertise and resources to dedicate towards protecting IT assets and personnel.

The Cyber Essentials mark is a self-declaration assessment with CSA guided foundational concepts of generally acceptable cybersecurity posture in Singapore. Enterprises can benefit from the framework by implementing the recommended cybersecurity practices in Assets, Secure/Protect, Update, Backup and Respond. 

WHY SHOULD AN ORGANISATION APPLY FOR CSA CYBER ESSENTIALS MARK CERTIFICATION?

While strengthening the cybersecurity of an organisation is necessary, these cyber security practices must be up to the mark. The CSA cyber security essentials certification is a testament to your organisation’s commitment to secure IT operations. An organisation can gain the following benefits from achieving the certification:

  • Affords preparedness against common cyber threats
  • Ensures cybersecurity of the organisation is prioritised
  • Implements the primary measures for cyber security
  • Validates your cybersecurity strategy

The CSA Cyber Essentials mark serves as recognition that the organisation has established good cyber hygiene practices to safeguard its business operations and clients from common cyberattacks. The Cyber Essentials self-assessment option protects your company from the most frequent hacking attempts. Organisations should apply for the CSA Cyber Essentials scheme if they have limited IT and/or cybersecurity knowledge and funds to dedicate to safeguarding IT resources and employees.

A versatile cyber security essentials certification partner like TÜV SÜD can help you delve into the specifics of a cyber security strategy.

WHAT WILL BE ASSESSED FOR THE CSA CYBER ESSENTIALS MARK?

CSA Cyber Essentials mark's self-assessment consists of the following cybersecurity controls and measures:

 

  • CATEGORY: ASSETS
    • People – Equip employees with the know-how to be the first line of defence
    • Hardware and software – Know what hardware and software the organisation has and protect them
    • Data – Know what data the organisation has, where they are, and secure the data

     

  • CATEGORY: SECURE/PROTECT
    • Virus/Malware Protection – Protect from malicious software like viruses and malware
    • Access control – Control access to the organisation's data and services
    • Secure configuration – Use secure settings for the organisation's hardware and software

     

  • CATEGORY: UPDATE
    • Software updates – Update software on devices and systems

     

  • CATEGORY: BACKUP
    • Back up essential data – Backup the organisation's essential data and store them offline

     

  • CATEGORY: RESPOND
    • Incident response – Be ready to detect, respond to, and recover from cyber incidents

     


TÜV SÜD IS YOUR TRUSTED PARTNER IN CSA CYBER ESSENTIALS CERTIFICATION

TÜV SÜD’s experienced auditors possess the accreditation and expertise to conduct Cyber Essentials mark and Cyber Trust mark audits across industries and locations. Our status as an independent certification body ensures that the TÜV SÜD certification mark is accepted worldwide, making it a powerful tool for distinguishing your company in the market. By being certified by TÜV SÜD, you can demonstrate your accountability for protecting your organisation's and your customers' cyber safety.

TÜV SÜD PSB provides a one-stop solution to support enterprises on a full suite of cybersecurity services such as:

  • Data Protection Trustmark
  • ISO 27001 Information Security Management
  • ISO 27701 Privacy Information Management
  • ISO 27017 and ISO 27018 Cloud Security
  • SS 584 Multi-Tier Cloud Services
  • Cyber Security Code of Practice (CCoP) compliance audit
  • Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) System Certification
  • Payment Card Industry Data Security Standard
  • Vulnerability Assessment & Penetration Testing
  • CSA Cybersecurity Labelling Scheme (CLS) Certification
  • CSA Cybersecurity Certification Cyber Trust mark

APPLICATION PROCESS

Here is the application and certification process for enterprises interested in the CSA Cyber Essentials mark:

 

CSA Cyber Essentials Mark Application Process

 

FREQUENTLY ASKED QUESTIONS

  • What is the validity of the CSA Cyber Essentials mark?

    The CSA Cyber Essentials mark is valid for two years upon successfully completing the Cyber Essentials certification.

     

  • Are supporting documents required for self-declared CSA Cyber Essentials mark?

    Enterprises interested in CSA Cyber Essentials mark are required to submit relevant documents to TÜV SÜD PSB for verification and recommendation, based on the Cyber essentials requirements.

     

  • What is the mode of audit for CSA Cyber Essentials mark?
    The CSA Cyber Essentials mark is a desktop review.
  • What should I prepare before applying for Cyber Essentials mark?

    Companies should be familiar with the cyber essentials security controls and measures aligned with the Cyber Essentials mark’s requirements as per Q1. They are required to have relevant and quality documents to be submitted for the Cyber Essentials self-assessment to be reviewed.

     

  • Is there any training available for the Cyber Essentials mark?

    Training is available for companies who are interested to learn more or to be certified for the Cyber Essentials mark. A discounted bundle deal is available for companies who are keen to train and certify with TÜV SÜD.

  • How long does it take to be certified for CSA Cyber Essentials mark?

    The overall estimated timeline based on best scenario* for CSA Cyber Essentials mark is one month from the date of notice to the certification award. 

    *Best scenario is when enterprises have proactively and timely submitted all the relevant documents from the 1st submission date without requiring additional time.

  • Are there any government grants available?

    Yes, funding support is available for companies and the subsidy amount is determined by the profile of the companies which is shown as follows:

    | Quantity of End-points | Maximum Level of Funding Support from CSA (to be deducted from the certification fees charged by certification bodies) |
    |---|---|
    | 1 - 10 | S$250 |
    | 11 - 20 | S$350 |
    | 21 - 50 | S$450 |
    | 51 - 100 | S$500 |
    | 101 - 200 | S$550 |

  • Will I be penalised if I cannot complete the self-assessment or am unable to provide supporting documents?
    Companies will be given a maximum of 3 reminders with a reasonable timeline to provide relevant and quality documents before their application is rejected. Please note that only 1st eligible applications will be eligible for the funding support.
  • What are the technical control requirements to obtain Cyber Security Essentials Certification?

    The following provisions safeguard the organisation from malicious software:

    1. Equipping endpoints with anti-malware programmes to help identify attacks on the organisation's environment.
    2. Using scanners for viruses and malware to look for potential cyberattacks.
    3. Enabling automatic updates, or setting up the anti-malware programme to automatically update signature files or similar, to find new malware.
    4. Setting up anti-malware programmes to scan the files automatically.
    5. Installing firewalls to secure networks that include computers, servers, and laptops.
    6. Setting up a software firewall so that the firewall is enabled on all endpoints in the organisation.
    7. Verifying firewall configurations and rules once a year is crucial to safeguard the organisation's internet-facing assets.
    8. Employees must install or access only authorised software and attachments from reputable or official sources.
    9. Staff members must understand the importance of using secure network connections when accessing company data or official email.
    10. Employees must immediately alert the IT team and/or senior management to any suspicious email or attachment.

     

  • Why is employee training an important requirement for obtaining Cyber Security Essentials Certification?

    Since cyber attackers use social engineering techniques to target employees for their motives, employees serve as the organisation's first layer of protection. A weak link in the staff is usually the culprit in security breaches. Therefore, all employees within the organisation must be appropriately trained to recognise these strategies, counteract them, and disclose any suspected incidents through the cyber essentials scheme.

     

  • What are the prerequisite procedures needed to obtain Cyber Security Essentials Certification?

    The following provisions prepare you to identify, address, and recover from cybersecurity incidents:

    1. The organisation must establish a basic incident response plan to serve as a roadmap for handling common cybersecurity incidents.
    2. The organisation's employees with access to IT resources and/or environment must be aware of the incident response plan.
    3. Strengthen and enhance the incident response plan. The organisation should conduct a post-incident review and incorporate learnings.
    4. The incident response plan should be reviewed at least once a year as a good practice.

     

  • What is an end-point?

    An end-point is a remote computing device that communicates back and forth with a network to which it is connected. Examples of end-points include: 

    • Desktops 
    • Laptops 
    • Smartphones 
    • Tablets 
    • Servers 
    • Workstations 
    • Internet-of-things (IoT) devices 

    The number of end points within your organisation is a cost parameter for this certification. 
