
CSA Cybersecurity Cyber Essentials mark certification

Demonstrate your commitment to cybersecurity with implementation of cyber hygiene practices

What is CSA Cyber Essentials Mark?

Funding support available from CSA

Cyber-attacks continue to dominate headlines worldwide, exposing enterprises to significant risk and placing them under intense scrutiny from regulators, investors, and customers. Having systems and processes to secure your business is imperative to mitigate the risk of financial loss, loss of sensitive data, operational downtime and more.

The Cyber Essentials mark is a cybersecurity certification, developed by the Cyber Security Agency of Singapore (CSA), for organisations that are embarking on their cybersecurity journey. It recognises that the organisation has put in place good cyber hygiene practices to protect its operations and its customers against common cyber attacks.

The Cyber Essentials mark is targeted at organisations with limited IT and/or cybersecurity expertise and resources to dedicate towards protecting IT assets and personnel.

The Cyber Essentials mark is a self-declaration assessment built on CSA-guided foundational concepts of a generally acceptable cybersecurity posture in Singapore. Enterprises can benefit from the framework by implementing the recommended cybersecurity practices in Assets, Secure/Protect, Update, Backup and Respond.


What's new in the enhanced CSA Cyber Essentials certification?

In April 2025, CSA introduced the expanded Cyber Essentials certification mark, broadening its scope to help organisations strengthen their defences against evolving cyber threats. The enhanced framework now includes essential security controls and best practices across three key areas:

  • Cloud security: Ensuring secure cloud adoption and management to protect critical data and services
  • Operational Technology (OT) security: Safeguarding industrial control systems from cyber threats
  • AI security: Implementing best practices for securing AI-driven applications and mitigating AI-specific vulnerabilities

The expanded Cyber Essentials offers clear guidance on measures organisations can take to defend against common cyberattacks targeting cloud infrastructure, OT environments, and AI applications.

Why should an organisation apply for CSA Cyber Essentials Mark Certification?

While strengthening the cybersecurity of an organisation is necessary, these cyber security practices must be up to the mark. The CSA cyber security essentials certification is a testament to your organisation’s commitment to secure IT operations. An organisation can gain the following benefits from achieving the certification:

  • Preparedness against common cyber threats
  • Assurance that the cybersecurity of the organisation is prioritised
  • Implementation of the primary measures for cyber security
  • Validation of your cybersecurity strategy

The CSA Cyber Essentials mark serves as recognition that the organisation has established good cyber hygiene practices to safeguard its business operations and clients from common cyberattacks. The Cyber Essentials self-assessment option protects your company from the most frequent hacking attempts. Organisations should apply for the CSA Cyber Essentials scheme if they have limited IT and/or cybersecurity knowledge and funds to dedicate to safeguarding IT resources and employees.

A versatile cyber security essentials certification partner like TÜV SÜD can help you delve into the specifics of a cyber security strategy.


What will be assessed for the CSA Cyber Essentials Mark?

CATEGORY: ASSETS
  • People – Equip employees with the know-how to be the first line of defence
  • Hardware and software – Know what hardware and software the organisation has and protect them
  • Data – Know what data the organisation has, where it is, and secure the data
CATEGORY: SECURE/PROTECT
  • Virus/Malware Protection – Protect from malicious software like viruses and malware
  • Access control – Control access to the organisation's data and services
  • Secure configuration – Use secure settings for the organisation's hardware and software
CATEGORY: UPDATE
  • Software updates – Update software on devices and systems
CATEGORY: BACKUP
  • Back up essential data – Back up the organisation's essential data and store it offline
CATEGORY: RESPOND
  • Incident response – Be ready to detect, respond to, and recover from cyber incidents

TÜV SÜD is your trusted partner in CSA Cyber Essentials Certification

TÜV SÜD’s experienced auditors possess the accreditation and expertise to conduct Cyber Essentials mark and Cyber Trust mark audits across industries and locations. Our status as an independent certification body ensures that the TÜV SÜD certification mark is accepted worldwide, making it a powerful tool for distinguishing your company in the market. By being certified by TÜV SÜD, you can demonstrate your accountability for protecting your organisation and your customers’ cyber safety.

TÜV SÜD PSB provides a one-stop solution to support enterprises on a full suite of cybersecurity services such as:

  • SS 714 Data Protection Trustmark (DPTM)
  • ISO 27001 Information Security Management
  • ISO 27701 Privacy Information Management
  • ISO 27017 and ISO 27018 Cloud Security
  • SS 584 Multi-Tier Cloud Services
  • Cyber Security Code of Practice (CCoP) compliance audit
  • Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) System Certification
  • Payment Card Industry Data Security Standard
  • Vulnerability Assessment & Penetration Testing
  • CSA Cybersecurity Labelling Scheme (CLS) Certification
  • CSA Cybersecurity Certification Cyber Trust mark

Application Process

Here is the application and certification process for enterprises interested in the CSA Cyber Essentials mark:

[Figure: CSA Cyber Essentials Mark Application Process]

Frequently asked questions

What is the validity of the CSA Cyber Essentials mark?

The CSA Cyber Essentials mark is valid for two years upon successfully completing the Cyber Essentials certification.

Are supporting documents required for self-declared CSA Cyber Essentials mark?

Enterprises interested in the CSA Cyber Essentials mark are required to submit relevant documents to TÜV SÜD PSB for verification and recommendation, based on the Cyber Essentials requirements.

What is the mode of audit for CSA Cyber Essentials mark?

The CSA Cyber Essentials mark is a desktop review.

What should I prepare before applying for Cyber Essentials mark?

Companies should be familiar with the Cyber Essentials security controls and measures aligned with the Cyber Essentials mark’s requirements as per Q1. They are required to have relevant, quality documents ready to submit for review as part of the Cyber Essentials self-assessment.

How much does it cost to certify for the Cyber Essentials mark with TÜV SÜD?

Certification Fees for Cyber Essentials (2025)



| Quantity of End-Points | Classical Cybersecurity [2] | Add-on Digital Technologies: OT Security [1],[2] | Add-on Digital Technologies: AI Security [1],[2] | Add-on Digital Technologies: Cloud Security [1],[2] | Maximum Level of Support from CSA [3] |
|---|---|---|---|---|---|
| 1 - 10 | $500 | + $0 | + $0 | + $0 | $250 |
| 11 - 20 | $600 | + $0 | + $0 | + $0 | $350 |
| 21 - 50 | $700 | + $0 | + $0 | + $0 | $450 |
| 51 - 100 | $800 | + $0 | + $0 | + $0 | $600 |
| 101 - 200 | $1,000 | + $0 | + $0 | + $0 | $650 |
| 201 - 500 (in increments of 100 end-points) | + $0 | + $0 | + $0 | + $0 | Funding support is available up to 1st 200 end-points only. |
| 501 and above (in increments of 100 end-points) | + $0 | + $0 | + $0 | + $0 | |

| Quantity of End-Points | Classical Cybersecurity [2] | Cyber Essentials for ICT Vendors [1],[2] | OT Security [1],[2] | AI Security [1],[2] | Cloud Security [1],[2] | Maximum Level of Support from CSA |
|---|---|---|---|---|---|---|
| 1 - 10 | $500 | + $400 | + $0 | + $0 | + $0 | $250 |
| 11 - 20 | $600 | + $400 | + $0 | + $0 | + $0 | $350 |
| 21 - 50 | $700 | + $400 | + $0 | + $0 | + $0 | $450 |
| 51 - 100 | $800 | + $400 | + $0 | + $0 | + $0 | $600 |
| 101 - 200 | $1,000 | + $400 | + $0 | + $0 | + $0 | $650 |
| 201 - 500 (in increments of 100 end-points) | $0 | + $100 | + $0 | + $0 | + $0 | Funding support is available up to 1st 200 end-points only |

| Quantity of End-Points | Cyber Essentials for Health Information Act (HIA) Entities | OT Security [1],[2] | AI Security [1],[2] | Cloud Security [1],[2] | Maximum Level of Support from CSA for HIA entities |
|---|---|---|---|---|---|
| 1 - 5 | $900 | + $0 | + $0 | + $0 | $250 |
| 6 - 10 | $900 | + $0 | + $0 | + $0 | $250 |
| 11 - 20 | $1,000 | + $0 | + $0 | + $0 | $350 |
| 21 - 50 | $1,150 | + $0 | + $0 | + $0 | $450 |
| 51 - 100 | $1,250 | + $0 | + $0 | + $0 | $650 |
| 101 - 200 | $1,450 | + $0 | + $0 | + $0 | $725 |
| 201 - 500 (in increments of 100 end-points) | $100 | + $0 | + $0 | + $0 | Funding support is available up to 1st 200 end-points only |

| Quantity of End-Points | Cyber Essentials for Health Information Management System (HIMS) Vendors | OT Security [1],[2] | AI Security [1],[2] | Cloud Security [1],[2] | Maximum Level of Support from CSA for HIMS Vendors |
|---|---|---|---|---|---|
| 1 - 5 | $1,000 | + $0 | + $0 | + $0 | $250 |
| 6 - 10 | $1,100 | + $0 | + $0 | + $0 | $300 |
| 11 - 20 | $1,300 | + $0 | + $0 | + $0 | $400 |
| 21 - 50 | $1,500 | + $0 | + $0 | + $0 | $500 |
| 51 - 100 | $1,700 | + $0 | + $0 | + $0 | $675 |
| 101 - 200 | $2,000 | + $0 | + $0 | + $0 | $725 |
| 201 - 500 (in increments of 100 end-points) | $100 | + $0 | + $0 | + $0 | Funding support is available up to 1st 200 end-points only |

Notes

[1] Certification fees are add-on fees to charges for Cyber Essentials (2025) – Classical Cybersecurity
[2] As submitted in Proposal and/or clarification(s)
[3] For first successful certification per eligible organisation – Organisations that had previously secured funding support for Cyber Essentials (2022) are not eligible
[4] For first successful certification per eligible organisation for each digital technology pillar (cloud security, OT security, AI security)

** Price includes a one-time complimentary re-assessment (if applicable). 
** Price excludes GST

Is there any training available for the Cyber Essentials mark?

Training is available for companies that are interested in learning more or in being certified for the Cyber Essentials mark. A discounted bundle deal is available for companies that are keen to train and certify with TÜV SÜD.

How long does it take to be certified for CSA Cyber Essentials mark?

The overall estimated timeline for the CSA Cyber Essentials mark, based on the best scenario*, is one month from the date of notice to the certification award.

*The best scenario is when the enterprise has proactively submitted all the relevant documents on time from the 1st submission date, without requiring additional time.

Are there any government grants available?

Yes, funding support is available for companies. The subsidy amount is determined by the profile of the company, as follows:

| Quantity of End-points | Maximum Level of Funding Support from CSA (to be deducted from the certification fees charged by certification bodies) |
|---|---|
| 1 - 10 | S$250 |
| 11 - 20 | S$350 |
| 21 - 50 | S$450 |
| 51 - 100 | S$500 |
| 101 - 200 | S$550 |

Will I be penalised if I cannot complete the self-assessment or am unable to provide supporting documents?

Companies will be given a maximum of 3 reminders with a reasonable timeline to provide relevant and quality documents before their application is rejected. Please note that only 1st eligible applications will be eligible for the funding support.

What are the technical control requirements to obtain Cyber Security Essentials Certification?

The following provisions safeguard the organisation from malicious software:

  1. Equipping endpoints with anti-malware programmes to help identify attacks on the organisation's environment.
  2. Using scanners for viruses and malware to look for potential cyberattacks.
  3. Enabling automatic updates, or setting up the anti-malware programme to automatically update its signature files or equivalent, so that new malware can be detected.
  4. Setting up anti-malware programmes to scan the files automatically.
  5. Installing firewalls to secure networks that include computers, servers, and laptops.
  6. Configuring a software firewall so that it is switched on for all endpoints in the organisation.
  7. Verifying firewall configurations and rules once a year is crucial to safeguard the organisation's internet-facing assets.
  8. Employees must install or access only authorised software and attachments from reputable or official sources.
  9. Staff members must understand the importance of using secure network connections when accessing company data or official email.
  10. Employees must immediately alert the IT team and/or senior management to any suspicious email or attachment.

Why is employee training an important requirement for obtaining Cyber Security Essentials Certification?

Because cyber attackers use social engineering techniques to target employees, employees serve as the organisation's first layer of protection. A weak link among the staff is usually the culprit in security breaches. Therefore, all employees within the organisation must be appropriately trained to recognise these strategies, counteract them, and disclose any suspected incidents through the Cyber Essentials scheme.

What are the prerequisite procedures needed to obtain Cyber Security Essentials Certification?

The following provisions prepare you to identify, address, and recover from cybersecurity incidents:

  1. The organisation must establish a basic incident response plan to serve as a roadmap for handling common cybersecurity incidents.
  2. The organisation's employees with access to IT resources and/or environment must be aware of the incident response plan.
  3. Strengthen and enhance the incident response plan. The organisation should conduct a post-incident review and incorporate learnings.
  4. The incident response plan should be reviewed at least once a year as a good practice.

What is an end-point?

An end-point is a remote computing device that communicates back and forth with a network to which it is connected. Examples of end-points include: 

  • Desktops 
  • Laptops 
  • Smartphones 
  • Tablets 
  • Servers 
  • Workstations 
  • Internet-of-things (IoT) devices 

The number of end-points within your organisation is a cost parameter for this certification.
