Singapore Cyber Hygiene Practice — Cybersecurity Code of Practice

Overview

The Singapore Cyber Hygiene Practice — Cybersecurity Act Section 26/TM-CC01 establishes baseline cybersecurity requirements for Critical Information Infrastructure (CII) operators in Singapore. The practice defines minimum security controls that CII owners must implement to maintain basic cyber hygiene protecting systems critical to Singapore’s essential services.

Issued under the Cybersecurity Act by the Cyber Security Agency of Singapore (CSA), TM-CC01 applies to owners of designated Critical Information Infrastructure including systems supporting essential services in sectors such as energy, water, banking, healthcare, and transportation. It mandates implementation of prescribed cybersecurity practices across defined control domains.

CII owners implement TM-CC01 by assessing current practices against mandated controls, implementing required security measures, and maintaining compliance evidence for CSA regulatory oversight. The practice integrates with broader NIST CSF and ISO 27001 aligned security programs.

Why it Matters

Singapore’s Cyber Hygiene Practice establishes mandatory baseline security controls protecting critical infrastructure supporting the nation’s essential services from cyber threats.

Key benefits include:

• Meet CII regulatory requirements

Comply with mandatory CSA requirements for Critical Information Infrastructure operators in Singapore.

• Protect critical services

Implement baseline controls protecting systems supporting Singapore’s essential services from cyber attacks.

• Demonstrate security governance

Show CSA organized security program implementation aligned with national cybersecurity requirements.

• Support resilience

Build security foundations supporting continuity of critical infrastructure operations during cyber incidents.

• Enable CSA oversight

Maintain compliance evidence supporting CSA audit and oversight activities under the Cybersecurity Act.

How it Works

TM-CC01 organizes baseline security requirements across control domains including asset management, access control, network security, patch management, configuration management, and incident response. CII owners implement prescribed controls, maintain documentation, and undergo periodic CSA assessments.

Organizations implement TM-CC01 by mapping current security controls against prescribed requirements, addressing gaps, implementing required measures, and maintaining compliance evidence for CSA review.

Key Elements

• Asset Management Controls

Requires inventory and management of hardware and software assets in CII environments.

• Access Control Requirements

Mandates access management controls protecting CII systems from unauthorized access.

• Patch and Configuration Management

Establishes requirements for timely patching and secure configuration of CII systems.

• Incident Response Obligations

Defines incident response requirements including CSA notification obligations.

Framework Scope

Singapore TM-CC01 applies to owners of designated Critical Information Infrastructure in Singapore across ten essential service sectors. Mandatory for all designated CII operators.

Framework Objectives

Singapore’s Cyber Hygiene Practice establishes baseline security controls protecting Critical Information Infrastructure supporting Singapore’s essential services.

• Implement mandatory baseline cybersecurity controls for CII operators
• Protect critical infrastructure supporting Singapore’s essential services
• Enable CSA oversight and regulatory compliance for CII owners
• Build security foundations supporting critical infrastructure resilience
• Align CII security practices with national cybersecurity standards

Common Framework Mappings

Mapped frameworks include:

ISO/IEC 27001

NIST Cybersecurity Framework

Singapore Cybersecurity Act

SOC 2