CSA Cyber Essentials · checked July 2026
The mark most tenders ask for, done in six days of work.
Cyber Essentials is Singapore's baseline cybersecurity mark, issued under a CSA scheme. Tenders ask for it. Supply chains ask for it. We get you audit-ready the way a school preps for an exam that matters: a syllabus, a schedule, and someone beside you who has done it before.
Readiness record · private issue
- Scheme
- CYBER ESSENTIALS
- Scope
- S$6,000 · SIX DAYS
- Consultant
- NAMED ON EVERY JOB
- Reviewed
- JUL 2026
Cyber Essentials readiness: S$6,000, six days of work, up to 70% co-funded for eligible SMEs. That's the whole sentence.
The Cyber Essentials Mark is a Government-recognised certification confirming baseline cybersecurity controls. Increasingly required for tenders and supplier due-diligence.
No cert, cannot even join the tender. That’s how it is now one. Six days we get you ready, grant covers up to 70%. Then go and win your deal.
What the tender is actually saying.
Procurement clauses name this mark in three usual ways. All three mean the same homework.
- "The supplier shall hold a valid Cyber Essentials certification issued by CSA."
-
You need the mark before award, or a dated plan to get it. Six days of work; start before you bid.
(say real: Cannot just promise 'coming soon'; they want the mark or a real date on paper. Start now and it's settled before you even bid.)
- "Vendors must demonstrate baseline cyber hygiene aligned to national standards."
-
Cyber Essentials is the recognised way to answer this line. The mark is the demonstration.
(say real: Sounds cheem, but it's just asking for Cyber Essentials without naming it. One mark answers the whole line.)
- "Suppliers handling company data must complete the attached security questionnaire."
-
The questionnaire maps almost one-to-one to the Cyber Essentials evidence pack. Do the mark once, answer questionnaires forever.
(say real: The questionnaire looks jialat, but your evidence pack already wrote the answers. After the first one, the rest is copy and paste.)
Got a clause that reads differently? Send us the paragraph and a consultant will translate it, free, usually the same day. Send the clause. You can also look an acronym up in the decoder, or read how one supplier handled a tight tender in this letter from the neighbourhood.
The whole standard is five areas.
Not five hundred.
-
Assets
Know what you have: the people, the laptops, the software, the data. Most gaps hide in the list nobody keeps.
-
Secure and protect
Anti-malware on, access controlled, settings hardened. The locks the auditor will actually rattle.
-
Update
Software patched on a schedule you can show, not a habit you describe.
-
Backup
The essential data backed up, and a restore you have actually tested once.
-
Respond
A one-page plan for the bad day: who calls whom, in what order, saying what.
Six days, planned before we start.
You see this schedule in the proposal, with names and dates on it. Days are working days of our time, usually spread over two to four weeks around your operations.
- Day 1
Scope and asset list. We walk your business, not a template.
- Day 2
Gap assessment against the standard, graded like a mock exam.
- Day 3
Policies and fixes, written in sentences your staff will read.
- Day 4
Technical remediation with your IT person or vendor.
- Day 5
Evidence pack assembled: every control, every proof, one folder.
- Day 6
Dry run of the assessment, then submission prepared together.
The money, counted out.
Two separate costs, both shown here. Nobody should discover a second invoice by surprise.
- Our readiness fee: S$6,000. Six days of consultant work. Up to 70% co-funding for eligible SMEs under CSA's CISOaaS programme.
- The certification body's audit fee, billed by them. CSA currently offsets S$250 to S$650 of it for first certifications, scaled by company size.
If the assessor finds a gap, we close it.
Audit-ready means every control evidenced, every document in place, and a dry run completed. If the certification body still finds a gap in scope we prepared, we fix it with you at no extra fee. It is in the engagement letter.
Certification requires evidence that controls are implemented and operating, assembled correctly the first time to avoid a failed assessment.
You can DIY, sure. But fail the audit, redo everything: waste time, waste money. We get it right the first round, so when the auditor come, no surprises.
Plain answers
What does the Cyber Essentials mark cost in total?
Our readiness fee is S$6,000 for six days of work; eligible SMEs can have up to 70% co-funded under CSA's CISOaaS programme. The certification audit is billed separately by a CSA-appointed certification body, and CSA currently offsets S$250 to S$650 of that fee for first certifications, with support running to 6 February 2028.
How long is Cyber Essentials valid?
Two years. We diarise the renewal and the second pass is faster, because your evidence pack already exists.
Is Cyber Essentials an audit or a self-assessment?
You complete a self-assessment against the standard, and an independent assessor from a certification body verifies it. We prepare the self-assessment and the evidence with you, then rehearse the verification.
Do I need Cyber Essentials or Cyber Trust?
Cyber Essentials is the baseline mark for most SMEs and most tenders. Cyber Trust is the tiered mark for larger or more digitalised organisations, and it becomes mandatory for some regulated entities from end-2026. If you are unsure, the mock audit on this site routes you to the right one.
What happens if the assessor finds a gap after your six days?
If it is in the scope we prepared, we fix it with you at no extra fee. That promise is in the engagement letter, not just on this page.
Bring us the tender. We'll bring the plan.
A 30-minute chat, a named consultant, and a one-page plan with dates on it. You keep the plan either way.