Which mark do I actually need first?
Most Singapore SMEs start with Cyber Essentials, because that is the baseline mark tenders and supplier forms ask for. Choose Cyber Trust if you are larger, more digitalised, or a regulator names a tier for you. Choose ISO 27001 if an overseas or MNC customer names the standard directly. If you are unsure, the ten-minute mock audit on this site routes you to the right one before you spend anything.
Is Cyber Trust just a bigger Cyber Essentials?
No. Cyber Essentials is a baseline hygiene mark you self-assess and have independently verified. Cyber Trust is a separate, risk-based standard (SS 712:2025) with five tiers spanning 10 to 22 domains, assessed by a full audit. They are different marks, but the homework overlaps: the asset lists, policies and evidence you build for Cyber Essentials carry forward into a Cyber Trust submission.
ISO 27001 or Cyber Trust: which do we need?
ISO 27001 is the international standard, recognised in 180+ countries, and it is the one MNC procurement teams and export customers name directly. Cyber Trust is CSA’s national, tiered mark for Singapore. Many mid-market firms end up holding both, because they answer different questions: one for global procurement, one for local regulatory and tender requirements.
Do we need all three?
Rarely, and almost never at once. Most SMEs need exactly one of them at any given time, decided by whichever tender, regulator or customer is in front of them. You climb to the next mark only when a new door asks for it, and because the evidence compounds, the next one is faster than the first.
Does one mark replace another?
No. Holding ISO 27001 does not remove a Singapore tender’s request for a CSA mark, and holding Cyber Essentials does not satisfy an MNC that has asked for ISO 27001 by name. They prove different things to different buyers, so the right answer is the mark your specific requirement names, not the most impressive one.
What does each cost in total?
Two costs each: our readiness fee, and the certification body’s audit fee billed by them. Readiness is S$6,000 for Cyber Essentials, S$22,000 for Cyber Trust and S$35,000 for ISO 27001. Cyber Essentials and Cyber Trust are co-funded up to 70% for eligible SMEs through CSA’s CISOaaS programme; ISO 27001 draws on the Enterprise Development Grant, up to 50%, if you apply before work starts. The grant calculator works out your likely share.
If we start with one, does the work carry over?
Yes, and that is the point of doing them in order. The asset register, the access controls, the written policies and the evidence pack you assemble for Cyber Essentials or Cyber Trust are the same raw material an ISO 27001 information-security system is built from. We build on what exists rather than starting the next mark from a blank page.