Services · the whole staircase

Start on the step you need.

Every mark on this page sits on a staircase, not a shelf. Cyber Essentials comes first for most SMEs because that is what tenders ask for. Each mark after it reuses the last one's homework: the same asset list, the same evidence habits, built on rather than redone. Start where your tender, your customer or your regulator is actually pointing. (say real: no need buy the whole staircase, just the step you need.)

  1. Available now Cyber Essentials The baseline CSA mark most tenders ask for. Six days of work.
  2. Available now Data Protection Essentials The IMDA and PDPC baseline for personal data. Pairs naturally with Cyber Essentials.
  3. Available now Cyber Essentials for clinics The healthcare variant, mapped to the Health Information Act. Built for clinic hours.
  4. First cohort late 2026 Cyber Trust mark The tiered CSA mark for growing organisations. Tier 3 becomes mandatory for licensed cyber providers by end-2026.
  5. From 2027 ISO 27001 · DPTM · ISO 42001 The long game: international standards and the Data Protection Trustmark, built on everything above.

Available now

Three marks you can book a chat about today.

Cyber Essentials readiness
Answers the tender clause asking for baseline cyber hygiene, CSA-recognised.
S$6,000
See the plan
Data Protection Essentials
Answers the customer questionnaire asking how you handle personal data.
Price at launch
See the plan
Cyber Essentials for clinics
Answers the Health Information Act, mapped to clinic hours and clinic risk.
Price at launch
See the plan

After the mark

vCISO and DPO retainer
Keeps a mark current after it is issued: a named lead, quarterly reviews, and DPO duty under the PDPA.
S$36,000 a year
See the retainer

Late 2026

Cyber Trust mark

S$22,000

The tiered CSA mark for larger or more digitalised organisations, five tiers, 10 to 22 domains, three-year validity. It becomes mandatory for some regulated entities on a schedule already set: licensed cybersecurity service providers need Tier 3 by 31 December 2026, CII auditors need Tier 5 by end-2026, and CII owners of non-CII systems need Tier 5 by end-2027. Our first cohort opens late 2026. Read about Cyber Trust readiness

From 2027: the long game

Three marks for organisations that have outgrown the baseline, each honest about its own wave.

ISO 27001 implementation From 2027
The international information-security standard, recognised in 180+ countries. About thirty-five days of work over four to six months.
S$35,000
Data Protection Trustmark (DPTM) From 2027
The IMDA and PDPC trustmark, three-year validity, typically three to five and a half months end to end.
Price at launch
ISO 42001 From 2027
The first international AI management system standard. Singapore accreditation is in an SAC pilot as at July 2026.
Price at launch

Want to be first when one of these opens? Join the waitlist

The marks, compared.

Validity and the readiness work involved, side by side, so you can plan the calendar as well as the budget.

See Cyber Essentials, Cyber Trust and ISO 27001 compared in full

Plain answers

Which mark do I actually need?

Most SMEs need Cyber Essentials first, because that is what most tenders and supply-chain questionnaires ask for. If you run a clinic, the Health Information Act variant applies. If you are unsure, the mock audit on this site takes ten minutes and routes you to the right mark before you spend anything.

Can we do Cyber Essentials and Data Protection Essentials at the same time?

Yes. The two schemes share a lot of the same evidence, your asset list, your access controls, your policies, so doing them together costs days, not weeks. We plan the bundle as one engagement.

Do these marks expire?

Yes, and the validity differs by mark: Cyber Essentials runs two years, Cyber Trust and DPTM run three. We diarise every renewal date for our clients, so the second pass arrives as a reminder, not a surprise.

Bring us the tender. We'll bring the plan.

A 30-minute chat with a consultant, not a salesperson. You leave with a plan on one page, whether or not you hire us.