← Back to all briefings

Cybersecurity · Credibility 92/100 · · 2 min read

Singapore Enhances CII Cybersecurity Code of Practice — July 4, 2022

The Cyber Security Agency of Singapore issued an enhanced Code of Practice for Critical Information Infrastructure operators, tightening requirements for supply chain assurance, monitoring, and incident reporting.

Executive briefing: On Singapore’s Cyber Security Agency (CSA) released an enhanced Cybersecurity Code of Practice (CCoP) for Critical Information Infrastructure (CII) owners. The revised code raises baselines for operational technology (OT) protections, third-party risk management, vulnerability disclosure, and incident notification obligations under the Cybersecurity Act.

Headline updates

  • Supply chain governance. CII owners must assess suppliers against cybersecurity requirements, enforce contractual obligations, and monitor managed service providers handling critical systems.
  • Continuous monitoring. The CCoP requires centralised logging across IT and OT environments, with security operations centres tuned for anomaly detection and incident response.
  • Enhanced reporting. Operators must notify CSA of cybersecurity incidents within two hours of assessment and provide post-incident analysis, extending beyond the earlier 12-hour benchmark.

Implementation guidance

  • Conduct a gap assessment against the enhanced controls, emphasising OT network segmentation, remote access management, and privileged account governance.
  • Update supplier due diligence workflows to capture the new contractual clauses and maintain assurance artefacts for critical vendors.
  • Test incident response runbooks to validate two-hour notification, including escalation to CSA’s National Cyber Incident Response Team.

Strategic considerations

  • Board accountability. Senior management must approve cybersecurity strategies and ensure resources for continuous compliance, with penalties for lapses.
  • Regional alignment. Operators with regional footprints should harmonise Singapore’s requirements with Australia’s SLACIP obligations and U.S. TSA directives to streamline reporting.
  • Testing cadence. CSA expects regular red-teaming or scenario exercises—integrate the enhanced controls into annual resilience validation plans.

Zeph Tech is pairing Singapore CCoP control mappings with OT incident playbooks so operators can evidence compliance during CSA audits.

  • Singapore
  • Critical infrastructure
  • Operational technology
  • Supply chain risk
Back to curated briefings