Talk to a security advisor — a free 30-minute review
AlphaCISO®
Contact us
All servicesService

Cybersecurity Act & CII

Critical infrastructure, compliant.

Owning CII is a statutory obligation, not a label

Singapore's Cybersecurity Act 2018, administered by the Cyber Security Agency of Singapore (CSA), imposes duties on owners of Critical Information Infrastructure across 11 designated sectors — including energy, water, banking and finance, healthcare, transport, infocomm, government, media, and security and emergency services. If your systems are designated CII, the obligations are legal duties, not good-practice suggestions.

Those duties include registering the CII, reporting prescribed cybersecurity incidents to the Commissioner, conducting regular audits and risk assessments, and complying with the applicable Code of Practice (CCoP). The first question is often whether you are in scope at all — and that determination has real consequences.

How we work

  • Determine. We assess whether your systems meet the CII criteria for your sector before you over- or under-scope your obligations.
  • Map. We measure your controls against the applicable CCoP and surface the gaps.
  • Support. We prepare and support the mandatory audits and risk assessments the Act requires.
  • Ready. We build the incident-reporting readiness so a real event is handled within the prescribed timelines.

Scoped to the Act, not to fear

CII obligations are specific. We keep the work anchored to what the Act and your sector CCoP actually require — so you meet your statutory duties without gold-plating controls you were never obliged to run.