Compare the marks · checked July 2026

Cyber Essentials, Cyber Trust or ISO 27001?

Three marks, three different questions. One proves baseline hygiene to a tender. One proves tiered maturity to a regulator. One proves your data discipline to a global customer. Most Singapore SMEs need one of them right now, not all three, so the useful question is not which is best, but which one your next deal is actually asking for.

Side by side, on every line that matters.

The same thirteen questions, answered for all three marks. Scroll the table sideways on a small screen; the row labels stay put.

Cyber Essentials, Cyber Trust and ISO 27001 compared across standard, oversight, validity, cost and government funding.
Attribute Cyber EssentialsCyber TrustISO 27001
Standard Cyber Essentials (2025) SS 712:2025 ISO/IEC 27001:2022
Overseen by CSA, Singapore CSA, Singapore ISO/IEC, via accredited bodies
What it proves Baseline cyber hygiene Tiered, risk-based maturity A running information-security system
Best for Most SMEs and first tenders Larger or more digitalised firms Exporters and MNC suppliers
How it is assessed Self-assessment, independently verified Independent tiered audit Independent certification audit
Validity 2 years 3 years 3 years
Ongoing audits None; renew at 2 years Annual surveillance Annual surveillance
Where it is recognised Singapore Singapore 180+ countries
Mandatory for anyone? No; tender-driven Yes, three regulated groups to end-2027 No; buyer-driven
Our readiness fee S$6,000 S$22,000 S$35,000
Readiness work 6 days About 20 days About 35 days
Government funding CISOaaS, up to 70% CISOaaS, up to 70% EDG, up to 50%
Typical timeline 2 to 4 weeks Set in your proposal 4 to 6 months

Standards, validity and oversight are per the issuing bodies (CSA; ISO/IEC). Fees and readiness days are our own published figures. We prepare you to audit-ready; certification is issued by the scheme’s independent body, and its audit fee is billed separately. Checked July 2026.

The three, in plain terms.

What each mark really is, in one sentence. Flip any of them to Say real.

Cyber Essentials

Start here · most SMEs

The Cyber Essentials Mark is a Government-recognised certification confirming baseline cybersecurity controls. Increasingly required for tenders and supplier due-diligence.

Read the full breakdown

Cyber Trust

The tier up · regulated and bigger

A higher-tier certification for organisations with more mature security needs, increasingly expected by large enterprise and Government buyers vetting key suppliers.

Read the full breakdown

ISO 27001

The passport · global customers

The international standard for information-security management. Certification shows global clients you manage data risk to a recognised benchmark.

Read the full breakdown

Not either / or

A staircase, not a fork.

You rarely need all three at once. Most SMEs start on the one step their tender, their regulator or their customer is pointing at, then climb only when a new door asks them to. And the homework compounds: the asset list, the policies and the evidence pack you build for one mark carry into the next, so you never start the following one from zero.

See the whole staircase

The money, counted out.

Each mark is two costs, never hidden: our readiness fee, and the certification body’s audit fee billed by them. The government funding route differs by mark.

  • Cyber Essentials: S$6,000, up to 70% co-funded. Six days of work. CSA’s CISOaaS co-funds eligible SMEs, and CSA offsets S$250 to S$650 of the first audit fee.
  • Cyber Trust: S$22,000, up to 70% co-funded. About twenty days for Tier 2 to 3. Same CISOaaS route, with S$1,375 to S$2,250 offset on the first audit fee.
  • ISO 27001: S$35,000, up to 50% via EDG. About thirty-five days over four to six months. You must apply to Enterprise Singapore before work starts.
Work out your number

Whichever you pick, we take you to audit-ready.

Our work ends at audit-ready: every control evidenced, every document in place, a dry run done. The certificate itself is issued by the scheme’s independent body, never by us. That line holds for all three marks, and it is written into the engagement letter, not just this page.

AUDIT-READY

Plain answers

Which mark do I actually need first?

Most Singapore SMEs start with Cyber Essentials, because that is the baseline mark tenders and supplier forms ask for. Choose Cyber Trust if you are larger, more digitalised, or a regulator names a tier for you. Choose ISO 27001 if an overseas or MNC customer names the standard directly. If you are unsure, the ten-minute mock audit on this site routes you to the right one before you spend anything.

Is Cyber Trust just a bigger Cyber Essentials?

No. Cyber Essentials is a baseline hygiene mark you self-assess and have independently verified. Cyber Trust is a separate, risk-based standard (SS 712:2025) with five tiers spanning 10 to 22 domains, assessed by a full audit. They are different marks, but the homework overlaps: the asset lists, policies and evidence you build for Cyber Essentials carry forward into a Cyber Trust submission.

ISO 27001 or Cyber Trust: which do we need?

ISO 27001 is the international standard, recognised in 180+ countries, and it is the one MNC procurement teams and export customers name directly. Cyber Trust is CSA’s national, tiered mark for Singapore. Many mid-market firms end up holding both, because they answer different questions: one for global procurement, one for local regulatory and tender requirements.

Do we need all three?

Rarely, and almost never at once. Most SMEs need exactly one of them at any given time, decided by whichever tender, regulator or customer is in front of them. You climb to the next mark only when a new door asks for it, and because the evidence compounds, the next one is faster than the first.

Does one mark replace another?

No. Holding ISO 27001 does not remove a Singapore tender’s request for a CSA mark, and holding Cyber Essentials does not satisfy an MNC that has asked for ISO 27001 by name. They prove different things to different buyers, so the right answer is the mark your specific requirement names, not the most impressive one.

What does each cost in total?

Two costs each: our readiness fee, and the certification body’s audit fee billed by them. Readiness is S$6,000 for Cyber Essentials, S$22,000 for Cyber Trust and S$35,000 for ISO 27001. Cyber Essentials and Cyber Trust are co-funded up to 70% for eligible SMEs through CSA’s CISOaaS programme; ISO 27001 draws on the Enterprise Development Grant, up to 50%, if you apply before work starts. The grant calculator works out your likely share.

If we start with one, does the work carry over?

Yes, and that is the point of doing them in order. The asset register, the access controls, the written policies and the evidence pack you assemble for Cyber Essentials or Cyber Trust are the same raw material an ISO 27001 information-security system is built from. We build on what exists rather than starting the next mark from a blank page.

Still not sure which mark?

Thirty minutes with a consultant, not a salesperson. We read your tender or your customer’s form and tell you which mark answers it, and which you can safely leave for later.