The decoder · terms checked July 2026

The jargon of this industry, named and dissolved.

Every acronym on this page gets said out loud, then the consequence gets said in the same breath. No term here costs you a search.

All terms, A to Z

Audit-ready

not an official term, a working one

Every control evidenced, every document in place, a dry run completed. It is the highest claim we make about our own work.

It is not a pass and not a certificate. An independent certification body decides that. Audit-ready means you walk into the real assessment having already sat a mock one.

(say real: We prep you until you're steady enough to walk in and sit the real thing. But 'pass' or 'certified', that word only the official body can say one.)

Certification body

the organisation that actually certifies you

An independent, accredited assessor appointed under the relevant scheme, separate from whoever prepared you for the assessment.

That separation is a rule, not a courtesy. A readiness consultant cannot also certify you. It is why we say "audit-ready", never "certified": only the certification body gets to say that word.

(say real: The independent party that actually stamps you. Not us. We coach, they mark; cannot be the same people, that's the rule.)

CISOaaS

CISO-as-a-Service

A CSA co-funding scheme: Cyber health checkup, health plan, gap closure, certification prep, VAPT, delivered by a CSA-onboarded consultant.

Up to 70% co-funding for eligible SMEs using a CSA-onboarded consultant. It is the mechanism, not the mark; Cyber Essentials or Cyber Trust is what you actually end up holding. We are applying for CSA onboarding; co-funding applies once appointed. Checked July 2026.

(say real: This is the grant, not the mark. Government co-pays a big chunk of the readiness work; the mark itself you collect at the end.)

CS/DS Essentials

Cybersecurity and Data Security Essentials

MOH’s Cybersecurity and Data Security (CS/DS) Essentials: required practices across cybersecurity, data security and common practices, set by Ministry of Health (MOH) under the Health Information Act.

If you run a clinic or another HIA-covered entity, this is your syllabus, not Cyber Essentials. Confirmed incidents: initial report to MOH within 2 hours, detailed report within 14 days.

(say real: Run a clinic? Then this is your syllabus, not the normal Cyber Essentials. Different paper, same idea.)

Cyber Essentials mark

the CSA baseline cybersecurity certification

Issued by Cyber Security Agency of Singapore (CSA) against Cyber Essentials (2025), SS 712 family. SMEs and non-profits; the baseline mark tenders and supply chains ask for.

Valid for 2 years. For an SME, it is usually the first mark to get, and the one most tenders name by name. CSA funding support of S$250 to S$650 towards the certification audit fee (scales with endpoints; first certification; through 6 Feb 2028).

(say real: The starter mark. Most tenders name this one first. Settle this, the rest come easier.)

Cyber Trust mark

the CSA tiered cybersecurity certification

Issued by CSA against SS 712:2025 (Cyber Trust 2025; the 2022 version retired 6 Feb 2026). Larger or more digitalised organisations; five tiers, 10 to 22 domains.

Valid for 3 years, with annual audits across the three-year cycle. It becomes mandatory on a schedule for some organisations. Licensed cybersecurity service providers: Tier 3 ("Promoter") by 31 Dec 2026. If that is you, the deadline is the reason to start now, not the reason to panic.

(say real: The atas tier. Big MNC and government want this before the large contracts. Level up when you're ready, tier by tier.)

DPE

Data Protection Essentials

A baseline data-protection and cyber-hygiene programme for SMEs; a stepping stone to the Data Protection Trustmark, run by IMDA and PDPC.

No fixed government co-funding percentage is published for DPE; pricing is set by the provider. For an SME already doing Cyber Essentials, DPE shares most of its evidence, so the second scheme costs days, not weeks.

(say real: CE covers your systems, DPE covers your customers' data. Did CE already? Then DPE is fast, most of the evidence is the same one.)

DPO

Data Protection Officer

The named person PDPA requires every organisation to appoint, responsible for data-protection compliance and the contact point for the public and the regulator.

It can be a staff member wearing a second hat, not necessarily a new hire. Most SMEs already have someone; they just have not been told it in writing yet.

(say real: The person in charge of data. Usually you already have someone; just never put in black and white yet. Not always a new hire.)

DPTM

Data Protection Trustmark

Issued by IMDA (with PDPC) against SS 714:2025. Valid for 3 years.

Typically 3 to 5.5 months end to end. It costs S$535 IMDA application fee plus assessment-body fees (roughly S$3,000 to S$12,000 by size). It is the data-protection mark tenders ask for once "we have a DPO" is no longer enough of an answer.

(say real: The data-protection trustmark. When 'we have a DPO' is no longer enough for the tender, this is what they want to see.)

EDG

Enterprise Development Grant

Enterprise Development Grant (EDG): 50% of qualifying costs for First-time standards adoption (ISO 27001, DPTM and similar) for eligible SMEs.

EDG is being merged into the EDGE scheme in 2H 2026; current rules apply until launch. You apply before the work starts, not after; that ordering catches more SMEs than the paperwork itself does. Checked July 2026.

(say real: Grant that helps pay for the work. The catch: apply before you start, not after. Plenty of SMEs kena caught here.)

Evidence pack

not an official term, a working one

The single folder of policies, screenshots, logs and sign-offs that proves every control in the standard is actually in place, not just written down.

It is what the certification body actually reads. Most of the six days of readiness work is building this one folder in a shape they recognise.

(say real: The one folder that proves every control is actually done, not just written down. Most of the six days is building this properly.)

HIA

Health Information Act

Passed in Parliament 12 Jan 2026; obligations phase in by batch, set by Ministry of Health (MOH).

Batch 1: September 2027; Batch 2: September 2028 (includes OMS clinics with GP and specialist services); Batch 3: March 2030. If you run a clinic, your batch is the date that matters, not the passing date.

(say real: The new law for clinics. Your batch date is the one to watch, not the passing date. Better don't drag.)

ISMS

Information Security Management System

The system of policies, roles and reviews that runs your information security on an ongoing basis, not the security controls themselves.

ISO 27001 certifies the ISMS, not a single audit moment. That is why the standard asks for annual surveillance audits: the system has to keep running after the certificate is issued.

(say real: Not the locks, the system that keeps checking the locks stay locked. ISO 27001 stamps the system, so it must keep running after you pass.)

ISO 27001

ISO/IEC 27001:2022

The international information-security management standard, recognised in 180+ countries. Valid for 3 years with annual surveillance audits.

EDG supports up to 50% of qualifying costs for first-time adoption (apply before starting work). It is the standard MNC customers and overseas tenders usually mean when they say "certified".

(say real: The big international cert. When an MNC or overseas tender says 'certified', usually this is the one they mean.)

ISO 42001

ISO/IEC 42001

The first international AI management system standard; Singapore accreditation is in an SAC pilot.

Early adoption phase in Singapore as at Jul 2026. If you sell AI features to enterprise buyers, this is the standard their procurement team will start naming next, before most competitors have an answer ready.

(say real: The AI governance standard. Selling AI to enterprise buyers? Their procurement will start asking for this before your competitor has an answer.)

MFA

Multi-Factor Authentication

Proving who you are with more than one thing: a password plus a code, an app, or a key, not a password alone.

It is a named control in almost every scheme on this page.

(say real: the OTP thing: five minutes, blocks almost every attack.)

PDPA

Personal Data Protection Act

Singapore's core data-protection law: what personal data you may collect, how you must protect it, and what happens when you do not.

Every business that holds customer or staff data is in scope, not just tech companies.

(say real: leak data, fine can hit one million.)

PSG

Productivity Solutions Grant

Productivity Solutions Grant (PSG): 50% co-funding, capped at S$30,000.

Pre-approved cybersecurity tools (not consultancy). It funds the software, not the consultancy that gets you certified; the two grants are meant to be used side by side, not instead of each other. Checked July 2026.

(say real: This grant pays for the software, not the consultant. Use it together with the other grants, not instead of.)

SFEC

SkillsFuture Enterprise Credit

SkillsFuture Enterprise Credit (SFEC), applied to Staff cyber-training top-ups (S$10,000 credit, up to 90% of out-of-pocket costs).

The current credit runs to 30 November 2026, and the redesigned scheme under the enterprise workforce transformation package has not been published yet. It pays for training your own staff to hold the line after we leave, which is worth doing even if certification is not the immediate goal. Checked July 2026.

(say real: Credit to train your own staff to hold the line after we leave. Worth using even if the cert isn't urgent yet. Runs to 30 Nov 2026.)

VAPT

Vulnerability Assessment and Penetration Testing

A scan for known weaknesses (the vulnerability assessment) followed by a controlled attempt to exploit them (the penetration test), run by a qualified tester.

Some schemes and some tenders ask for a VAPT report by name. It is a point-in-time test, not a subscription; treat the report date the way you would treat any other expiry.

(say real: A tester scans for holes, then tries to break in on purpose, with your say-so. Some tenders ask for this report by name; it has a date, so treat it like an expiry.)

vCISO

virtual Chief Information Security Officer

A named, senior security lead who works with you on a retainer, rather than sitting on your payroll full time.

It answers "who owns this after the certificate" for an SME that cannot yet justify a full-time hire. The retainer is a fixed annual sentence, not a project quote.

(say real: Answers 'who looks after this after the cert'. A senior security lead on retainer, so no need to hire full-time yet. Fixed yearly price.)

Met a term we haven't decoded?

Send it over: the acronym, or just the paragraph it came from. A consultant translates it, free, usually the same day.