“Law by Law”: Your Guide to Cybersecurity Compliance in Singapore

As Singapore continues to brand itself as a digital-first country, businesses will also have to adhere to a high cybersecurity standard to inspire confidence in all stakeholders. Ideally, companies should already be in compliance with one of the many cybersecurity standards, such as ISO 27001, PCI DSS, or the CIS Critical Security Controls, to ensure that they meet a generally accepted baseline level of cybersecurity.

However, if you’re operating in certain industries, you’ll also find that there are additional guidelines and regulations to comply with. While there may be some overlap with the international, industry-agnostic standards, companies in these industries should show that they are in compliance with the guidelines below.

Let’s take a look at which sectors are involved, and what guidelines they’ll have to follow:

Financial Services

The Monetary Authority of Singapore (MAS) has published the Guidelines on Technology Risk Management (MAS-TRM), outlining the risk management principles and best practices for businesses operating in the sector.

Some of these guidelines include:

  • Risk management and system classification
  • Logical and physical protection of customer data and financial systems
  • User access management control
  • IT operations and change control process monitoring
  • Security automation and orchestration-assisted investigation and response
  • Pre-defined reports to easily document evidence of compliance

In addition, MAS also publishes Notices of Cyber Hygiene. Compared to the MAS-TRM, these notices are mandatory. Some requirements include ensuring security patches are applied in a timely manner to address vulnerabilities, as well as securing access to administrative accounts.

READ MORE: Find out how LogRhythm helped 3 central banks in APAC achieve compliance with their own regulations by mapping collected logs to the required controls.

Healthcare

To ensure the integrity of personal and medical data, the Ministry of Health (MOH) developed the Healthcare Cybersecurity Essentials (HCSE). The HCSE sets out 12 recommendations to help healthcare providers improve the security of their systems and data, such as creating an IT asset inventory, deploying anti-malware protection, and auditing logs. In addition, if your work involves defending organisations in the sector, the MOH publishes advisories, circulars, and regulations that can keep you up to date on any relevant information.

For those developing software for medical devices or supplying such devices, you’ll also need to adopt a Total Product Life Cycle approach to manage and adapt to the rapid changes in the environment.

Telecommunications

The Infocomm Media Development Authority (IMDA) published the Telecommunications Cybersecurity Code of Practice to enhance cybersecurity preparedness for designated licensees. The Codes are currently imposed on major Internet Service Providers (“ISPs”) in Singapore for mandatory compliance, and were formulated using international standards and best practices, including ISO/IEC 27011 and the IETF Best Current Practices.

Government Agencies

Previously called IM8, the Instruction Manual for ICT&SS Management seeks to support agencies as they adopt ICT&SS to enable their digital transformation, helping them manage their risks and ensure that they remain secure. The manual covers a wide range of domains, such as Digital Service Standards (DSS), Third Party Management (TPM), and Data. While the policy for security isn’t publicly available, we know that it establishes tailored security hygiene practices for government systems, based on a system’s classification and criticality.

Government agencies keen to know how LogRhythm can help them achieve compliance with the IM8 Policy on Security can contact us for more information.

Other Regulatory Guidelines

While this guide focuses on industry-specific regulations, there are also a few general guidelines in Singapore that are industry-agnostic:

  • Cybersecurity Act: Gives companies involved in Critical Information Infrastructure (CII) clear guidelines on their obligations to protect the CII from cyberattacks.
  • PDPA: The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore.

Need help complying?

LogRhythm’s Consolidated Compliance Framework simplifies your compliance program by providing a core, shared module mapped to dozens of regulations, encompassing most common cybersecurity controls. Our team can also help you map collected log data to relevant controls required by any other compliance regulations. Schedule a demo with us now!