The CSA Cyber Essentials mark is the entry-level cybersecurity certification administered by the Cyber Security Agency of Singapore (CSA) under the SG Cyber Safe Programme. It is designed for smaller organisations and is the appropriate first certification for SMEs and early-stage vendors that have implemented basic cyber hygiene controls.
Cyber Essentials covers the fundamentals — asset inventory, secure configuration, access control, malware protection, patching, backups, basic incident response, and security training. It's intended as a stepping stone to the higher Cyber Trust certification for vendors whose operations rely heavily on digital systems.
Every vendor on this page has been matched against the CSA's public *Directory of Certified Organisations*. If a vendor's name doesn't appear on the CSA list, they don't appear here. For higher-tier certified vendors, see the companion page `/csa-cyber-trust-certified-cybersecurity-singapore`.
Source of truth: Cyber Security Agency of Singapore (CSA) — Directory of Certified Organisations.
When Cyber Essentials is the right signal — and when it isn't
Right signal: smaller vendors and emerging providers. A boutique penetration-testing shop, an early-stage MSSP, or a small managed security firm with Cyber Essentials has demonstrably implemented basic cyber hygiene — a meaningful baseline for an organisation of that size.
Not enough on its own for enterprise-serving vendors. If you're buying managed SOC services for a regulated bank, healthcare provider, or critical infrastructure operator, look for the higher Cyber Trust certification instead. Cyber Essentials is the floor, not the ceiling.
Treat it as 'they take their own security seriously', not 'they're good at securing you'. Both certifications (Cyber Essentials and Cyber Trust) attest to the vendor's own posture, not their ability to deliver. Combine the mark with real client references in your sector, technical depth in the specific service you're buying (SOC, IR, pentesting, GRC are different disciplines), and contractual SLAs.
Check the expiry date. Cyber Essentials certifications lapse after a defined period (typically 2–3 years) unless renewed. The date shown for each vendor below is sourced from the CSA directory at our most recent ingest — confirm currency with the vendor before signing.
Consider it a positive signal for SME-to-SME engagements. If you're an SME buying from another SME, Cyber Essentials on both sides creates a reasonable mutual-assurance baseline without the overhead of full Cyber Trust auditing.