The CSA Cyber Trust mark is the higher of the two cybersecurity certifications administered by the Cyber Security Agency of Singapore (CSA) under the SG Cyber Safe Programme. It is designed for organisations whose business or operations rely heavily on digital systems and are exposed to elevated cyber risk — the kind of profile a typical buyer of managed cybersecurity services should expect of their vendor.
Certification is awarded across five tiers — Supporter, Practitioner, Promoter, Performer, and Advocate — based on cyber risk posture, governance maturity, and adoption of preventive and detective controls. Independent third-party auditors approved by CSA conduct the assessment, and the certification is valid for three years.
Every vendor on this page has been matched against the CSA's public *Directory of Certified Organisations*. We don't infer this status — if a vendor's name doesn't appear on the CSA list, they don't appear here. Tier and expiry date are shown where the CSA directory publishes them.
Source of truth: Cyber Security Agency of Singapore (CSA) — Directory of Certified Organisations.
Why CSA Cyber Trust matters for your vendor selection
It's a credible third-party signal. Unlike vendor self-claims, CSA Cyber Trust is awarded only after an independent audit by a CSA-approved certification body. The vendor has demonstrably implemented governance, identification, protection, detection, response, and recovery controls — not just bought the products.
It aligns with MAS, MOH, and IM8 expectations. Regulators and government agencies increasingly reference the Cyber Trust mark when shortlisting vendors. For MAS-regulated firms, a Cyber Trust certified provider reduces the third-party risk justification burden during TRM audits.
Tier matters more than the badge alone. Supporter is entry-level; Advocate is the highest. For a vendor *selling* managed cybersecurity services to mid-market and enterprise buyers, expect at least Practitioner or Promoter. A Supporter-tier vendor may be early in their certification journey.
Treat the certification as a *floor*, not a *differentiator*. Cyber Trust says the vendor has the governance and controls in place. It does not say they're good at your specific use case — managed SOC, penetration testing, incident response, GRC consulting are all different disciplines. Use Cyber Trust to filter shortlist candidates, then evaluate technical fit separately.
Check the expiry date. Certification lapses after three years unless renewed. The dates shown below are sourced from the CSA directory at the time of our most recent ingest — confirm currency with the vendor before signing.