Cybersecurity Code of Practice (CCoP) for Critical Information Infrastructure

The Cybersecurity Bill was passed on 5 February 2018 and received the President’s assent on 2 March 2018 to become the Cybersecurity Act. The Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore. With this, the Cyber Security Agency of Singapore (CSA) has published the Codes of Practice for the regulation of owners of Critical Information Infrastructure (CII).  

CII are computer systems directly involved in the provision of essential services/ sectors such as Energy, Water, Banking and Finance, Healthcare, Transport (which includes Land, Maritime, and Aviation), Infocomm, Media, Security and Emergency Services, and Government. With the rapid changes in technology and new regulatory requirements, the CII owners are required to ensure their cybersecurity resilience and proactively protect their CII from cyber-attacks.  

Therefore, CSA has introduced Cybersecurity Code of Practice (CCoP) Compliance Audit to help CII owners to meet the requirements and achieve compliance.  

Second Edition of the Cybersecurity Code of Practice (CCoP) 

The second edition of the Cybersecurity Code of Practice (CCoP) was issued by CSA and came into effect from 4 July 2022. The new edition seeks to level up new cybersecurity capabilities in CII sectors in view of the evolving cyber threat landscape with threat actors using sophisticated tactics, techniques and procedures to attack.  

The CCoP 2.0 addresses the key requirements for CII below:  

• Governance,  

• Identification, 

• Protection, 

• Detection, 

• Response and Recovery, 

• Cyber Resiliency, 

• Cybersecurity Training and Awareness, 

• Operational Technology (OT) Security.