# CEM Guide for Vendors

### 🔍 What is the Cyber Essentials Mark (CEM)?

The Cyber Essentials Mark (CEM) is a cybersecurity certification developed by the **Cyber Security Agency of Singapore (CSA)** to recognise organisations that have implemented fundamental "cyber hygiene" practices to protect themselves and their customers from common cyber-attacks.

*As part of the Annual Review, ICM vendors will be required to attain the Cyber Essentials Mark going forward. Please note that IMDA may suspend or terminate the appointment contract if the Pre-Approved Vendor fails to meet any of the Annual Review criteria.*

### 📋 Types of CEM Required

***

#### 🏭 **CEM for ICT Vendor**

**Required for:** Vendors with their own product, or with the ability to modify product source code to form their own product

**Examples:** Odoo, E-commerce platforms, product principals

***

#### 🛒 **Standard CEM**

**Required for:** Vendors that resell third-party products and do not modify the products' source code, as well as vendors providing 100% professional services

**Examples:** Xero resellers, QuickBooks resellers, HRMS resellers, Digital Marketing services, HRSS Services

***

### 💰 Certification Details

| Detail                      | Information                                                                                                                                                                                               |
| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 💵 **Cost**                 | $500 to $2,000 (could be higher depending on organisation size, system complexity, and certification body pricing)                                                                                        |
| ⏰ **Validity**              | Two years, requires revalidation upon expiry                                                                                                                                                              |
| 🏢 **Certification Bodies** | Find CSA-appointed certification bodies [here](https://www.csa.gov.sg/our-programmes/support-for-enterprises/sg-cyber-safe-programme/cybersecurity-certification-for-organisations/how-to-get-certified/) |

***

### 📋 Which CEM Should You Get?

| 🏷️ **Certification Type** | 👥 **Who Should Get This**                                                                                                            | 📝 **Description**                                                                                             | 🔧 **Coverage**                                                                                        |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| **🛡️ CEM**                | <p><strong>Non-Product Principals</strong></p><p>• Resellers</p><p>• Service providers</p><p>• Professional services</p> | Updated version of CEM covering comprehensive cybersecurity areas *(Must have Classical Cybersecurity scope)* | <p>• Classical Cybersecurity ✅</p><p>• Operational Technology (OT) Security</p><p>• AI Security</p> |
| **🏭 CEM for ICT Vendor**  | <p><strong>Product Principals</strong></p><p>• Own product developers</p><p>• Source code modifiers</p><p>• Product creators</p> | Enhanced version of CEM with added requirements specifically for ICT Solution Vendors | <p>• All CEM coverage</p><p>• Additional ICT vendor requirements</p><p>• Enhanced security controls</p> |

***

### 📅 CEM Requirements by Appointment Contract Period

*For the **1st April 2026 and 1st July 2026** Annual Reviews, CEM is not required. For all other Annual Reviews (AR), please refer to the table below:*

| 📋 **Appointment Contract Start Date**                             | 🎯 **CEM Requirement**                                                                                              |
| ------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------- |
| **1 May 2023 to 30 June 2024** *(and passed recent annual review)* | <p>CEM <strong>not mandatory</strong> for next AR in 2026, </p><p>CEM <strong>mandatory</strong> for AR in 2027</p> |
| **1 July 2024 to 21 October 2025**                                 | <p>CEM <strong>not mandatory</strong> for first AR </p><p>CEM <strong>mandatory</strong> for second AR onwards</p>  |
| **After 22 October 2025**                                          | CEM **mandatory** for next AR in 2026                                                                               |
