CEM Guide for Vendors

This page features information about the type of CEM that ICM vendors will need in order to pass their Annual Review.

🔍 What is the Cyber Essentials Mark (CEM)?

The Cyber Essentials Mark (CEM) is a cybersecurity certification developed by the Cyber Security Agency of Singapore (CSA) to recognise organisations that have implemented fundamental "cyber hygiene" practices to protect themselves and their customers from common cyber-attacks.

As part of the Annual Review, moving forward ICM vendors will be required to attain the Cyber Essentials Mark. Please note, IMDA may suspend or terminate the appointment contract if the Pre Approved Vendor fails to meet any of the Annual Review Criteria's.

📋 Types of CEM Required

🏭 CEM for ICT Vendor

Required for: Vendors with their own product or have ability to modify product source code to form your own product

Examples: Odoo, E-commerce platforms, product principals

🛒 Standard CEM

Required for: Vendors that resell third-party products and do not modify source code of products, as well as vendors providing 100% professional services

Examples: Xero resellers, QuickBooks resellers, HRMS resellers, Digital Marketing services, HRSS Services

💰 Certification Details

Detail

Information

💵 Cost

$500 to $2,000 (could be higher depending on organisation size, system complexity, and certification body pricing)

⏰ Validity

Two years, requires revalidation upon expiry

🏢 Certification Bodies

Find CSA-appointed certification bodies here

📋 Which CEM Should You Get?

🏷️ Certification Type

👥 Who Should Get This

📝 Description

🔧 Coverage

🛡️ CEM

Non-Product Principals

• Resellers

• Service providers • Professional services

Updated version of CEM covering comprehensive cybersecurity areas (Must have Classical Cybersecurity scope)

• Classical Cybersecurity ✅

• Operational Technology (OT) Security

• AI Security

🏭 CEM for ICT Vendor

Product Principals

• Own product developers

• Source code modifiers

• Product creators

Enhanced version of CEM with added requirements specifically for ICT Solution Vendors

• All CEM coverage • Additional ICT vendor requirements

• Enhanced security controls

📅 CEM Requirements by Appointment Contract Period

For 1st April 2026 and 1st July 2026 Annual Review, CEM is not required. For all other AR, please refer to the table below:

📋 Appointment Contract Start Date

🎯 CEM Requirement

1 May 2023 to 30 June 2024 (and passed recent annual review)

CEM not mandatory for next AR in 2026,

CEM mandatory for AR in 2027

1 July 2024 to 21 October 2025

CEM not mandatory for first AR

CEM mandatory for second AR onwards

After 22 October 2025

CEM mandatory for next AR in 2026

PreviousSME Success Stories NextVendor Guideline and Compliance

Last updated 19 days ago

hashtag🔍 What is the Cyber Essentials Mark (CEM)?

hashtag📋 Types of CEM Required

hashtag🏭 CEM for ICT Vendor

hashtag🛒 Standard CEM

hashtag💰 Certification Details

hashtag📋 Which CEM Should You Get?

hashtag📅 CEM Requirements by Appointment Contract Period