# CEM Guide for Vendors

### 🔍 What is the Cyber Essentials Mark (CEM)?

The Cyber Essentials Mark (CEM) is a cybersecurity certification developed by the **Cyber Security Agency of Singapore (CSA)** to recognise organisations that have implemented fundamental "cyber hygiene" practices to protect themselves and their customers from common cyber-attacks.

*As part of the Annual Review, ICM vendors will be required to attain the Cyber Essentials Mark moving forward. Please note that IMDA may suspend or terminate the appointment contract if the Pre-Approved Vendor fails to meet any of the Annual Review criteria.*

### 📋 Types of CEM Required

***

#### 🏭 **CEM for ICT Vendor**

**Required for:** Vendors with their own product, or with the ability to modify product source code to form their own product

**Examples:** Odoo, E-commerce platforms, product principals

***

#### 🛒 **Standard CEM**

**Required for:** Vendors that resell third-party products and do not modify source code of products, as well as vendors providing 100% professional services

**Examples:** Xero resellers, QuickBooks resellers, HRMS resellers, Digital Marketing services, HRSS Services

***

### 💰 Certification Details

| Detail                      | Information                                                                                                                                                                                               |
| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 💵 **Cost**                 | $500 to $2,000 (could be higher depending on organisation size, system complexity, and certification body pricing)                                                                                        |
| ⏰ **Validity**              | Two years, requires revalidation upon expiry                                                                                                                                                              |
| 🏢 **Certification Bodies** | Find CSA-appointed certification bodies [here](https://www.csa.gov.sg/our-programmes/support-for-enterprises/sg-cyber-safe-programme/cybersecurity-certification-for-organisations/how-to-get-certified/) |

***

### 📋 Which CEM Should You Get?

| 🏷️ **Certification Type** | 👥 **Who Should Get This**                                                                                                            | 📝 **Description**                                                                                             | 🔧 **Coverage**                                                                                        |
| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| **🛡️ CEM** | <p><strong>Non-Product Principals</strong></p><p>• Resellers</p><p>• Service providers</p><p>• Professional services</p> | Updated version of CEM covering comprehensive cybersecurity areas *(Must have Classical Cybersecurity scope)* | <p>• Classical Cybersecurity ✅</p><p>• Operational Technology (OT) Security</p><p>• AI Security</p> |
| **🏭 CEM for ICT Vendor** | <p><strong>Product Principals</strong></p><p>• Own product developers</p><p>• Source code modifiers</p><p>• Product creators</p> | Enhanced version of CEM with added requirements specifically for ICT Solution Vendors | <p>• All CEM coverage</p><p>• Additional ICT vendor requirements</p><p>• Enhanced security controls</p> |

***

### 📅 CEM Requirements by Appointment Contract Period

*For the **1st April 2026 and 1st July 2026** Annual Reviews, CEM is not required. For all other Annual Reviews, please refer to the table below:*

| 📋 **Appointment Contract Start Date**                             | 🎯 **CEM Requirement**                                                                                                                    |
| ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- |
| **1 May 2023 to 30 June 2024** *(and passed recent annual review)* | <p>CEM <strong>not mandatory</strong> for next Annual Review in 2026</p><p>CEM <strong>mandatory</strong> for Annual Review in 2027</p> |
| **1 July 2024 to 21 October 2025**                                 | <p>CEM <strong>not mandatory</strong> for first Annual Review</p><p>CEM <strong>mandatory</strong> for second Annual Review onwards</p>   |
| **After 22 October 2025**                                          | CEM **mandatory** for next Annual Review in 2026                                                                                          |

{% hint style="warning" %}
**Q: I have an active ISO 27001 certification that has not lapsed. Can I use it to fulfil the CEM requirements?**

**A:** Yes, an active ISO 27001 certification may be accepted to fulfil the CEM requirements. However, as we will need to verify that the certification scope is applicable, please reach out to us before submitting so that we can confirm its acceptance.

***

**Q: After verifying that my ISO 27001 certification is acceptable, how do I upload it during my Annual Review?**

**A:** As CEM is currently not mandatory, the file upload field for it is not visible in the system. In the meantime, please upload your certification under the "Additional Supporting Documents" section as a workaround. Do ensure that your certification is still valid at the point of submission.

***

**Q: What are the consequences of not submitting a CEM or equivalent certification during my Annual Review?**

**A:** Failure to submit a CEM or equivalent certification will be considered as not meeting the Annual Review requirements, which may result in your solution status being suspended or terminated. We encourage you to ensure all required documentation is in order prior to submitting your Annual Review. If you have any questions or require clarification, please do not hesitate to reach out to us.
{% endhint %}


