Skip to main content

CSA will never ask you to transfer money or disclose banking details. Stay vigilant.

If unsure, call the 24/7 ScamShield Helpline at 1799 to check. www.scamshield.gov.sg

Cyber Security Agency of Singapore
  1. Home
  2. Legislation
  3. Supplementary references

Supplementary references

This page contains supplementary references for owners of Critical Information Infrastructure (CII).

Last updated 20 January 2025

On this page

1. Security-by-design framework
2. Security-by-design framework checklist
3. Guide to conducting cybersecurity risk assessment for CII
4. Guidelines for auditing critical information infrastructure
5. Guide to cyber threat modelling

Supplementary references will be introduced periodically to help owners of Critical Information Infrastructure (CII) proactively secure and build resilience into their systems. These references serve as additional resources for CII owners when complying with Code of Practices issued by the Commissioner of Cybersecurity.

The list of supplementary references can be found below:

1. Security-by-design framework

The Security-by-Design Framework [PDF, 1.8 MB] was developed to guide CII owners through the process of incorporating security into their Systems Development Lifecycle process. Security-by-Design is an approach which addresses the cyber protection considerations throughout a system’s lifecycle and it is one of the key components of the Cybersecurity Code of Practice for Critical Information Infrastructure.

2. Security-by-design framework checklist

The Security-by-Design Framework Checklist [XLSX, 763 KB] is a step-by-step supplementary worksheet to the Security-by-Design Framework. It acts as a quick reference guide for cybersecurity practitioners to adopt the Security-by-Design Framework.

3. Guide to conducting cybersecurity risk assessment for CII

The Guide to Conducting Cybersecurity Risk Assessment for CII [PDF, 856 KB] was developed to provide guidance to CII Owners on how to perform a proper cybersecurity risk assessment. This guidance document also spells out the expectations that CII Owners are required to note when conducting their risk assessment under the Cybersecurity Act 2018.

For more information, you can refer to our FAQs on Cybersecurity Risk Assessment for CII.

4. Guidelines for auditing critical information infrastructure

The Guidelines for Auditing Critical Information Infrastructure [PDF, 764 KB] was developed to set out the expectations for cybersecurity audits and to provide guidance to appointed or approved auditors on key areas to take note of when conducting an audit of the CII under the Cybersecurity Act 2018.

For more information, you can refer to our FAQs on Cybersecurity Audit for CII.

5. Guide to cyber threat modelling

The Guide to Cyber Threat Modelling [PDF, 1.3 MB] was developed to supplement the Guide to Conducting Cybersecurity Risk Assessment for CII by providing a practical and systematic way for CII Owners to identify threats for cybersecurity risk assessment. This guide covers various approaches and methods of threat modelling for CII owners to identify relevant threat events.