Be aware of scammers impersonating as IMDA officers and report any suspicious calls to the police. Please note that IMDA officers will never call you nor request for your personal information. For scam-related advice, please call the Anti-Scam helpline at 1800-722-6688 or go to


In response to the paradigm shift in computing that enables businesses and end-users to access Infocomm services through cloud computing, IMDA has, since 2007, been increasingly focusing on fostering cloud service providers and enhancing Singapore's overall competitiveness through the adoption of cloud services in line with IMDA regulations. Their efforts have led to enhancing the vibrancy and growth of the Infocomm sector through the development of a cloud ecosystem. With the recent launch of IMDA Services 4.0 in Nov 2018, cloud has become naturally the de facto platform that catalyses and supports the delivery of seamless digital Services enabled by emerging technologies.

Cloud security has always been the key impediment to the adoption of cloud services since its inception. Much concerted effort was put in to secure its delivery and build trust through transparency as the cloud grows in importance, adhering to cloud security policies. Several standards related to cloud computing security were developed. A technical reference (TR30) for Virtualisation Security for Servers was introduced in 2012 followed closely by the launch of the world’s first cloud security standard that covers multiple tiers of cloud security (MTCS SS 584) in Oct 2013. An accredited cloud security certification scheme was subsequently introduced in 2014. It is now the de facto standards for the cloud industry in Singapore. The TR30 was later contributed to international standard body (ISO/IEC JTC1) and enhanced as an international standard (ISO/IEC 21878:2018).

Available standards

SS584 : 2020 Specification for multi-tiered cloud computing security

The Singapore Standard, commonly known as MTCS, is the world’s first cloud security standard that covers multiple tiers of cloud security developed under the Information Technology Standards Committee (ITSC) for Cloud Service Providers (CSPs) in Singapore. The MTCS standard specifies 3 different tiers of cloud security certification qualified with types of services (e.g. Infrastructure-as-a-Service). 

  • Multi-Tier Cloud Security (MTCS) Certification Scheme 
    In conjunction with the MTCS standard, the MTCS Certification Scheme has been established to a) encourage adoption of sound risk management and security practices by CSPs through MTCS certification; and b) promote the adoption of MTCS standard. CSPs can participate through the certification scheme provided. Find out more information on this MTCS scheme and the certification process.

TR 62 : 2018 Guidelines for cloud outage incident response (COIR)

This Technical Reference continues Singapore’s strong commitment to Business Continuity Management and Disaster Recovery (DR) Plans by bringing clarity on how to respond to outages in the cloud. This will strengthen transparency, trust and resilience of cloud service providers (CSPs) in a Smart Nation.

  • Objective
    The main objective is to reduce damages and losses caused by cloud outages by providing a COIR framework for Cloud Service Customers (CSCs) to choose the appropriate outage protection measures to complement their own business continuity/IT DR capabilities through:
  • a set of common parameters and guidelines for CSCs for identification, evaluation, and negotiation of protection needs with CSPs to incorporate into the SLAs;
  • sharing of COIR practices by CSPs via the same set of common parameters to facilitate comparison and matching of outage protection needs with provisions.
  • Scope
    The guidelines focus on cloud outage directly associated with operational mistakes, infrastructure or system failure and environmental issues (e.g. flooding, fire) but exclude cyber security, and malicious act. The guidelines are industry agnostic and primarily meant to serve the needs of all types cloud users. It is applicable to all types of cloud service models as well as cloud deployment models.
  • Adoption and Self-Disclosure
    Adoption of the COIR guidelines is entirely voluntary. However, CSPs are encouraged to share their service support capabilities with respect to cloud outage using the COIR self-disclosure form (18.96KB) and email the first two pages (disclosed COIR practices information) of the duly completed, stamped and signed e-form to for listing here.

SS ISO/IEC 21878:2019 Security Guidelines for Design and Implementation of Virtualised Servers

The intended goal of this standard is to facilitate informed decisions with respect to architecting virtualised server’s configurations from the security perspective. Such design and implementation guidance is expected to assure the appropriate protection for all virtual machines (VMs) and the application workloads running in them in the entire virtualised infrastructure of the organisation. This standard is an identical adoption of ISO/IEC 21878:2018.

Where to buy

The cloud standards are available for purchase from the Singapore Standards eShop.

Related links

Explore related tags