Search for:
Cybersecurity, Data and Tech

Singapore: New advisory guidelines to bolster resilience and security of cloud services and data centers

By , , , and 5 Mins Read

In brief

The Infocomm Media Development Authority (IMDA) has released a new set of advisory guidelines (“Advisory Guidelines”) aimed at enhancing the resilience and security of cloud services and data centers in Singapore. These Advisory Guidelines are part of Singapore’s broader digital infrastructure strategy and reflect growing emphasis on the systemic importance of digital services and infrastructure to both the economy and daily life.

Voluntary best practices

While not mandatory, the Advisory Guidelines on Resilience and Security of Data Centres (DCOAG) and Advisory Guidelines on Resilience and Security of Cloud Services (CSPAG) are strongly encouraged for adoption by data center operators (DCO) and cloud service providers (CSP) respectively.

The Advisory Guidelines recommend concrete measures to prevent, mitigate and recover from disruptions such as cyberattacks, hardware failures, fires and misconfigurations. These are aligned with global standards (e.g., ISO 22301 and ISO 27001) and draw on lessons from past incidents and industry consultations.

Cloud services

The CSPAG seek to strengthen the following key domains:

  • Cloud governance, such as sound information security, data governance and risk management
  • Infrastructure security, such as secure configurations, monitoring, encryption, and regular security testing
  • Operations management, such as robust change and incident management practices
  • Service administration, which includes control of privileged account access
  • Customer access, which addresses user authentication and access controls
  • Tenancy isolation, which ensures effective segregation between customers in shared environments
  • Cloud resilience, which includes physical and environmental protections, disaster recovery, and business continuity planning

To these ends, the CSPAG set out detailed recommendations that CSPs are encouraged to adopt to strengthen their resilience and security postures, some of which are summarized below:

  • Strengthen governance and accountability structures. CSPs should embed information security into their broader governance framework, with defined responsibilities, formalized policies and oversight mechanisms.
  • Implement rigorous human resource and third-party controls. Before and during engagement, CSPs are expected to vet personnel and contractors, ensure appropriate training, and enforce disciplinary measures for breaches.
  • Adopt comprehensive risk management processes. CSPs should maintain a cloud-specific risk framework that addresses identification, assessment and mitigation.
  • Secure infrastructure through technical controls and monitoring. Detailed measures are recommended to manage configurations, logging, system development and vulnerability testing.
  • Manage change and operations with discipline. Changes to cloud infrastructure should follow a formal process, including impact assessments, rollback plans, and separation of development and production environments.
  • Control privileged access and user management. CSPs should manage both administrative and user access through layered security, such as password policies, session management, least privilege access and strong authentication methods.
  • Ensure strong customer and tenant isolation. Multitenant environments should be architected to prevent unauthorized access between customers.
  • Prepare for disruptions with robust continuity plans. CSPs are advised to establish and test their business continuity and disaster recovery plans, including simulations of failover scenarios.
  • Appoint a senior-level officer to lead implementation.

Data centers

The DCOAG identifies key risk categories that DCOs need to address:

  • Infrastructure risk: This relates to physical and engineering issues in the design or setup of the data center that could lead to service disruptions, for example, power issues, cooling failures, cable damage, fire and intrusion risks, and water ingress.
  • Governance risk: This relates to operational oversight gaps, including monitoring lapses, slow incident responses and uncontrolled change management.
  • Cybersecurity risk: This encompasses threats to digital systems and network infrastructure, such as malware or ransomware attacks, supply chain vulnerabilities, and exploitation of outdated systems.

To address these risks, the DCOAG encourages DCOs to implement a business continuity management system (BCMS) built around a four-stage cycle: Plan, Do, Check, Act:

  • Plan: define continuity objectives and ensure top-level support.
  • Do: conduct impact and risk assessments, prepare recovery strategies and test readiness.
  • Check: monitor BCMS performance and conduct regular audits.
  • Act: update systems based on reviews, feedback and evolving threats.

Beyond the BCMS implementation, the DCOAG set out several additional technical and governance measures that DCOs are encouraged to adopt to bolster cyber resilience, including the following:

  • Maintaining a certified information security framework
  • Ensuring strong oversight of third-party providers
  • Enforcing personnel checks and training
  • Implementing secure system configurations
  • Conducting vulnerability testing and penetration assessments
  • Implementing end-to-end encryption and lifecycle key management
  • Implementing role-based access control
  • Implementing network segmentation and intrusion and intrusion detection

To anchor accountability and ensure organization-wide alignment, DCOs are encouraged to appoint a senior officer responsible for driving implementation of resilience and security measures.

Consultation

The Advisory Guidelines were shaped through consultation with major CSPs, DCOs and end-user enterprises across the banking, healthcare and tech sectors. Industry players have expressed strong support, citing the Advisory Guidelines as a critical step toward maintaining Singapore’s leadership in digital reliability and innovation.

Key takeaways

These Advisory Guidelines complement other regulatory efforts, including the Cybersecurity Act amendments in 2024 that expanded coverage to digital infrastructure. The Advisory Guidelines may also serve as a precursor to future legislation, perhaps in the forthcoming Digital Infrastructure Act, which will formally regulate systemically important digital infrastructure such as major CSPs and DCOs to address emerging threats in a rapidly digitalizing economy. Organizations that rely on cloud and data center services, particularly those in regulated or customer-facing sectors, should review their service providers’ alignment with the Advisory Guidelines. Service providers should consider adopting the Advisory Guidelines not only to mitigate risk but also to strengthen their operational reputation and market position. Please contact our team for further information.

* * * * *

LOGO_Wong&Leow_Singapore

© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “principal” means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Categories:
Tags:
Author

Andy Leck is the head of the Intellectual Property and Technology (IPTech) Practice Group and a member of the Dispute Resolution Practice Group in Singapore. He is a core member of Baker McKenzie's regional IP practice and also leads the Myanmar IP Practice Group. Andy is recognised by reputable global industry and legal publications as a leader in his field. He was named on "The A-List: Singapore's Top 100 lawyers" by Asia Business Law Journal 2018. In addition, Chambers Asia Pacific notes that Andy is "a well-known IP practitioner who is highlighted for his record of handling major trade mark litigation, as well as commercial exploitation of IP rights in the media and technology sectors. He's been in the industry for a long time and has always been held in high regard. He is known to be very fair and is someone you would like to be in the trenches with you during negotiations." Furthermore, Asian Legal Business acknowledges Andy as a leading practitioner in his field and notes that he “always gives good, quick advice, [is] client-focused and has strong technical knowledge for his areas of practice.” Andy was appointed by the Intellectual Property Office of Singapore (IPOS) as an IP Adjudicator to hear disputes at IPOS for a two-year term from April 2021. He has been an appointed member of the Singapore Copyright Tribunal since May 2010 and a mediator with the WIPO Arbitration and Mediation Center. He is also appointed as a Notary Public & Commissioner for Oaths in Singapore. He previously served on the International Trademark Association’s Board of Directors and was a member of the executive committee.

Author

Ren Jun Lim is a principal with Baker McKenzie Wong & Leow. He represents local and international clients in both contentious and non-contentious intellectual property matters. He also advises on a full range of healthcare, as well as consumer goods-related legal and regulatory issues. Ren Jun co-leads Baker McKenzie Wong & Leow's Healthcare as well as Consumer Goods & Retail industry groups. He sits on the Law Society of Singapore IP Committee and on the Executive Committee of the Association of Information Security Professionals. He is also a member of the Vaccines Working Group, Singapore Association of Pharmaceutical Industries, a member of the International Trademark Association, as well as a member of the Regulatory Affairs Professionals Association. Ren Jun is ranked in the Silver tier for Individuals: Enforcement and Litigation and Individuals: Prosecution and Strategy, and a recommended lawyer for Individuals: Transactions by WTR 1000, 2020. He is also listed in Asia IP's Best 50 IP Expert, 2020, recognised as a Rising Star by Managing IP: IP Stars, 2019 and one of Singapore's 70 most influential lawyers aged 40 and under by Singapore Business Review, 2016. Ren Jun was acknowledged by WTR 1000 as a "trademark connoisseur who boasts supplementary knowledge of regulatory issues in the consumer products industry." He was also commended by clients for being "very responsive to enquiries and with a keen eye for detail, he is extremely hands-on. His meticulous and in-depth approach to strategising is key to the excellent outcomes we enjoy."

Author

Ken Chia is a member of the Firm’s IP Tech, International Commercial & Trade and Competition Practice Groups. He is regularly ranked as a leading TMT and competition lawyer by top legal directories, including Chambers Asia Pacific and Legal 500 Asia Pacific. Ken is an IAPP Certified International Privacy Professional (FIP, CIPP(A), CIPT, CIPM) and a fellow of the Chartered Institute of Arbitrators and the Singapore Institute of Arbitrators.

Author

Sanil is a local principal in the Intellectual Property & Technology Practice Group in Baker McKenzie Wong & Leow. Sanil is qualified in both Singapore and Australia, and is a Certified Information Privacy Professional (CIPP/A) by the International Association of Privacy Professionals. Sanil is recognized as a Rising Star by both Legal 500 Asia Pacific in the Intellectual Property: Local Firms category as well as by IP Stars for his advisory work in the IP space. Sanil is also recommended by World Trademark Review 1000 for IP enforcement, litigation, prosecution and strategy.

Author

Daryl Seetoh is a local principal in the Intellectual Property & Technology (IPTech) practice group at Baker McKenzie Wong & Leow. He is a qualified lawyer in Singapore, and is a member of the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional for Asia (CIPP/Asia), an IAPP Certified Information Privacy Manager (CIPM) and a Certified Information Privacy Professional for Europe (CIPP/E). Daryl has previously worked at Baker McKenzie’s San Francisco office and has also been seconded to financial institution and technology multinational clients.

Related Posts