General

ISO 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). It provides a systematic framework for managing sensitive company and customer information through risk assessment, security controls, and continuous improvement.

Organisations in Singapore benefit from ISO 27001 certification because it:

  • Demonstrates a commitment to information security best practices to clients and partners
  • Helps meet regulatory and contractual requirements, particularly in government and financial sectors
  • Reduces the risk of data breaches through a structured approach to security management
  • Builds trust with stakeholders by providing independent verification of your security controls

Many government tenders and enterprise contracts in Singapore now require ISO 27001 certification as a baseline. FE Technology provides end-to-end consulting services to help organisations achieve and maintain ISO 27001 certification.

The Cyber Trust Mark is a cybersecurity certification developed by the Cyber Security Agency of Singapore (CSA) for organisations that operate digital infrastructure or handle sensitive data. It is designed for larger or more digitally mature organisations and assesses cybersecurity preparedness across multiple domains including governance, protection, detection, and response.

Unlike Cyber Essentials, which focuses on baseline cyber hygiene, the Cyber Trust Mark evaluates an organisation's ability to manage cyber risks at a more advanced level. It covers areas such as:

  • Cyber governance and oversight
  • Cyber risk management
  • Cyber defence and monitoring
  • Cyber incident response and recovery
  • Cyber education and awareness

Achieving the Cyber Trust Mark signals to customers, partners, and regulators that your organisation meets a high standard of cybersecurity. FE Technology helps organisations assess their readiness and prepare for Cyber Trust Mark certification through our security audit and consulting services.

FE Technology serves organisations across a wide range of industries in Singapore. Our key sectors include:

  • Financial services — banks, insurers, fintech companies
  • Government and public sector — statutory boards, ministries, public agencies
  • Healthcare — hospitals, clinics, health-tech providers
  • Technology — SaaS providers, cloud platforms, software companies
  • Retail and e-commerce — online retailers, omnichannel businesses
  • Education — schools, universities, e-learning platforms
  • Manufacturing and critical infrastructure — OT/ICS environments, utilities
  • Professional services — law firms, accounting practices, consulting firms

Each industry faces unique cybersecurity challenges and regulatory requirements. Visit our Industries page for more details on how we support each sector.

Services

A vulnerability assessment (VA) is a systematic process of identifying known security weaknesses in your systems, applications, and networks using automated scanning tools combined with manual analysis. It produces a comprehensive list of vulnerabilities ranked by severity, giving you a broad view of your security posture.

Penetration testing (PT) goes a step further by actively attempting to exploit identified vulnerabilities to determine their real-world impact. Penetration testers simulate the tactics and techniques of real attackers to assess how far an adversary could go if they exploited a weakness.

Together, they form VAPT (Vulnerability Assessment and Penetration Testing), which provides both breadth of coverage (VA) and depth of analysis (PT). This combined approach gives organisations a thorough understanding of their security risks and actionable remediation guidance.

Learn more about our VAPT services.

A typical VAPT engagement with FE Technology follows a structured methodology:

  1. Scoping and planning — We define the targets, testing approach (black-box, grey-box, or white-box), rules of engagement, and timeline.
  2. Vulnerability assessment — Automated scanning tools and manual techniques are used to identify known vulnerabilities across your systems.
  3. Penetration testing — Our security consultants manually attempt to exploit identified vulnerabilities to assess their real-world impact.
  4. Reporting — We compile a detailed report with all findings categorised by severity (Critical, High, Medium, Low), along with evidence, risk ratings, and specific remediation recommendations.
  5. Debrief — We conduct a walk-through session with your team to explain findings and answer questions.
  6. Re-test — An optional re-test can be arranged to verify that remediation has been effective.

Visit our VAPT service page for more details.

SSAT stands for System Security Acceptance Test. It is a security testing process conducted before a new or significantly modified IT system is deployed into production. The purpose of SSAT is to verify that the system meets all defined security requirements and complies with the organisation's security policies.

In Singapore, SSAT is particularly important for:

  • Government agencies deploying new systems
  • Organisations operating Critical Information Infrastructure (CII) under the Cybersecurity Act
  • Any organisation subject to CCOP or Security by Design requirements

SSAT typically includes security configuration reviews, vulnerability assessment, penetration testing, and verification of security controls against the defined security requirements.

Learn more about our SSAT services.

Yes, FE Technology provides cybersecurity services tailored for small and medium enterprises (SMEs) in Singapore. We understand that SMEs often have limited budgets and in-house security resources, which is why we offer scalable solutions that address the most critical security needs without unnecessary complexity.

Our SME-focused services include:

  • Cyber Essentials readiness assessments
  • Targeted VAPT engagements for web applications and key infrastructure
  • Security policy development
  • Cybersecurity awareness training programmes

We can also help SMEs apply for government grants and subsidies that support cybersecurity improvements. Contact us to discuss how we can help your business.

Compliance

The timeline for achieving ISO 27001 certification depends on the size and complexity of your organisation, your current security maturity, and the scope of the ISMS. For a small to medium enterprise in Singapore, the process typically takes between 3 and 9 months.

A typical timeline includes:

  • Gap analysis — 2 to 4 weeks
  • Risk assessment and treatment planning — 2 to 4 weeks
  • Policy and procedure development — 4 to 8 weeks
  • Implementation and staff training — 4 to 8 weeks
  • Internal audit and management review — 2 to 4 weeks
  • External certification audit — 1 to 2 weeks

Organisations with existing security controls and documentation in place can often achieve certification more quickly. FE Technology guides clients through every stage of this process. Get in touch for a tailored timeline estimate.

CCOP stands for the Code of Practice for Critical Information Infrastructure Owners. It is a set of cybersecurity requirements issued under Singapore's Cybersecurity Act that applies to owners of Critical Information Infrastructure (CII) across designated sectors.

Designated CII sectors in Singapore include:

  • Energy
  • Water
  • Banking and finance
  • Healthcare
  • Transport (land, maritime, aviation)
  • Government
  • Infocomm
  • Media
  • Security and emergency services

CCOP mandates specific cybersecurity measures including governance and oversight, threat and vulnerability management, incident response, security auditing, and SSAT for new systems. Organisations designated as CII owners must comply and may face penalties for non-compliance.

Even organisations not formally designated as CII owners can benefit from adopting CCOP principles as a robust cybersecurity baseline. Learn how FE Technology can help with SSAT and security audit services aligned with CCOP.

The recommended frequency of security audits depends on your industry, regulatory requirements, and risk profile. As a general guideline, organisations should conduct a comprehensive security audit at least once a year.

However, more frequent audits may be necessary in certain situations:

  • After significant changes to your IT infrastructure or applications
  • Following a security incident or data breach
  • When new regulatory requirements come into effect
  • Before and after major system deployments
  • When onboarding new third-party service providers

For ISO 27001 certified organisations, annual surveillance audits are mandatory, with a full recertification audit every three years. Organisations subject to MAS TRM or CCOP may have additional audit frequency requirements.

Visit our Security Audit page to learn about our audit services.

Working With Us

Getting started with FE Technology is straightforward:

  1. Initial contact — Reach out to us through our contact page, email, or phone to schedule a consultation.
  2. Discovery call — During this no-obligation consultation, we discuss your organisation's cybersecurity needs, current challenges, and objectives.
  3. Proposal — Based on our discussion, we recommend the most appropriate services and provide a detailed proposal including scope, timeline, and pricing.
  4. Kick-off — Once approved, we assign a dedicated team of consultants and begin the engagement with a kick-off meeting.
  5. Delivery — Throughout the engagement, we maintain clear communication and provide regular updates on progress.

Whether you need a one-time assessment or ongoing advisory support, we are here to help. Contact us today to schedule your free consultation.

Our consultants hold industry-recognised certifications that demonstrate expertise across governance, offensive security, and compliance domains:

  • CISSP
  • ISO 27001 LA
  • OSCP
  • GPEN

Our team maintains these certifications through continuous professional development and stays current with the latest threats, tools, and methodologies. Visit our certifications page for more details.

Still Have Questions?

Our team is happy to answer any additional questions you may have about our cybersecurity services, compliance requirements, or how we can help your organisation.
