A cybersecurity audit for Singapore SMEs is not the same as a penetration test. A VAPT finds vulnerabilities in your systems; an audit assesses whether your policies, processes, and controls are appropriately designed and operating effectively. Both are necessary — and both are required under MAS TRM, ISO 27001, and CSA's certification frameworks. This checklist covers the key audit domains for Singapore SMEs in 2026, aligned with current regulatory expectations.
Before You Start
CSRO-Licensed Auditors for Technical Assessments
When your cybersecurity audit includes technical testing (penetration testing, vulnerability scanning, cloud security assessment), ensure your provider holds a CSRO (Cybersecurity Service Provider Regulation Order) licence from CSA. This is a legal requirement for security testing firms in Singapore under the Cybersecurity Act — not optional.
1. Governance and Policy
- Information Security Policy — formally documented, approved by senior management, reviewed annually
- Cybersecurity roles and responsibilities clearly assigned (CISO or equivalent, even for SMEs)
- Risk management framework documented and practiced
- Board-level cybersecurity oversight — at least annual briefing on security posture
- Acceptable Use Policy for all employees covering devices, data, and internet usage
- Information classification policy with handling requirements for each level
2. Access Control and Identity Management
- Multi-factor authentication enforced for all cloud services, VPN, and email
- Privileged accounts managed separately — dedicated admin accounts used only for administrative tasks, not standard user accounts with elevated rights
- User access reviews conducted at least semi-annually — remove access for departed employees within 24 hours
- Principle of least privilege enforced — users have only the access needed for their role
- Shared accounts eliminated or documented with individual accountability maintained
- Service account inventory maintained with owners assigned
3. Network Security
- Network segmentation implemented — separate VLANs for servers, workstations, IoT, and guest Wi-Fi
- Firewall rules reviewed and unnecessary rules removed (last review date documented)
- Remote access via VPN with MFA — no direct RDP exposure to the internet
- DNS filtering deployed to block malicious domains
- Network monitoring in place — flow logs or IDS/IPS alerting on anomalous traffic
- Wireless network security — WPA3 or WPA2-Enterprise, hidden SSIDs for internal networks
4. Endpoint Security
- Endpoint Detection and Response (EDR) deployed on all corporate devices
- Patch management programme — operating system and application patches applied within 30 days (14 days for critical)
- Full-disk encryption on all laptops and mobile devices
- Mobile Device Management (MDM) for corporate mobile devices — enforcing PIN, remote wipe capability
- USB and removable media policy — blocked by default with exception process
- Approved software list — only authorised applications installed on corporate devices
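The timed requirements in sections 2 and 4 (access removed within 24 hours of departure; patches applied within 30 days, 14 for critical) can be checked mechanically against exported evidence rather than by reading spreadsheets. This is an added example, not code from the article or from Infinite Cybersecurity; the HR leaver list, identity-provider status and patch export are constructed, and the user and host names are hypothetical.

```python
from datetime import date, datetime, timedelta

# Thresholds taken from checklist items 2 and 4.
OFFBOARD_SLA = timedelta(hours=24)
PATCH_SLA = {"critical": timedelta(days=14), "default": timedelta(days=30)}

# Constructed sample evidence (not real data): HR leaver dates joined with the
# identity provider's account-disabled timestamp, plus a patch-management export.
DEPARTURES = [
    {"user": "alice", "left": "2026-01-10T17:00", "disabled": "2026-01-11T09:00"},  # 16h: ok
    {"user": "bob",   "left": "2026-01-12T17:00", "disabled": None},                # still active
    {"user": "carol", "left": "2026-01-15T12:00", "disabled": "2026-01-17T08:00"},  # 44h: late
]
PATCHES = [
    {"host": "web01", "severity": "critical", "released": "2026-02-01", "applied": "2026-02-10"},
    {"host": "app01", "severity": "critical", "released": "2026-02-01", "applied": "2026-02-20"},
    {"host": "db01",  "severity": "high",     "released": "2026-01-20", "applied": None},
]


def offboarding_findings(records, now):
    """Users whose account was not disabled within 24 hours of departure.
    A still-enabled account is measured against the audit time, so the gap keeps growing."""
    findings = []
    for r in records:
        left = datetime.fromisoformat(r["left"])
        disabled = datetime.fromisoformat(r["disabled"]) if r["disabled"] else now
        if disabled - left > OFFBOARD_SLA:
            findings.append(r["user"])
    return findings


def patch_findings(records, today):
    """Hosts where a patch was applied late, or is still missing, past its 14/30-day window."""
    findings = []
    for r in records:
        sla = PATCH_SLA.get(r["severity"], PATCH_SLA["default"])
        released = date.fromisoformat(r["released"])
        applied = date.fromisoformat(r["applied"]) if r["applied"] else today
        if applied - released > sla:
            findings.append(r["host"])
    return findings


def run_audit(audit_time="2026-03-01T09:00"):
    """Run both checks as of an ISO 8601 audit timestamp; returns (offboarding, patch) findings."""
    now = datetime.fromisoformat(audit_time)
    return offboarding_findings(DEPARTURES, now), patch_findings(PATCHES, now.date())


if __name__ == "__main__":
    users, hosts = run_audit()
    print("Offboarding SLA breaches:", users)
    print("Patch SLA breaches:", hosts)
```

Running the same checks with an earlier audit date shows how an open item (db01's missing patch) only becomes a finding once its window has actually elapsed.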
5. Data Protection and PDPA
- Personal data inventory — what data you collect, where it is stored, who has access
- Data retention and disposal policy — clear timelines, secure deletion procedures
- Privacy notices reviewed — accurate, accessible, and covering all collection channels
- Data Protection Officer (DPO) appointed and contact published on website
- Data breach response procedure documented and tested
- Third-party data processing agreements in place for all vendors handling personal data
- Cross-border transfer obligations assessed for cloud storage outside Singapore
6. Security Testing
- Annual VAPT conducted by a CREST-accredited, CSRO-licensed Singapore provider
- Penetration test scope covers all internet-facing systems, APIs, and critical internal networks
- Remediation tracking record maintained — critical findings addressed within 30 days
- Retest conducted to confirm critical and high findings are resolved
- Vulnerability management programme — continuous scanning between annual VAPT engagements
7. Business Continuity and Backup
- Backup regime documented — backup frequency, retention periods, and storage locations
- Offsite or cloud backup maintained (3-2-1 rule: 3 copies, 2 media types, 1 offsite)
- Backup restore tested at least annually — confirmed recovery to clean state
- Business Continuity Plan documented and tested via tabletop exercise
- RTO/RPO defined for critical systems — communicated to senior management
8. Monitoring and Logging
- Centralised logging for critical systems — servers, firewalls, cloud environments, email
- Log retention for at least 12 months (MAS TRM requires specific retention periods)
- Security alerts configured — failed login attempts, privilege escalation, data exfiltration indicators
- Log review process — who reviews alerts, how often, what is escalated
- SIEM or log management platform — not relying on raw log files
9. Security Awareness and Training
- Annual security awareness training for all staff — completion tracked and documented
- Phishing simulation conducted at least quarterly
- Role-specific training for IT staff, finance staff, and senior management
- New employee onboarding includes security training
- Security training records maintained for regulatory evidence
Taking Action on Your Audit Findings
Use this checklist to identify gaps, then prioritise remediation by risk. For most Singapore SMEs, the highest-priority gaps to close first are: MFA for all cloud services, EDR on all devices, annual VAPT with a CREST-accredited CSRO-licensed provider, and a documented data breach response procedure.
Infinite Cybersecurity conducts cybersecurity audits and gap assessments for Singapore SMEs, producing a prioritised remediation roadmap aligned with MAS TRM, CSA Cyber Essentials, and ISO 27001. See our compliance advisory services or contact our Singapore team.
Ready to Secure Your Business?
Our CSRO-licensed, CREST-accredited Singapore team conducts cybersecurity audits aligned with MAS TRM, PDPA, and CSA requirements.