VAPT in Singapore — Why Penetration Testing is No Longer Optional

A few years ago, penetration testing was something banks and large enterprises did when they felt like it, or when a consultant persuaded them it was a good idea. Today, that picture has changed fundamentally. MAS TRM Guidelines require it. The CSA Cyber Trust Mark requires it. ISO 27001 strongly recommends it. For any Singapore organisation that processes financial data, holds sensitive personal information, or provides services to regulated entities, VAPT has moved from optional to expected.

But "doing VAPT" means different things in different contexts. A cursory automated scan is not the same as a CREST-certified penetration test. Understanding the difference — and knowing what your regulators, clients, and certifiers actually expect — determines whether your security investment delivers real value or just produces a report that collects dust.

The Regulatory Drivers

Three major frameworks drive VAPT requirements in Singapore, and the demands differ by audience:

MAS Technology Risk Management Guidelines

MAS TRM Guidelines explicitly require financial institutions to conduct security testing of their systems, including penetration testing for internet-facing and critical systems. The frequency is risk-based — higher-risk systems need more frequent testing — and MAS expects testing to be conducted by qualified, independent parties. For many Singapore FSPs, this means an annual VAPT as a minimum, with additional scoping for new systems before go-live.

CSA Cyber Trust Mark

The Cyber Security Agency's Cyber Trust Mark certification requires organisations to demonstrate security testing as part of their security programme. Achieving higher levels of the Cyber Trust Mark requires evidence of penetration testing by competent parties, with findings tracked through to remediation.

ISO 27001

While ISO 27001 doesn't prescribe penetration testing by name, Annex A control A.8.8 (management of technical vulnerabilities) and the broader requirement for security testing mean that most certification auditors expect organisations to have a VAPT programme as part of a mature ISMS. Organisations that rely solely on automated scans typically receive findings during certification audits.

Vulnerability Assessment vs Penetration Testing — the Real Difference

VAPT stands for Vulnerability Assessment and Penetration Testing, and the two components are distinct — though they're usually packaged together:

  • Vulnerability assessment (VA) is largely automated. Tools like Nessus, Qualys, or Tenable scan your systems and identify known vulnerabilities — missing patches, misconfigured services, weak cipher suites. It produces a list of findings rated by severity. Fast, relatively cheap, covers a lot of ground. But it doesn't tell you whether those vulnerabilities are actually exploitable in your specific environment.
  • Penetration testing (PT) is manual, adversarial work. A skilled tester takes the VA findings (and goes beyond them) to actively attempt exploitation. They chain vulnerabilities together, test business logic flaws, attempt privilege escalation, and try to access data they shouldn't be able to reach. This is where the real risk picture emerges.

The gap between the two is significant. An automated scan might flag a medium-severity vulnerability on an internal server. A penetration tester might demonstrate that the same vulnerability — combined with a weak credential in an adjacent system — leads directly to your customer database. That's the difference between a risk score and a risk reality.

Why CREST Certification Matters for Singapore Companies

CREST (Council of Registered Ethical Security Testers) is the internationally recognised accreditation body for penetration testing firms. A CREST-certified test means the firm has passed rigorous technical examinations, their methodologies have been independently assessed, and individual testers hold current CREST practitioner credentials. MAS and CSA both recognise CREST certification as evidence of testing quality. When regulators ask about your VAPT programme, a CREST-certified provider gives you credibility that self-certified vendors cannot.

What a CREST-Certified VAPT Covers

A properly scoped VAPT for a Singapore company typically encompasses:

  • External network penetration testing — testing internet-facing systems: web applications, APIs, remote access portals, email gateways
  • Internal network penetration testing — assuming an attacker has breached the perimeter (insider threat, phishing success) and testing what they can reach internally
  • Web application testing — OWASP Top 10 and beyond: SQL injection, authentication flaws, access control issues, business logic vulnerabilities
  • Mobile application testing — where applicable: insecure data storage, API security, certificate pinning
  • Social engineering — phishing simulations and physical access testing (often scoped separately)

How Often Should You Test?

At minimum, annually — and more frequently if your systems change significantly. MAS expects higher-risk systems to be tested more often. Most Singapore FSPs run an annual external VAPT and an internal penetration test, with additional application testing when new systems are deployed or major changes are made.

The key discipline is follow-through: VAPT findings need to be remediated, and critical findings should be addressed within defined SLAs. A VAPT report that documents critical vulnerabilities that remain unpatched six months later is worse than no report — it's documented proof of unmanaged risk.
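The follow-through discipline above is easiest to enforce when findings are tracked as data rather than as a PDF. The script below is an added example, not code from the original post or from any VAPT provider: it holds a handful of constructed findings, applies assumed per-severity SLA windows (the day counts are illustrative placeholders, not values from MAS, CSA or ISO), and reports which findings are still open past their deadline, which are fixed but not yet confirmed on retest, and which are closed.

```python
"""Track VAPT findings against remediation SLAs (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed SLA windows in days per severity. These are illustrative placeholders;
# the real values come from your own remediation policy.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}

# Sort order used when listing overdue items, most serious first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    ref: str
    title: str
    severity: str
    reported: date
    fixed: Optional[date] = None   # date the fix was deployed, if any
    retest_passed: bool = False    # tester confirmed the fix on retest


def deadline(f: Finding) -> date:
    """Remediation due date derived from the report date and the severity SLA."""
    return f.reported + timedelta(days=SLA_DAYS[f.severity.lower()])


def status(f: Finding, today: date) -> str:
    """One of: closed, closed_late, awaiting_retest, open, overdue.

    A finding only counts as closed once the fix has been confirmed on retest;
    a deployed-but-unverified fix is still an open risk for audit purposes.
    """
    due = deadline(f)
    if f.fixed is not None:
        if f.retest_passed:
            return "closed" if f.fixed <= due else "closed_late"
        return "awaiting_retest"
    return "overdue" if today > due else "open"


def overdue(findings, today: date):
    """(ref, severity, days past deadline) for unremediated findings past SLA."""
    late = [f for f in findings if status(f, today) == "overdue"]
    late.sort(key=lambda f: (SEVERITY_ORDER[f.severity.lower()], deadline(f)))
    return [(f.ref, f.severity, (today - deadline(f)).days) for f in late]


def summary(findings, today: date) -> dict:
    """Count of findings per status, the figure an auditor usually asks for first."""
    counts: dict = {}
    for f in findings:
        s = status(f, today)
        counts[s] = counts.get(s, 0) + 1
    return counts


# Constructed sample findings, as they might sit in a tracker after a VAPT.
SAMPLE = [
    Finding("F-01", "SQL injection in login form", "critical",
            date(2024, 1, 10), date(2024, 1, 20), True),
    Finding("F-02", "Outdated TLS cipher suites on VPN portal", "high",
            date(2024, 1, 10)),
    Finding("F-03", "Default credentials on internal CI server", "critical",
            date(2024, 1, 10), date(2024, 2, 15), False),
    Finding("F-04", "Verbose error messages", "low",
            date(2024, 1, 10)),
]

# Assumed "as of" date for the sample review.
AS_OF = date(2024, 3, 1)

if __name__ == "__main__":
    print(summary(SAMPLE, AS_OF))
    for ref, sev, days in overdue(SAMPLE, AS_OF):
        print(f"{ref} ({sev}) is {days} days past its SLA")
```

The design point is the `awaiting_retest` state: a finding marked fixed by the development team is not evidence of remediation until the tester has confirmed it, so the tracker keeps it separate from `closed` and it never silently drops out of the overdue list by being marked fixed without verification.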

Ready for a CREST-certified VAPT?

Our CREST-certified team conducts penetration tests that satisfy MAS TRM, Cyber Trust Mark, and ISO 27001 requirements — with a clear remediation roadmap, not just a risk report.
