Singapore: New advisory guidelines to bolster resilience and security of cloud services and data centers

In brief

The Infocomm Media Development Authority (IMDA) has released a new set of advisory guidelines ("Advisory Guidelines") aimed at enhancing the resilience and security of cloud services and data centers in Singapore. These Advisory Guidelines are part of Singapore's broader digital infrastructure strategy and reflect growing emphasis on the systemic importance of digital services and infrastructure to both the economy and daily life.


Voluntary best practices

While not mandatory, the Advisory Guidelines on Resilience and Security of Data Centres (DCOAG) and Advisory Guidelines on Resilience and Security of Cloud Services (CSPAG) are strongly encouraged for adoption by data center operators (DCO) and cloud service providers (CSP) respectively.

The Advisory Guidelines recommend concrete measures to prevent, mitigate and recover from disruptions such as cyberattacks, hardware failures, fires and misconfigurations. These are aligned with global standards (e.g., ISO 22301 and ISO 27001) and draw on lessons from past incidents and industry consultations.

Cloud services

The CSPAG seek to strengthen the following key domains:

  • Cloud governance, such as sound information security, data governance and risk management
  • Infrastructure security, such as secure configurations, monitoring, encryption, and regular security testing
  • Operations management, such as robust change and incident management practices
  • Service administration, which includes control of privileged account access
  • Customer access, which addresses user authentication and access controls
  • Tenancy isolation, which ensures effective segregation between customers in shared environments
  • Cloud resilience, which includes physical and environmental protections, disaster recovery, and business continuity planning

To these ends, the CSPAG set out detailed recommendations that CSPs are encouraged to adopt to strengthen their resilience and security postures, some of which are summarized below:

  • Strengthen governance and accountability structures. CSPs should embed information security into their broader governance framework, with defined responsibilities, formalized policies and oversight mechanisms.
  • Implement rigorous human resource and third-party controls. Before and during engagement, CSPs are expected to vet personnel and contractors, ensure appropriate training, and enforce disciplinary measures for breaches.
  • Adopt comprehensive risk management processes. CSPs should maintain a cloud-specific risk framework that addresses identification, assessment and mitigation.
  • Secure infrastructure through technical controls and monitoring. Detailed measures are recommended to manage configurations, logging, system development and vulnerability testing.
  • Manage change and operations with discipline. Changes to cloud infrastructure should follow a formal process, including impact assessments, rollback plans, and separation of development and production environments.
  • Control privileged access and user management. CSPs should manage both administrative and user access through layered security, such as password policies, session management, least privilege access and strong authentication methods.
  • Ensure strong customer and tenant isolation. Multitenant environments should be architected to prevent unauthorized access between customers.
  • Prepare for disruptions with robust continuity plans. CSPs are advised to establish and test their business continuity and disaster recovery plans, including simulations of failover scenarios.
  • Appoint a senior-level officer to lead implementation.

Data centers

The DCOAG identifies key risk categories that DCOs need to address:

  • Infrastructure risk: This relates to physical and engineering issues in the design or setup of the data center that could lead to service disruptions, for example, power issues, cooling failures, cable damage, fire and intrusion risks, and water ingress.
  • Governance risk: This relates to operational oversight gaps, including monitoring lapses, slow incident responses and uncontrolled change management.
  • Cybersecurity risk: This encompasses threats to digital systems and network infrastructure, such as malware or ransomware attacks, supply chain vulnerabilities, and exploitation of outdated systems.

To address these risks, the DCOAG encourages DCOs to implement a business continuity management system (BCMS) built around a four-stage Plan, Do, Check, Act cycle:

  • Plan: define continuity objectives and ensure top-level support.
  • Do: conduct impact and risk assessments, prepare recovery strategies and test readiness.
  • Check: monitor BCMS performance and conduct regular audits.
  • Act: update systems based on reviews, feedback and evolving threats.

Beyond the BCMS implementation, the DCOAG sets out several additional technical and governance measures that DCOs are encouraged to adopt to bolster cyber resilience, including the following:

  • Maintaining a certified information security framework
  • Ensuring strong oversight of third-party providers
  • Enforcing personnel checks and training
  • Implementing secure system configurations
  • Conducting vulnerability testing and penetration assessments
  • Implementing end-to-end encryption and lifecycle key management
  • Implementing role-based access control
  • Implementing network segmentation and intrusion detection

To anchor accountability and ensure organization-wide alignment, DCOs are encouraged to appoint a senior officer responsible for driving implementation of resilience and security measures.

Consultation

The Advisory Guidelines were shaped through consultation with major CSPs, DCOs and end-user enterprises across the banking, healthcare and tech sectors. Industry players have expressed strong support, citing the Advisory Guidelines as a critical step toward maintaining Singapore's leadership in digital reliability and innovation.

Key takeaways

These Advisory Guidelines complement other regulatory efforts, including the Cybersecurity Act amendments in 2024 that expanded coverage to digital infrastructure. The Advisory Guidelines may also serve as a precursor to future legislation, perhaps in the forthcoming Digital Infrastructure Act, which will formally regulate systemically important digital infrastructure such as major CSPs and DCOs to address emerging threats in a rapidly digitalizing economy. Organizations that rely on cloud and data center services, particularly those in regulated or customer-facing sectors, should review their service providers' alignment with the Advisory Guidelines. Service providers should consider adopting the Advisory Guidelines not only to mitigate risk but also to strengthen their operational reputation and market position. Please contact our team for further information.

* * * * *


© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

