Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.
Singapore Government ICT&SS Policy Reform

About SSP

List of system security plans supported

Last updated 4 March 2026

Purpose

A system security plan comprises the implementable controls based on system characteristics. The current types of systems include:

  • Low-Risk Cloud

  • Low-Risk On-Premises

  • Medium-Risk Cloud

  • High-Risk Cloud CII

  • Digital Services (Others)

  • Digital Services (High Impact)

  • Sandbox

Agencies and their industry partners are required to assess the risks and threats for each of their systems, to determine the controls required to mitigate the risks.

Control Levels

Profile Level 0

These are Cardinal and Mandatory requirements.

Profile Level 1

These are basic hygiene process and technical control requirements, including toolings with alternatives. Agencies and industry partners are to assess and apply the controls in accordance with its risk impacts.

Profile Level 2

These are best practices for Agencies to consider and adopt where required.

The SSPs were last updated on 16 September 2025.