About Control Catalog

Purpose

This catalog lists out the same control requirements to government agencies and industry partners so that both parties can work together to apply the right level of controls for their systems.

The catalog consists of a central pool of recommended controls meant for the following systems:

• Low-Risk Cloud
• Low-Risk On-Premises
• Medium-Risk Cloud
• High-Risk Cloud CII
• Digital Services (Others)
• Digital Services (High Impact)
• Sandbox

The controls are expressed using Open Security Controls Assessment Language (OSCAL) which are codified in machine-readable policy format. It enables future automation to monitor and assess the effectiveness of technical control implementation. Industry partners can get more info about OSCAL here.

The controls are categorised into domain areas as listed on the left. Each control can either be a basic hygiene requirement which should be implemented or a guideline which is best practice for consideration.  A control can be tagged as requirement for low-risk systems but tagged as guideline for systems in sandbox stage. The list of controls for these profiles are listed here. You may refer to sample JSON files here.

Each system is to define a system security plan that comprises the implementable controls.  Agencies and their industry partners are to apply the controls identified for each system.

The recommended controls for Low to High-Risk Cloud, Low-Risk On-Premises, Digital Services and Sandbox systems are published here and will progressively be updated in this website.

We invite the industry players to join us in the ICT&SS Reform journey. For any feedback, please provide here.

The control catalog was last updated on 16 September 2025.