Singapore MTCS

Singapore MTCS overview

The Multi-Tier Cloud Security (MTCS) Standard for Singapore was prepared under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Media Development Authority (IMDA). The ITSC promotes national programs to standardize IT and communications, and facilitates Singapore's participation in international standardization activities. In conjunction with the Singapore Standard SS 584 Specification for multi-tiered cloud computing security, the MTCS Certification Scheme was developed to encourage adoption of sound risk management and security practices by cloud service providers (CSPs).

MTCS builds upon recognized international standards such as ISO 27001. It is the first cloud security standard with provisions for assessing different levels of security, so certified CSPs can specify which certification level they have achieved. MTCS includes a total of 535 controls and it addresses the following levels of security:

  • Level 1 covers basic security
  • Level 2 includes more stringent governance and tenancy controls
  • Level 3 adds reliability and resiliency for high-impact information systems

Azure and Singapore MTCS

After a rigorous assessment conducted by an accredited MTCS Certification Body, Microsoft Azure was granted MTCS certification at Level 3. A Level 3 certification means that in-scope Azure services can host high-impact data for regulated organizations with the strictest security requirements. It’s required for certain cloud solution implementations by the Singapore government.

Applicability

  • Azure

Services in scope

For a list of Microsoft cloud services in audit scope, see the separate Azure and Dynamics 365 MTCS certificates or Cloud services in audit scope:

  • Azure
  • Dynamics 365
  • Microsoft 365
  • Power Platform

Office 365 and Singapore MTCS

For more information about Office 365 compliance, see Office 365 Singapore MTCS documentation.

Attestation documents

Alternatively, you can access Azure and Dynamics 365 MTCS audit documents from the Service Trust Portal (STP) Singapore MTCS section. For instructions on how to access audit reports, see Audit documentation.

Frequently asked questions

What are the differences between MTCS security levels?
MTCS has a total of 535 controls that cover three levels of security:

  • Level 1 is low cost, with a minimum number of required baseline security controls. It is suitable for web site hosting, test and development work, simulation, and noncritical business applications.
  • Level 2 addresses the needs of most organizations that are concerned about data security, with a set of more stringent controls targeted at security risks and threats to data. Level 2 is applicable for most cloud usage, including mission-critical business applications.
  • Level 3 is designed for regulated organizations with specific requirements and those willing to pay for stricter security requirements. Level 3 adds a set of security controls to supplement controls in Levels 1 and 2. They address security risks and threats in high-impact information systems using cloud services, such as hosting applications with sensitive information and in regulated systems.

Where can I get MTCS audit documentation?
For links to audit documentation, see Attestation documents. You can download MTCS audit documents from the Service Trust Portal (STP) or directly from the IMDA list of MTCS certified cloud services. You must have an existing Azure subscription or free Azure trial account to sign in to the STP. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.

Resources