How Infracom Delivers Independent Cybersecurity Assurance — Singapore-led, AU-extended

A three-tier delivery model — SQEP advisory, CREST & OSCP technical assurance, and GRC governance — anchored in Singapore's CSRO licensing regime and ISO 27001 (meeting CTM Tier 3 minimum), and extended to Australia under the Feb 2026 SG–AU CSP 2.0 MOU.

CSRO Licensed · ISO 27001 (meets CTM Tier 3 minimum) · CREST Pathway+ Organisation · CREST & OSCP-certified operators · Feb 2026 SG–AU MOU
At a glance

Three independent tiers. One accountable outcome.

Infracom separates cybersecurity work into three deliberately independent practices: SQEP (Suitably Qualified Experienced Personnel embedded as advisors), VAPT (technical assurance executed by CREST- and OSCP-certified operators under our CREST Pathway+ Organisation status), and GRC (governance review and signoff against ISO 27001, IM8, MAS TRM, CSA CCoP, and PDPA). Our ISO 27001 certification meets CSRO's minimum Cyber Trust Mark Tier 3 requirement for licensed cybersecurity service providers, and the same discipline extends to Australian engagements under the Feb 2026 SG–AU MOU. The party that tests is never the party that signs off, and the party that advises is never the party that issues the assurance opinion.

The Infracom delivery model

What does Infracom's three-tier independence model look like?

Each tier exists for a different reason, is delivered by a different qualified party, and produces a different deliverable. The independence between them is what makes the assurance opinion defensible to a regulator, an auditor, or a board — in Singapore and in Australia.

Tier 1

SQEP — Suitably Qualified Experienced Personnel

Independent advisory, embedded

Senior cybersecurity practitioners placed inside the client's environment as advisors — not to perform testing, not to issue signoff, but to translate regulatory expectations into day-to-day operating decisions, mentor in-house teams, and prepare the organisation for assurance work. SQEP roles are portable across IM8, MAS TRM, CSA CCoP, ISO 27001, and Australian Essential Eight contexts.

Delivered by
Infracom SQEP advisors with senior architecture, risk, audit and cloud certifications
Deliverable
Architecture endorsement, waiver justification, security testing endorsement, go-live endorsement, annual recertification
Independence
Cannot also perform Tier 2 testing or Tier 3 signoff on the same engagement
Tier 2

VAPT — Technical Assurance

Independent testing, evidence-based

Vulnerability assessment and penetration testing executed by CREST- and OSCP-certified operators under Infracom's CREST Pathway+ Organisation status. CREST provides the organisational governance and methodology framework recognised by Singapore CSA, the UK government, and the Australian government; OSCP demonstrates hands-on offensive technical capability under exam conditions. Findings are evidenced, reproducible, and CVSS-scored.

Delivered by
CREST-certified (CRT, CCT-INF, CCT-APP) and OSCP-certified operators
Deliverable
Technical findings report, executive summary, retest letter
Independence
Testing team is firewalled from Tier 1 advisors and Tier 3 governance reviewers
Tier 3

GRC — Governance, Risk & Compliance Signoff

Independent review, opinion-grade

Review of the client's control environment against ISO 27001:2022, IM8 / ICT&SS, MAS TRM, CSA CCoP, PDPA, or AU Essential Eight, culminating in a documented GRC opinion. The reviewer reads the Tier 2 evidence and the Tier 1 advisory record but did not produce either — preserving the segregation that lets the opinion stand on its own.

Delivered by
ISO 27001 Lead Auditors and senior GRC reviewers
Deliverable
Gap assessment, remediation roadmap, signoff letter or audit-readiness statement
Independence
Reviewer cannot have advised (Tier 1) or tested (Tier 2) the same scope
Segregation of Duties

Who does what across the three tiers?

In regulated and CII contexts, the same party cannot test a control, advise on its remediation, and issue the assurance opinion that says it works. The table below shows how Infracom enforces that separation — and what each separation delivers to the client.


Function
Operational advisory & remediation guidance
Infracom 3-Tier Model
Tier 1 SQEP — advisor only, no testing or signoff authority on the same scope
What this delivers
Operational support that does not bias the test scope or the signoff conclusion

Function
Technical testing & evidence collection
Infracom 3-Tier Model
Tier 2 VAPT — CREST- and OSCP-certified operators, firewalled from Tier 1 and Tier 3
What this delivers
Evidenced findings that stand independently of any advisory work

Function
Independence from the delivery outcome
Infracom 3-Tier Model
Each tier produces its own deliverable; cross-tier conflicts are documented and escalated
What this delivers
An audit trail that respects segregation-of-duties expectations

Function
Continuity across engagement phases
Infracom 3-Tier Model
Engagement record handed across tiers; advisory context is preserved without compromising independence
What this delivers
Scope continuity without re-discovery cost between phases

Function
Final signoff & opinion issuance
Infracom 3-Tier Model
Tier 3 GRC reviewer — reads Tier 1 + Tier 2 evidence, issues independent opinion
What this delivers
An opinion defensible to a Singapore regulator, AU procurement reviewer, or board

This matrix describes functional alignment and segregation of duties only. Specific commercial and contractual arrangements vary by engagement and are documented in the relevant Statement of Work.

Regulatory framework mapping

Which frameworks does Infracom's methodology map to?

We endorse architectures and issue assurance against the frameworks Singapore's regulators require, the international standards modern enterprises operate within, and the Australian baselines our SG–AU MOU clients increasingly need.

IM8 / ICT&SS

SG Government

Singapore Government's Instruction Manual on ICT & Smart Systems Management — the primary baseline for SG public-sector security.

MAS TRM

SG Financial

Monetary Authority of Singapore's Technology Risk Management guidelines for regulated financial institutions.

CSA CCoP

SG CII

Cyber Security Agency of Singapore's Cybersecurity Code of Practice for Critical Information Infrastructure operators.

PDPA

SG Privacy

Personal Data Protection Act compliance for systems handling personal data in Singapore.

ISO 27001

International

Internationally recognised ISMS certification — globally accepted across SG and AU markets.

Meets CSRO's minimum Cyber Trust Mark Tier 3 requirement for licensed cybersecurity service providers.

Essential Eight

AU

Australian Cyber Security Centre's strategic mitigation framework — required for AU government and increasingly expected by enterprise.

Maturity Level 1–3 advisory capability under the Feb 2026 SG–AU MOU.

GDPR

EU / Global

General Data Protection Regulation for systems handling EU resident data.

SG–AU dual-market reach

How does the same methodology serve Singapore and Australia?

Singapore and Australia speak different regulatory dialects, but they read the same international standards. Infracom's methodology is built on the international ISO 27001 foundation, anchored in Singapore's CSRO licensing regime, and extended to Australia under the renewed Feb 2026 SG–AU CSP 2.0 MOU on Cyber Security Cooperation.

Singapore-anchored credentials

  • CSRO Licensed Company under Section 49 of the Cybersecurity Act
  • ISO 27001 certified — meets CTM Tier 3 (Promoter) minimum requirement
  • SQEP services explicitly in scope of our ISO 27001 certification
  • CREST Pathway+ Organisation, listed by CREST International
  • Maps to IM8, MAS TRM, CSA CCoP, and PDPA

Australia-extended capability

  • Essential Eight Maturity Level 1–3 advisory capability
  • ISO 27001 certification cross-recognised in AU government & enterprise procurement
  • Security architecture endorsement for AU enterprise systems
  • SQEP discipline transferred to AU under Feb 2026 SG–AU MOU
  • VAPT delivery via CREST- and OSCP-certified operators recognised in AU markets

The MOU bridge. The renewed Singapore–Australia MOU on Cyber Security Cooperation (signed 24 Feb 2026 between CSA and Australia's DFAT) explicitly includes mutual recognition of cybersecurity labelling and certification schemes. Infracom's CSRO licence and its ISO 27001 certification (the latter already recognised internationally) are positioned to leverage this bilateral framework as it operationalises across the SG–AU corridor.

A worked example

How does a single engagement run across the three tiers?

A neutral illustration of how the three tiers operate independently inside one engagement — with each tier producing its own evidence, signed off by a different qualified party. Engagement shape and duration vary by scope and are agreed at scoping.

Illustrative scenario

An annual VAPT + GRC review for a regulated organisation

A Singapore-regulated organisation engages Infracom to deliver a penetration test of its internet-facing infrastructure and a GRC review against the applicable framework (ISO 27001, MAS TRM, IM8, or CSA CCoP depending on sector). The organisation's internal cybersecurity team needs advisory support to interpret findings and prepare for the GRC review.

1. Tier 1 — SQEP advisory (preparation phase)

An Infracom SQEP advisor is embedded with the client's cybersecurity team to support control mapping against the applicable framework, prepare evidence packs, and mentor the team on remediation prioritisation. The advisor does not test the controls and does not issue any signoff.

2. Tier 2 — Technical assurance phase

A separate operator team — CREST- and OSCP-certified, with no view of Tier 1 advisory notes during execution — executes the penetration test against an agreed scope. Findings are CVSS-scored and delivered as an evidenced report with a retest letter.

3. Tier 3 — Independent assurance phase

A third Infracom reviewer — an ISO 27001 Lead Auditor with no involvement in the prior phases — reads the Tier 2 findings report and the client's evidence pack, conducts independent walkthroughs, and issues the GRC opinion. The opinion stands on documented evidence, not on Infracom's other work.

Result. The client receives a defensible audit-ready package: an advisory record (Tier 1), an independent technical assurance report (Tier 2), and an independent GRC opinion (Tier 3). At regulator inspection or board review, each tier is evidenced separately and the segregation of duties between them is documented.
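The independence rules stated across the three tiers (one person never holds two tiers on the same scope, Tier 2 is staffed by CREST- or OSCP-certified operators, Tier 3 by an ISO 27001 Lead Auditor who neither advised nor tested that scope) reduce to a small roster check. The following Python is an added example, not Infracom's own tooling: the roster representation, the people, the scope label and the credential codes are all constructed for illustration, and the check returns every conflict it finds so that cross-tier conflicts can be documented and escalated rather than silently dropped.

```python
"""Segregation-of-duties check for a three-tier engagement roster.

Added example, not Infracom's tooling. Encodes the independence rules the
page states; the Assignment/Conflict shapes, names, scope label and
credential codes are constructed for illustration.
"""
from dataclasses import dataclass

TIER1, TIER2, TIER3 = "T1-SQEP", "T2-VAPT", "T3-GRC"
ALL_TIERS = (TIER1, TIER2, TIER3)

# Credentials the page lists for the delivering party of each tier.
# Codes are illustrative labels, not a registry format.
TIER2_CREDS = frozenset({"CRT", "CCT-INF", "CCT-APP", "OSCP"})
TIER3_CREDS = frozenset({"ISO27001-LA"})


@dataclass(frozen=True)
class Assignment:
    person: str
    tier: str
    scope: str                      # the engagement scope the role covers
    creds: frozenset = frozenset()


@dataclass(frozen=True)
class Conflict:
    rule: str
    detail: str


def check_roster(roster):
    """Validate a roster against the three-tier independence rules.

    Returns a list of Conflict records; an empty list means the roster is
    compliant. Every conflict is returned so it can be documented and escalated.
    """
    conflicts = []
    by_scope = {}
    for a in roster:
        if a.tier not in ALL_TIERS:
            conflicts.append(Conflict("unknown-tier", f"{a.person}: {a.tier}"))
            continue
        by_scope.setdefault(a.scope, []).append(a)

    for scope, assigns in sorted(by_scope.items()):
        # Rule 1: a person holds at most one tier on a given scope. This one
        # check covers all three pairwise bans (advise/test, advise/signoff,
        # test/signoff). The same person may hold a different tier on another
        # scope, which is why the check is grouped per scope.
        tiers_held = {}
        for a in assigns:
            tiers_held.setdefault(a.person, set()).add(a.tier)
        for person, tiers in sorted(tiers_held.items()):
            if len(tiers) > 1:
                conflicts.append(Conflict(
                    "one-tier-per-scope",
                    f"{person} holds {sorted(tiers)} on scope {scope}"))

        # Rule 2: each tier is staffed, so each tier produces its own
        # deliverable and no deliverable is issued by a missing party.
        for tier in ALL_TIERS:
            if not any(a.tier == tier for a in assigns):
                conflicts.append(Conflict("tier-unstaffed", f"{tier} on {scope}"))

        # Rule 3: the delivering party holds a credential the tier requires.
        for a in assigns:
            required = {TIER2: TIER2_CREDS, TIER3: TIER3_CREDS}.get(a.tier)
            if required and not (a.creds & required):
                conflicts.append(Conflict(
                    "tier-credential",
                    f"{a.person} on {a.tier}/{scope} lacks {sorted(required)}"))
    return conflicts


# Constructed rosters for the illustrative scenario (people are fictional).
SCOPE = "internet-facing-infra-2026"
COMPLIANT_ROSTER = [
    Assignment("advisor-1", TIER1, SCOPE, frozenset({"CISSP"})),
    Assignment("operator-1", TIER2, SCOPE, frozenset({"OSCP"})),
    Assignment("operator-2", TIER2, SCOPE, frozenset({"CRT"})),
    Assignment("reviewer-1", TIER3, SCOPE, frozenset({"ISO27001-LA"})),
]
# The Tier 1 advisor is reused as the Tier 3 reviewer, and one operator holds
# no CREST/OSCP credential: both must surface as documented conflicts.
CONFLICTING_ROSTER = [
    Assignment("advisor-1", TIER1, SCOPE, frozenset({"CISSP"})),
    Assignment("operator-1", TIER2, SCOPE, frozenset()),
    Assignment("advisor-1", TIER3, SCOPE, frozenset({"ISO27001-LA"})),
]

if __name__ == "__main__":
    for name, roster in (("compliant", COMPLIANT_ROSTER),
                         ("conflicting", CONFLICTING_ROSTER)):
        found = check_roster(roster)
        print(f"{name}: {'OK' if not found else f'{len(found)} conflict(s)'}")
        for c in found:
            print(f"  [{c.rule}] {c.detail}")
```

The check is deliberately grouped by scope: the rule the page states is independence on the same scope, so an advisor on one client system may still test a different, unrelated scope without breaching it. A conflict list (rather than a boolean) is what an engagement record needs, since the matrix above requires cross-tier conflicts to be documented and escalated.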

Frequently asked questions

Common questions about Infracom's delivery model

Why does Infracom separate testing from governance signoff?

Because regulators, auditors, and boards apply more weight to assurance opinions issued by a party that did not deliver the underlying work. Separating Tier 2 testing from Tier 3 signoff is the structural way to demonstrate that the opinion is independent of the delivery — which is what IM8, MAS TRM, CSA CCoP, ISO 27001, and Australia's PSPF / Essential Eight regime each, in their own way, ask for.

What is the difference between CREST and OSCP — and why does Infracom hold both?

CREST is an organisational and methodological framework recognised by Singapore CSA, the UK government, and the Australian government for penetration testing services; Infracom is a listed CREST Pathway+ Organisation. OSCP is Offensive Security's hands-on technical certification, demonstrating that an individual operator can identify and exploit vulnerabilities under exam conditions. The two credential families are complementary — CREST recognises OSCP through its Equivalency Programme. Infracom's testing team holds both, so clients benefit from organisational governance assurance and operator-level technical depth in the same engagement.

Does Infracom hold the Cyber Trust Mark (CTM) Tier 3 certification required of licensed cybersecurity service providers?

Infracom is ISO 27001 certified, and CSA explicitly recognises ISO 27001 as a CTM-equivalent certification that satisfies the minimum CTM Tier 3 (Promoter) requirement for licensed cybersecurity service providers. Maintaining both ISO 27001 and CTM in parallel would mean duplicated audit, documentation, and certification overhead for the same control set — a cost we choose not to pass to clients. Our ISO 27001 scope explicitly covers SQEP services and the people-process-technology delivery environment, and the certification is recognised internationally — including in the Australian market under the Feb 2026 SG–AU MOU.

How does Infracom's model align with Singapore regulatory frameworks?

The three-tier model maps directly across Singapore's regulatory stack. For government agencies, IM8 / ICT&SS sets the baseline; for financial institutions, MAS TRM sets the technology risk expectations; for CII operators, the CSA CCoP applies; for any system handling personal data, PDPA applies. Each framework has a different audit posture, but all of them expect independence between control implementation, testing, and signoff. Tier 1 SQEP supports preparation; Tier 2 testing provides evidence; Tier 3 GRC delivers the independent opinion. Each tier's deliverables are kept separable so the organisation can present them individually under regulator review.

How does the same methodology work for Australian clients?

Australia's regulatory environment is anchored on the ASD Information Security Manual, the PSPF, and the Essential Eight Maturity Model — with Maturity Level 2 mandated for non-corporate Commonwealth entities and increasingly expected by AU enterprise. Infracom's methodology lifts directly: Tier 1 SQEP advisors support Essential Eight uplift planning, Tier 2 testing maps to the AU technical assurance expectation, and Tier 3 GRC delivers ISO 27001 alignment recognised by AU procurement. The Feb 2026 SG–AU MOU on Cyber Security Cooperation explicitly includes mutual recognition of cybersecurity certification schemes — providing the bilateral framework Infracom's methodology is built to operate within.

Does Infracom operate its own SOC?

No. Where managed detection and response or 24/7 SOC capability is needed, Infracom delivers it as a reseller of CSRO-licensed partner SOC services. This is a deliberate choice: it keeps Infracom's GRC and assurance practices structurally independent from operational SOC delivery, preserving the segregation that underpins our signoff opinions.

Start your methodology engagement

Tell us about your engagement scope — our SQEP advisors, CREST & OSCP-certified operators, and ISO 27001 Lead Auditors will respond within 1 business day with a tailored proposal.

Methodology engagement types
3-Tier Independence Model · SQEP Advisory · CREST Pathway+ VAPT · OSCP-certified Operators · ISO 27001 Signoff · CTM Tier 3 Equivalent · Essential Eight (AU) · SG–AU MOU Bridge
Office
506 Chai Chee Lane, Singapore 469026
Certifications
CSRO Licensed · ISO 27001 · CREST Pathway+ · OSCP · CISSP · CISA
Markets served
Singapore · Australia · Global
Response time
Within 1 business day (SGT)
Confidentiality
All enquiries strictly confidential
Infracom Consultancy Integration Pte Ltd

Your one-stop IT & cybersecurity partner — Singapore HQ since 2008, expanding to Australia in 2026.


Consulting hours
Mon – Fri, 9AM – 6PM SGT

LinkedIn
© Infracom Consultancy Integration Pte Ltd. All rights reserved. · Privacy Policy