Singapore MAS TRM Guidelines

Singapore

15 domains

59 controls

Monetary Authority of Singapore Technology Risk Management Guidelines (Jan 2021 revision).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (15)

Access Control

4 controls

Controls in the Access Control domain of Singapore MAS TRM Guidelines — 4 controls
Code	Title	Description
TRM-12.1	Identity and Access Management Framework	An IAM framework must govern user provisioning, authentication, authorisation, recertification, and deprovisioning acros...
TRM-12.2	Privileged Access Management	Privileged accounts must be inventoried, vaulted, accessed via just-in-time elevation, monitored with session recording,...
TRM-12.3	Multi-Factor Authentication	Multi-factor authentication must be enforced for remote access, privileged users, and access to sensitive systems, using...
TRM-12.4	User Access Review	User entitlements must be reviewed periodically by business owners with timely revocation of inappropriate access and ev...

Cyber Security

7 controls

Controls in the Cyber Security domain of Singapore MAS TRM Guidelines — 7 controls
Code	Title	Description
TRM-11.1	Cyber Security Strategy and Governance	A cyber security strategy aligned to business objectives must be approved by senior management, with a dedicated cyber f...
TRM-11.2	Cyber Threat Intelligence and Information Sharing	Threat intelligence from internal and external sources must be ingested, analysed, and used to inform defensive and dete...
TRM-11.3	Cyber Security Operations	A 24x7 security operations capability must monitor, detect, and respond to cyber threats with documented playbooks, esca...
TRM-11.4	Cyber Incident Response	Cyber incident response capability must include preparation, detection, containment, eradication, recovery, and lessons...
TRM-11.5	Cyber Exercises and Red Teaming	Cyber resilience must be tested through scenario-based exercises, red team engagements, and adversary emulation aligned...
TRM-11.6	Cyber Awareness and Training	All staff including third parties must receive cyber awareness training on induction and at least annually with phishing...
TRM-11.7	DDoS Protection	Internet-facing services must be protected against distributed denial of service attacks through scrubbing, rate limitin...

Cyber Security Operations

2 controls

Controls in the Cyber Security Operations domain of Singapore MAS TRM Guidelines — 2 controls
Code	Title	Description
TRM-16.1	Logging and Monitoring	Security and operational logs must be generated, centralised, protected from tampering, retained per policy, and monitor...
TRM-16.2	Time Synchronisation	All systems must synchronise to authoritative time sources to support accurate logging, forensic analysis, and transacti...

Data and Infrastructure Security

6 controls

Controls in the Data and Infrastructure Security domain of Singapore MAS TRM Guidelines — 6 controls
Code	Title	Description
TRM-10.1	Data Classification and Protection	Data must be classified according to sensitivity and protected with controls commensurate with classification including...
TRM-10.2	Encryption and Cryptographic Key Management	Cryptographic controls must protect sensitive data at rest and in transit using approved algorithms with secure key mana...
TRM-10.3	Network Security	Networks must be segmented based on trust zones with perimeter and internal controls including firewalls, IPS, and secur...
TRM-10.4	Endpoint Security	Endpoint devices must be protected with anti-malware, EDR, host firewalls, and configuration controls with central manag...
TRM-10.5	Wireless Network Security	Wireless networks must use strong authentication and encryption with corporate and guest networks segregated, and rogue...
TRM-10.6	Database Security	Databases storing sensitive data must enforce least privilege access, encryption, activity monitoring, and protection ag...

IT Audit

2 controls

Controls in the IT Audit domain of Singapore MAS TRM Guidelines — 2 controls
Code	Title	Description
TRM-14.1	IT Audit Function	Internal audit must include sufficient IT and cyber competence to provide independent assurance over technology risk and...
TRM-14.2	Audit Findings and Remediation	Audit findings must be tracked through to remediation with management responses, agreed dates, and validation by audit p...

IT Governance

3 controls

Controls in the IT Governance domain of Singapore MAS TRM Guidelines — 3 controls
Code	Title	Description
TRM-3.1	Board and Senior Management Oversight	The board of directors and senior management must establish sound and robust technology risk governance with clear accou...
TRM-3.2	Technology Risk Management Framework	The financial institution must implement an enterprise technology risk management framework covering identification, ass...
TRM-3.3	Roles and Responsibilities	Roles and responsibilities for managing technology risks must be clearly defined and segregated across business, IT, ris...

IT Operations

5 controls

Controls in the IT Operations domain of Singapore MAS TRM Guidelines — 5 controls
Code	Title	Description
TRM-9.1	IT Operations Management	IT operations must be governed by documented procedures covering daily monitoring, batch processing, scheduling, and ope...
TRM-9.2	Patch Management	Security patches must be assessed, tested, and deployed within risk-based timeframes with critical patches applied promp...
TRM-9.3	Vulnerability Management	Vulnerabilities must be identified through regular scanning and threat intelligence, prioritised by risk, and remediated...
TRM-9.4	System Hardening	Operating systems, databases, network devices, and applications must be hardened against documented baselines and audite...
TRM-9.5	Privileged Access Workstations and Jump Servers	Administrative access to production systems must be performed only from hardened workstations or jump servers with stron...

IT Project Management

2 controls

Controls in the IT Project Management domain of Singapore MAS TRM Guidelines — 2 controls
Code	Title	Description
TRM-5.1	IT Project Management	Major IT projects must follow a structured project management methodology with defined gates, risk reviews, and post-imp...
TRM-5.2	Quality Assurance and Testing	Quality assurance and testing standards must apply throughout the project lifecycle including unit, integration, securit...

IT Resilience

4 controls

Controls in the IT Resilience domain of Singapore MAS TRM Guidelines — 4 controls
Code	Title	Description
TRM-8.1	Systems Reliability and Availability	Critical systems must meet defined availability targets with redundancy, failover, and continuous monitoring of system p...
TRM-8.2	Business Continuity and Disaster Recovery	Business continuity and disaster recovery plans must be documented, tested at least annually, and aligned to defined RTO...
TRM-8.3	Data Backup and Recovery	Critical data must be backed up regularly, stored securely off-site or in segregated zones, and restoration tested perio...
TRM-8.4	Crisis Management and Communication	A crisis management plan with internal and external communication procedures must be in place and exercised regularly.

IT Service Management

6 controls

Controls in the IT Service Management domain of Singapore MAS TRM Guidelines — 6 controls
Code	Title	Description
TRM-7.1	IT Service Management Framework	An IT service management framework aligned to recognised standards must cover incident, problem, change, release, config...
TRM-7.2	Change Management	Changes to IT systems must follow a formal change management process with risk assessment, approval, testing, scheduling...
TRM-7.3	Incident Management	IT incidents must be detected, recorded, classified, escalated, and resolved according to defined SLAs with root cause a...
TRM-7.4	Problem Management	Recurring incidents must be analysed to identify root causes and implement permanent fixes through structured problem ma...
TRM-7.5	Capacity Management	IT capacity must be planned, monitored, and adjusted to meet current and future business demand with thresholds and fore...
TRM-7.6	Configuration and Asset Management	All IT assets and configurations must be inventoried in a CMDB with ownership, criticality, and dependencies maintained...

Online Financial Services

3 controls

Controls in the Online Financial Services domain of Singapore MAS TRM Guidelines — 3 controls
Code	Title	Description
TRM-13.1	Online Financial Services Security	Online financial services must implement strong customer authentication, transaction monitoring, anti-fraud controls, an...
TRM-13.2	Mobile Application Security	Mobile financial applications must include anti-tamper, root and jailbreak detection, secure storage, certificate pinnin...
TRM-13.3	Payment Card and Transaction Security	Card data and payment transactions must be protected through tokenisation, end-to-end encryption, and compliance with ap...

Regulatory Notice

4 controls

Controls in the Regulatory Notice domain of Singapore MAS TRM Guidelines — 4 controls
Code	Title	Description
TRM-NOTICE-1	Notice on Technology Risk Management Compliance	Financial institutions must comply with the legally binding MAS Notice on Technology Risk Management including system av...
TRM-NOTICE-2	Critical System Unscheduled Downtime	Unscheduled downtime of critical systems must not exceed 4 hours within any 12 month rolling period, with incidents noti...
TRM-NOTICE-3	Recovery Time Objective for Critical Systems	Recovery time objective for critical systems must not exceed 4 hours, and the institution must be able to demonstrate th...
TRM-NOTICE-4	Reporting of Relevant Incidents	Relevant incidents including breaches of personal data, cyber attacks, and system failures with customer impact must be...

Systems Acquisition and Development

5 controls

Controls in the Systems Acquisition and Development domain of Singapore MAS TRM Guidelines — 5 controls
Code	Title	Description
TRM-6.1	Systems Development Life Cycle	A documented SDLC must govern in-house and outsourced software development covering requirements, design, build, test, d...
TRM-6.2	Secure Coding Standards	Secure coding standards aligned to recognised industry practices must be enforced with developer training and automated...
TRM-6.3	Application Security Testing	Applications must undergo security assessments including vulnerability scans and penetration tests prior to production d...
TRM-6.4	Source Code Review and Repository Security	Source code must be securely stored, version-controlled, and reviewed by independent parties before promotion to product...
TRM-6.5	API Security	APIs must be designed with security controls including authentication, authorisation, rate limiting, input validation, a...

Technology Risk Management

3 controls

Controls in the Technology Risk Management domain of Singapore MAS TRM Guidelines — 3 controls
Code	Title	Description
TRM-4.1	Technology Risk Identification and Assessment	The institution must identify and assess technology risks systematically using qualitative and quantitative methods alig...
TRM-4.2	Risk Treatment and Mitigation	Risks identified must be treated through avoidance, mitigation, transfer, or acceptance with documented rationale and ap...
TRM-4.3	Risk Monitoring and Reporting	Ongoing monitoring of technology risks and timely reporting to senior management and the board must be maintained with K...

Third Party Risk

3 controls

Controls in the Third Party Risk domain of Singapore MAS TRM Guidelines — 3 controls
Code	Title	Description
TRM-15.1	Third Party and Vendor Risk Management	Third parties providing technology services must be assessed before engagement and monitored throughout the relationship...
TRM-15.2	Cloud Services Risk Management	Cloud services must be governed through risk assessments aligned to data sensitivity and criticality, with shared-respon...
TRM-15.3	Outsourcing of Material Technology Services	Material outsourcing must comply with MAS outsourcing guidelines including board approval, due diligence, exit planning,...

Frequently Asked Questions

What is Singapore MAS TRM Guidelines?

Singapore MAS TRM Guidelines is a compliance framework from Singapore with 15 domains and 59 controls. Monetary Authority of Singapore Technology Risk Management Guidelines (Jan 2021 revision). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Singapore MAS TRM Guidelines have?

Singapore MAS TRM Guidelines has 59 controls organised across 15 domains. The largest domains are Cyber Security (7 controls), Data and Infrastructure Security (6 controls), IT Service Management (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Singapore MAS TRM Guidelines map to?

Singapore MAS TRM Guidelines does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with Singapore MAS TRM Guidelines compliance?

Start your Singapore MAS TRM Guidelines compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Singapore MAS TRM Guidelines requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 59 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required