New Singapore Advisory Guidelines for Data Centres


On 25 February 2025, the Infocomm Media Development Authority (“IMDA”) of Singapore issued advisory guidelines aimed at enhancing the resilience and security of Singapore’s digital infrastructure, a key component underpinning Singapore’s digital economy. The Advisory Guidelines for Resilience and Security of Data Centres (“Data Centre Guidelines”) provide data centre operators (“DCOs”) with guidance on and best practices for managing their respective risks and ensuring business continuity. While compliance with the Guidelines is not mandatory, DCOs are encouraged to adhere to the measures set out.

The Data Centre Guidelines

A. Key Risks for Data Centres

The Guidelines identify 3 main areas of risks for data centres (“DCs”).

Infrastructure Risk

The first main area is infrastructure risk, stemming from defects in the design of DCs’ physical infrastructure. Key infrastructure risks include inadequacies in power management, environmental control management, cable management, as well as insufficient facilities/tenant space protection and building site and design suitability.

Governance Risk

The second main area is governance risk, stemming from insufficient oversight of a DC’s operations. Key governance risks include insufficiencies in operations management, incident management and change management.

Cyber Risk

The third main area is cyber risk to the operations and controls of the DC, a risk which will only become more acute as the sophistication and complexity of cyberthreats grow.

As protecting against these risks is crucial to the resilience and security of digital infrastructure, the Data Centre Guidelines recognise that a whole-of-organisation approach should be taken, led by a senior representative who has been designated to take charge of the organisational effort.

B. Development of Business Continuity Management Systems

DCOs are encouraged to establish and administer business continuity management systems (“BCMS”) that guard against unpredicted incidents and preserve the provision of critical services during incidents. Reference may be taken from international standards, such as the ISO 22301 and TIA-942, for examples of measures that may be adopted. DCOs should continually adhere to a cycle of processes defined as Plan, Do, Check and Act.

The “Plan” phase, in which DCOs establish the objectives, policies, procedures and processes necessary to achieve business continuity, sets out the scope and structure of the BCMS, obtains management support and identifies the critical products and services to be protected from business disruptions.

The “Do” phase, in which DCOs implement and operate the BCMS, involves several steps for understanding, planning for and testing business continuity events. Steps include conducting prior business impact analyses to identify critical business functions and the effects of their disruption, conducting risk assessments to identify potential threats and vulnerabilities, and implementing strategies and solutions to prevent or mitigate service disruptions.

The “Check” phase, in which DCOs monitor and measure their BCMS’ performance against their set goals and compliance with the set standards, requires the setting of key performance indicators for measuring effectiveness as well as the conduct of regular appraisals to identify and rectify gaps. Crucially, the results of the assessment should be reviewed by the top management to ensure the continued relevance and suitability of the BCMS.

The “Act” phase, in which DCOs take both preventive and corrective actions to improve the efficacy of their BCMS, involves updating and improving the BCMS in line with the findings of the top management’s review. In this regard, DCOs should stay informed about emerging threats and technologies that could lead to service interruptions and adjust their BCMS as needed.

C. Additional Measures for Managing Cyber Risks

The Data Centre Guidelines further highlight a suite of cybersecurity control measures that DCOs may implement to safeguard DCs’ networks and protect their operations. Such measures include:

  • Creating and maintaining Information Security Management Systems with clearly defined roles and responsibilities.
  • Employee and third-party control measures, including performing background checks, ensuring that parties understand responsibilities, and implementing training programs.
  • Conducting due diligence on third-party service providers and ensuring their compliance with internal controls.
  • Applying secure configurations, conducting security testing, and maintaining audit trails to uphold network and system security.
  • Using encryption and secure cryptographic key management to protect sensitive information against unauthorised activity.
  • Enforcing policies for privileged accounts, segregating duties, and implementing network segmentation.

Conclusion

It is imperative that DCOs continually improve their security and resilience measures to keep abreast of potential threats and maintain the reliability of Singapore’s digital infrastructure. The Data Centre Guidelines provide detailed frameworks for DCOs to enhance their security posture and ensure business continuity. Whilst these recommendations are not mandatory, they clearly signal the expectations of the regulator, and DCOs should therefore review their operations and processes for compliance with these guidelines.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the Data Centre Guidelines; the information, content and materials set out above are based on our reading of the Data Centre Guidelines and are for general informational purposes only.