Multi-Tier Cloud Security (MTCS) Standard for Singapore

MTCS overview

The Multi-Tier Cloud Security (MTCS) Standard for Singapore was prepared under the direction of the Information Technology Standards Committee (ITSC) of the Infocomm Development Authority of Singapore (IDA). The ITSC promotes and facilitates national programs to standardize IT and communications, and Singapore's participation in international standardization activities.

The purpose of the MTCS is to provide:

  • A common standard that cloud service providers (CSPs) can apply to address customer concerns about the security and confidentiality of data in the cloud, and the impact on businesses of using cloud services.
  • Verifiable operational transparency and visibility into risks to the customer when they use cloud services.

The MTCS builds upon recognized international standards such as ISO/IEC 27001, and covers such areas as data retention, data sovereignty, data portability, liability, availability, business continuity, disaster recovery, and incident management. It also includes a mechanism for customers to benchmark and rank the capabilities of CSPs against a set of minimum baseline security requirements.

MTCS is the first cloud security standard with different levels of security, so certified CSPs can specify which levels they offer. MTCS includes a total of 535 controls, covering basic security in Level 1, more stringent governance and tenancy controls in Level 2, and reliability and resiliency for high-impact information systems in Level 3.

Microsoft and MTCS

After rigorous assessments conducted by the MTCS Certification Body, Microsoft cloud services received MTCS 584:2013 certification across all three service classifications — Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Microsoft was the first global CSP to receive this certification across all three classifications.

Certifications were granted at Level 3 for Microsoft Azure services (IaaS and PaaS), Microsoft Dynamics 365 services (SaaS), and Microsoft Office 365 services (SaaS). A Level 3 certification means that in-scope Microsoft cloud services can host high-impact data for regulated organizations with the strictest security requirements. It's required for certain cloud solution implementations by the Singapore government.

Microsoft in-scope cloud platforms & services

  • Azure
  • Dynamics 365 online services (Business Central, Commerce, Customer Service, Field Service, Finance, Fraud Protection, Marketing, Sales, Supply Chain Management)
  • Genomics
  • Intune
  • Microsoft Defender for Cloud Apps
  • Microsoft Graph
  • Microsoft Healthcare Bot
  • Office 365
  • OMS Service Map
  • PowerApps
  • Power BI

Office 365 and MTCS

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Delve, Exchange Online, Exchange Online Protection Loki, Microsoft Teams, Office 365 Customer Portal, Office Online, Office Service Infrastructure, SharePoint Online, Skype for Business

Audits, reports, and certificates

Certification is valid for three years, with a yearly surveillance audit to be conducted.

Microsoft MTCS certification

Microsoft MTCS cloud service provider disclosure

Frequently asked questions

To whom does the standard apply?

It applies to businesses in Singapore that purchase cloud services requiring compliance with the MTCS standard.

What are the differences between MTCS security levels?

MTCS has a total of 535 controls that cover three levels of security:

  • Level 1 is low cost, with a minimum number of required baseline security controls. It is suitable for web site hosting, test and development work, simulation, and noncritical business applications.
  • Level 2 addresses the needs of most organizations that are concerned about data security, with a set of more stringent controls targeted at security risks and threats to data. Level 2 is applicable for most cloud usage, including mission-critical business applications.
  • Level 3 is designed for regulated organizations with specific requirements and those willing to pay for stricter security requirements. Level 3 adds a set of security controls to supplement those in Levels 1 and 2. They address security risks and threats in high-impact information systems using cloud services, such as hosting applications with sensitive information and in regulated systems.

Where do I start with my organization's own compliance effort?

The MTCS Certification Scheme provides guidance on audit controls and security requirements.

Can I use Microsoft's compliance in my organization's certification process?

Yes. If you have a requirement to certify your services built on these Microsoft cloud services, you can use the MTCS certification to reduce the impact of auditing your IT infrastructure, if it relies on them. However, you are responsible for engaging an assessor to evaluate your implementation for compliance, and for the controls and processes within your own organization.

Use Microsoft Compliance Manager to assess your risk

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.

Resources