Computer Misuse Act (CMA): Primary legislation in Singapore that criminalizes unauthorized access and modification of computer material, requiring explicit authorization for penetration testing activities
Personal Data Protection Act (PDPA): Legislation governing the collection, use, disclosure, and care of personal data, which must be considered when handling data during VAPT activities
Cybersecurity Act 2018: Framework for the protection of Critical Information Infrastructure (CII) in Singapore, establishing requirements for cybersecurity assessments and incident reporting
Criminal Law (Temporary Provisions) Act: Relevant for certain aspects of cybersecurity investigations and handling of potential criminal activities discovered during testing
MAS Technology Risk Management Guidelines: Regulatory guidelines specifically for financial institutions, providing requirements for technology risk management including penetration testing
MAS Notice 644: Specific notice on Technology Risk Management requirements for banks, including requirements for security testing and assessments
Singapore's Cybersecurity Code of Practice: Provides practical guidance on cybersecurity measures and best practices for organizations in Singapore
PDPC's Advisory Guidelines: Detailed guidance on compliance with PDPA requirements in various contexts, including security testing
ISO/IEC 27001: International standard for information security management systems, providing framework for security testing and assessments
NIST Cybersecurity Framework: Internationally recognized framework providing standards, guidelines, and best practices for managing cybersecurity risk
OWASP Testing Guide: Industry-standard guide for web application security testing, providing methodologies and best practices
PCI DSS: Payment Card Industry Data Security Standard requirements for organizations handling payment card data, including specific testing requirements
Authorization Requirements: Legal requirement for documented scope and explicit authorization from system owners before conducting VAPT activities
Data Protection Requirements: Legal obligations regarding handling of personal data during testing, including breach notification and data disposal requirements
Testing Boundaries Documentation: Legal requirement to clearly define and document scope limitations, prohibited activities, and emergency procedures
Reporting Obligations: Legal requirements for incident reporting, documentation, and retention of testing evidence
Professional Liability Considerations: Legal requirements regarding insurance, limitation of liability, and indemnification clauses for VAPT activities
