Understanding MTCS: A Guide for Organizations Evaluating Cloud Security

Cybersecurity Assessments | Cloud Computing

Published: Jan 29, 2026

Cloud computing has become foundational for how businesses and governments deliver services, store sensitive data, and scale operations. As organizations increasingly rely on third-party cloud providers, it is critical to have verifiable assurance that these providers implement robust security controls aligned with the sensitivity of the data and workloads they host.

In Singapore, one of the most structured approaches to cloud security assurance is Multi-Tiered Cloud Security (MTCS), formally Singapore Standard SS 584:2020 Specification for Multi-Tiered Cloud Computing Security. This standard provides a tiered, auditable framework for evaluating cloud service providers’ security practices.

As a U.S.-based MTCS certification body, we support organizations in navigating this framework and aligning with both Singapore’s regulatory requirements and international best practices. This guide explains what MTCS is, why it matters, and key considerations for compliance officers and cloud security teams.

What Is MTCS?

MTCS (SS 584) is a cloud security certification standard built around tiered levels of assurance. It was developed under Singapore’s Information Technology Standards Committee (ITSC) and is supported by the Infocomm Media Development Authority (IMDA) and Enterprise Singapore. The Singapore Accreditation Council (SAC) accredits certification bodies to ensure consistency and credibility in assessments.

MTCS incorporates principles from ISO/IEC 27001, including governance, risk management, operational controls, and continuous improvement, but it is specifically tailored for cloud environments. Unlike ISO 27001, which allows organizations to select applicable controls, MTCS provides prescriptive requirements organized into three tiered security levels, offering a standardized and auditable framework for cloud services. Certification bodies performing MTCS audits comply with ISO/IEC 17021, the international standard for management system certification, ensuring both technical rigor and global credibility.

Why Is MTCS Important?

MTCS provides tangible benefits for both cloud users and providers:

  • Clearer Security Benchmarks: Organizations can evaluate providers based on certified security tiers rather than relying solely on marketing claims.
  • Enhanced Risk Management: MTCS encourages adoption of structured governance, operational, and data protection practices across the cloud service lifecycle.
  • Transparency: Certified providers submit a self-disclosure form detailing the security controls implemented and how services are delivered.

While MTCS certification is optional for most providers, it is mandatory for providers bidding on bulk Singapore government cloud contracts. For organizations evaluating cloud providers, MTCS bridges the gap between general ISO 27001 compliance and the specific risks of cloud service delivery, providing a clear framework for assessing provider security posture.

The Three MTCS Security Levels

MTCS defines three progressive security levels, each building upon the previous one:

Level 1: Low-Impact Information Systems

Use cases: Public websites, test environments, non-production workloads, or non-confidential data.

Focus: Baseline security controls for low-impact systems and data.

Level 2: Moderate-Impact Information Systems

Use cases: Business applications handling personal data (PII), internal collaboration platforms, or systems with moderate regulatory requirements.

Focus: Enhanced controls addressing security risks for critical business data and personal information.

Level 3: High-Impact Information Systems

Use cases: Financial services systems, healthcare records, government applications, or other regulated workloads.

Focus: Comprehensive security and governance controls to address risks in high-impact, compliance-sensitive environments.

The MTCS Certification Process

The MTCS certification process provides a structured, auditable path for cloud service providers and informs organizational procurement decisions:

  1. Preparation (Optional): Providers may conduct a readiness assessment to identify gaps prior to formal audit.
  2. Scoping: Define the target tier and the specific services to be certified.
  3. Documentation: Complete the MTCS self-disclosure form detailing implemented controls and service characteristics.
  4. Audit: Conducted by an SAC-accredited certification body, in two stages:
    • Stage 1: Documentation review to confirm policies, procedures, and control design.
    • Stage 2: In-depth assessment of control implementation and operating effectiveness, covering technical, operational, and governance aspects.
  5. Certification: Upon successful assessment, the provider receives a certificate valid for three years, with annual surveillance audits, followed by a recertification.
  6. IMDA Listing (Optional): Providers may submit their certificate and self-disclosure form to IMDA to appear on the official MTCS registry.

Timeline: Certification duration varies depending on the provider’s security maturity and ISO 27001 alignment but typically spans several months.

Who Uses MTCS?

Although MTCS originated in Singapore, it is now pursued by regional and global cloud providers to meet local customer needs and regulatory expectations. Certification spans IaaS, PaaS, and SaaS offerings, providing a clear framework for risk-based provider selection.

Benefits for Cloud Providers:

  • Compliance with Singapore government cloud contract requirements.
  • Demonstrates independently validated security maturity.
  • Provides competitive differentiation in the market.

Benefits for Organizations Evaluating Providers:

  • Reduces due diligence effort through third-party validation.
  • Facilitates risk-aligned provider selection.
  • Supports regulatory and compliance obligations by providing verified assurance.

Evaluating MTCS-Certified Providers

When assessing providers:

  • Check IMDA’s official registry for certified providers, which lists the tier, certified services, certification body, and validity dates.
  • If a provider is not listed, request:
    • A copy of the SAC-accredited MTCS certificate
    • The MTCS self-disclosure form
    • Tier level and scope of certified services
    • Last surveillance audit date
    • Data residency and sovereignty details

Note: IMDA listing is optional. Certification should always be verified through the SAC-accredited certification body.

Moving Forward with MTCS

MTCS (SS 584) offers a tiered, standards-based approach to cloud security that combines governance, technical controls, and operational risk management. By aligning with ISO 27001 principles and adding cloud-specific assurance tiers, MTCS provides organizations and auditors with clarity, transparency, and confidence in evaluating cloud providers and selecting services appropriate for their risk profile.

For compliance officers and cybersecurity teams, MTCS represents a practical, auditable framework for secure cloud adoption and ongoing assurance of provider security practices. Contact us today to learn more about MTCS and its use cases and benefits.

About Steve Caruso

Steve Caruso is a Director with Schellman & Company, LLC. Prior to joining Schellman in May of 2018, Steve worked as a Senior Associate in a Big 4 audit firm specializing in Financial Audit IT (FAIT). Steve has over 10 years of experience serving clients in various industries, including manufacturing, healthcare, and consumer products. As a Director with Schellman, Steve Caruso is focused primarily on System and Organization Controls (SOC) for organizations across various industries.