Frequently Asked Questions


What is the CSM27001 Scheme?
The CSM27001 Scheme provides a model for certifying organisations' ISMS scopes against the internationally recognised MS ISO/IEC 27001 standard.

Who is the certification body for CSM27001 Scheme?
CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation.


Is MS ISO/IEC 27001 an internationally recognised standard?
Yes. "IDT" on the front cover indicates an identical standard, i.e. a Malaysian Standard whose technical content, structure, and wording are exactly the same as in the International Standard (or which is an identical translation of it), or which is identical in technical content and structure although it may contain the minimal editorial changes specified in clause 4.2 of ISO/IEC Guide 21-1.


What are the benefits of the certification?
Please read our Benefit page.


What are the steps towards achieving certification?
Please read our Services to find out the certification steps.


How much is the certification fee?
The total certification fee involves the professional fee, the number of auditors involved and the number of audit days. It will vary depending on the client's certification requirements.


What other fees are involved apart from the certification fee?
Application Fee and Annual Fee (for successful clients).


How much is the Application Fee?
RM 500 per application. The application is considered unsuccessful when a formal rejection letter is received from CyberSecurity Malaysia; after which the organisation has to submit a fresh application.


Who can apply for the CSM27001 Scheme certification?
Organisations that have implemented ISO/IEC 27001 can apply for the CSM27001 certification.


How much is the Annual Fee?
RM 1000 upon successful initial certification.


When should the Application Fee and Annual Fee be paid?
The Application Fee should be paid together with the submission of the Application Form. The Annual Fee should be paid prior to receiving the certificate.


How does the certification body handle complaints?
Please read our Appeal, Disputes and Complaints procedure.


What services does the CSM27001 Scheme offer?
Please read our Services to find out more.


How do I know it is time for Surveillance audit?
An annual surveillance audit is required, for which the certified client organisation will be prompted by the certification body.


What is the validity period of the certificate?
Three (3) years, after which, the client organisation will be prompted for a re-certification audit.


How do I comply with the certification mark usage rules?
Please contact us at to get a copy of the certification mark usage rules.


How do I confirm whether CyberSecurity Malaysia is an accredited certification body?
CyberSecurity Malaysia is listed under the Directory of Accredited Certification Bodies at


Will I be entitled to a single or double tax deduction?
Clients of CyberSecurity Malaysia are eligible for a double tax deduction for their Initial Certification fee, and single tax deduction for their Surveillance and Recertification fees.