Last update: 29/03/2024

1. General

In support of the ‘CyberFundamentals Framework’ the Centre for Cybersecurity Belgium (CCB) has developed a tool in MS© Excel.

The self-assessment tool takes into account the requirements for assurance level 'Basic', assurance level 'Important' and assurance level 'Essential' of a specific version of the framework as well as the requirements identified in the Conformity Assessment Scheme (CAS). The versions of the CyberFundamentals framework and CAS with which the tool is aligned are identified in the tool. For this reason, the tool shall not be modified as part of any verification or certification activity.

The self-assessment tool is electronically available in English in the CyFun toolbox (www.cyfun.be).
 

2. Tool layout

The self-assessment tool in MS© Excel includes several tabs, each with its own function. Besides introduction, maturity levels and references, there are the tabs with the controls for assurance level ‘Basic’, ‘Important’ and ‘Essential’ (‘details’ tab) and for each assurance level a summary (‘summary’ tab).

The controls are assessed through two angles:

Policy Maturity: The Policy Maturity evaluation measures how well your written rules and procedures satisfy the controls of the CyberFundamentals Framework.
Implementation Maturity: The Implementation Maturity evaluation assesses how mature your actual operational practices are in relation to the CyberFundamentals Framework.

The table below shows the different maturity levels and the definitions used to assess maturity from both perspectives:

The image contains a table titled “Maturity Level” with four columns: “Maturity Level”, “Policy Maturity”, “Documentation Maturity”, and “Implementation Maturity”. The rows are titled “Repeatable”, “Defined”, and “Managed”.

 

The attached document provides a holistic description of the different CyberFundamentals Maturity levels and is meant as guidance during assessments.


3. Calculation method

A sub-category may consist of several controls and each of those controls shall be assessed for documentation and implementation according to the maturity table above. A value from 1 to 5 has to be entered per control in the "details" tab of the applicable assurance level. The tool calculates an arithmetic average for documentation and implementation per sub-category (e.g. ID.AM-1) to then calculate another arithmetic average for documentation and implementation per category (e.g. ID.AM).

These calculated values are visible in the ‘details’ tab of the applicable assurance level.
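The two-step averaging described above, as an added Python example (not the CCB tool's own formulas), which also shows that an average of sub-category averages can differ from a flat average over all controls of a category. The scores are constructed sample values, the function names are hypothetical, and the example stops at category level because the page does not state how documentation and implementation are combined into the total.

```python
from collections import defaultdict

# Constructed sample: sub-category -> one (documentation, implementation)
# score pair per control. IDs follow the page's ID.AM-1 pattern; values invented.
SAMPLE = {
    "ID.AM-1": [(4, 3), (2, 1), (3, 2)],
    "ID.AM-2": [(5, 4)],
    "PR.AC-1": [(3, 3), (4, 2)],
}

def _avg(values):
    values = list(values)
    return sum(values) / len(values)

def validate(scores):
    """Reject empty sub-categories and values outside the 1-5 scale."""
    for sub, controls in scores.items():
        if not controls:
            raise ValueError(f"{sub}: no controls scored")
        for pair in controls:
            if len(pair) != 2 or any(not 1 <= v <= 5 for v in pair):
                raise ValueError(f"{sub}: invalid score pair {pair!r}")

def subcategory_averages(scores):
    """Step 1: arithmetic average per sub-category, per dimension."""
    validate(scores)
    return {sub: (_avg(d for d, _ in c), _avg(i for _, i in c))
            for sub, c in scores.items()}

def category_averages(scores):
    """Step 2: average of the sub-category averages, per category."""
    grouped = defaultdict(list)
    for sub, pair in subcategory_averages(scores).items():
        grouped[sub.rsplit("-", 1)[0]].append(pair)  # "ID.AM-1" -> "ID.AM"
    return {cat: (_avg(d for d, _ in p), _avg(i for _, i in p))
            for cat, p in grouped.items()}

def flat_category_averages(scores):
    """For comparison only: average over all controls of a category directly."""
    validate(scores)
    grouped = defaultdict(list)
    for sub, controls in scores.items():
        grouped[sub.rsplit("-", 1)[0]].extend(controls)
    return {cat: (_avg(d for d, _ in c), _avg(i for _, i in c))
            for cat, c in grouped.items()}

if __name__ == "__main__":
    flat = flat_category_averages(SAMPLE)
    for cat, (doc, impl) in category_averages(SAMPLE).items():
        print(f"{cat}: two-step doc={doc:.2f} impl={impl:.2f} | flat {flat[cat]}")
```

In the sample, the single well-scored control in ID.AM-2 carries the same weight as the three controls in ID.AM-1, so the two-step category value for ID.AM is higher than the flat average.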

4. Summary report

The ‘summary’ tab for the respective CyberFundamentals assurance levels contains:

  1. An overall maturity level (‘Total Maturity Level’) calculated as an arithmetic mean of the maturity levels of the categories.
  2. A summary of the different maturity levels for each category, using the arithmetic averages calculated in the ‘details’ tab.
  3. A listing of the key measures to be met, the data for which is taken from the values entered in the ‘details’ tab.
  4. A radar chart (spider chart) is also displayed based on the data from the summary of categories.

Determining conformity with the Conformity Assessment Scheme (CAS)

The overview includes the target scores as determined for the specific assurance levels as described in the CAS. It is against these target scores that the values of the self-assessment are assessed.

Values coloured red do not conform to the required maturity level; values coloured green do conform.

The Conformity Assessment Scheme (CAS) is under discussion with the National Accreditation Body, BELAC.

Feedback regarding the tool can be sent to certification@ccb.belgium.be

5. User Instructions

A clear operating instruction is available via the link below.