CyberFundamentals Frequently Asked Questions (FAQ)

The certification authority of the CCB (NCCA) will verify if the substantiated statement of applicability (SoA) has the same level as the relevant CyFun® assurance level. The inclusion of CyFun® controls in the ISO/IEC 27001 Statement of Applicability remains a decision of the entity concerned.

In relation to the above the certification authority of the CCB (NCCA) will apply the deadlines set out in Art 22 of the RD of 09 June 2024:

• Within 18 months of the entry into force of the NIS2 law or the date of the identification referred to in Article 11 of the NIS2 law the scope of the ISMS and a substantiated statement of applicability (SoA) of the same level as stipulated in CyFun® Basic or CyFun® Important and
• Within 30 months an ISO/IEC 27001:2022 certification where the substantiated SoA has the same level as defined in CyFun® Important or Essential, depending on whether the entity is Important or Essential.

The definition of “substantiated” is as in ISO/IEC 27006-1:2024 clause 9.3.2.2 (f); the substantiation of the Statement of Applicability (SoA) has to allow the assessment of the effective implementation of the controls. Or in other words: There must be evidence that a control is implemented and is effective.

The aim is to create a level playing field for all entities registered in Belgium, whether they choose CyFun® or ISO/IEC 27001:2022. Given the specificity of CyFun® that has been endorsed by various stakeholders, the NCCA uses the measures identified in the respective assurance level of CyFun® to review the Statement of Applicability of an ISO/IEC 27001:2022 certified entity to ensure that equivalent controls are defined and implemented effectively. Here the NCCA will pay specific attention to the key measures defined in CyFun® as these measures are directly derived from cyber attacks taking place in Belgium.

As supervising authority, we are not allowed to advise on how the relationship between the relevant assurance level of CyberFundamentals and the ISO/IEC 2700:2022 SoA is made.

Exclusions in CyFun® could be specific CyFun® requirements where it is not feasible for the organisation to meet those CyFun® requirements. Because The premise of CyFun® is that one can fill in controls proportionally based on risk management, a conscious decision was made not to provide the possibility in the CyFun® self-assessment tool taking into account the unlikeliness of these motivated exclusions.

The non-application of a control is an ‘exception’ (‘exception’) as provided in the CyFun® Maturity Level Description (CyFun® Toolbox).

Documentation should verify that the exclusion is properly motivated,  documented and authorised by the organisation's senior management.

Implementation should verify that there is sufficient evidence of due diligence to demonstrate that the exclusion of a CyFun® control does not compromise compliance with specific legal, regulatory and/or contractual obligations.

The CyberFundamentals Framework is originally a Belgian framework, developed by the Centre for Cybersecurity Belgium (CCB) but built in such a way that it can be recognised at European level. A process that has now been initiated by BELAC. At the moment, CyFun® was only registered in legislation in Belgium in order to be able to assume, until proven otherwise, that the entity meets its NIS2 cybersecurity obligations (presumption of conformity). Meanwhile, the framework has been formally adopted by Romania. How it will be used in their operational rollout of NIS2 is under construction there. Other European countries also recognise the value of CyFun® (including France) and are looking at how they can recognise or even fully adopt this framework.

The CCB maintains the framework and all documents associated with the scheme as Primary Scheme Owner. This is contained in a formal procedure that enables the roll-out of CyFun® to other European countries.

CyFun® is designed to help organizations protect their data, reduce the risk of common cyber-attacks, and increase cyber resilience. Based on four commonly used cybersecurity frameworks (NIST CSF, ISO/IEC 27001, CIS Controls, and IEC 62443), it also uses anonymized historical data of successful cyber-attacks to  identify the different measures in the framework.

. The CyFun® Framework has a formal conformity assessment scheme and is focused on practical measures to identify, assess, and mitigate cybersecurity risks, with an emphasis on resilience and recovery from cyber incidents.

ISO/IEC 27001:2022 is an international standard for information security management systems (ISMS), providing a framework for managing and protecting information assets, that outlines requirements for establishing, implementing, maintaining, and continually improving an ISMS, aligned with other ISO management system standards.

The link between ISO/IEC 27001:2022 and CyFun® is made visible in the CyFun® mapping that is available online in the CyFun® Toolbox.

The following is a summary of what is described in detail in the CyFun® Conformity Assessment Scheme available online.

A Belgian legal entity  can opt for a verification assessment in order to obtain a label with associated QR code CyberFundamentals “Basic” or “Important”. In order to obtain and use the CyberFundamentals ‘Basic’ or ‘Important’ label, the entity must submit to the CCB the self-assessment that was verified and attested in a verification statement by the same accredited  Conformity Assessment Body (CAB).

When it comes to a CyberFundamentals ‘Essential’ label, the same procedure applies, but here it is based on a certification instead of a verification. In this case evidence of successful implementation of key measures must be submitted with the self-assessment. The evidence required for each key measure consists of an explanation (1-pager) with demonstrable evidence of how the measure has been rolled out.

In all cases, for each label application the CCB will check whether the requirements for each key measure have been met and whether the overall maturity level has been reached. The CCB certification authority may request additional information.

It is possible for Belgian entities to obtain a CyberFundamentals label based on an ISO/IEC 27001:2022 certificate. This certificate must be delivered to the CCB after which the CCB will verify eligibility in the same way as described in the respective rules for obtaining and using a CyberFundamentals label ‘Basic’, ‘Important’ or ‘Essential’, depending on what the entity requests. The certification authority of the CCB (NCCA) will verify that the substantiated statement of applicability (SoA) has the same level as the relevant CyFun® assurance level.

The scope of the conformity assessment, ISO/IEC 27001:2022 and CyFun®,  involves an organization as a whole, unless IT/OT environments are physically and/or technically separated. The separation shall be performed in such a way that the environments out of scope do not influence the risks of the environment in scope. In any case, this shall be clarified in the scope of the conformity assessment. Since the scope covers the entire organisation, the same applies to the Statement of Applicability foreseen in the ISO/IEC 27001:2022.

The CyberFundamentals Framework is a framework owned by the Centre for Cybersecurity Belgium (CCB), operating under the authority of the Prime Minister of Belgium. 

The acronym “CyFun” stands for “CyberFundamentals Framework” and is a registered trademark owned by the CCB.

The CyFun Framework and the CyberFundamentals Conformity Assessment Scheme (CAS) are available on www.cyfun.be.

The use of the acronym “CyFun” and/or parts of this document are authorised, as long as the source is clearly mentioned.

Any commercial use of CyFun is subject to a prior agreement with the CCB.