  • Do the CyFun® controls need to be included in the ISO/IEC 27001 Statement of Applicability to serve as an aid in establishing presumption of conformity under Belgian NIS legislation?

    The certification authority of the CCB (NCCA) will verify if the substantiated statement of applicability (SoA) has the same level as the relevant CyFun® assurance level. The inclusion of CyFun® controls in the ISO/IEC 27001 Statement of Applicability remains a decision of the entity concerned.

    In relation to the above, the certification authority of the CCB (NCCA) will apply the deadlines set out in Art 22 of the RD of 09 June 2024:

    • Within 18 months of the entry into force of the NIS2 law or of the date of the identification referred to in Article 11 of the NIS2 law, the scope of the ISMS and a substantiated statement of applicability (SoA) of the same level as stipulated in CyFun® Basic or CyFun® Important, and
    • Within 30 months, an ISO/IEC 27001:2022 certification where the substantiated SoA has the same level as defined in CyFun® Important or Essential, depending on whether the entity is Important or Essential.

  • What is meant by a “substantiated” statement of applicability (SoA)?

    The definition of “substantiated” is as in ISO/IEC 27006-1:2024 clause 9.3.2.2 (f): the substantiation of the Statement of Applicability (SoA) has to allow the assessment of the effective implementation of the controls. In other words, there must be evidence that a control is implemented and is effective.

  • What does it mean in practice when it is stated that "a substantiated SoA has the same level as defined by CyFun® Basic, Important, or Essential"?

    The aim is to create a level playing field for all entities registered in Belgium, whether they choose CyFun® or ISO/IEC 27001:2022. Given the specificity of CyFun® that has been endorsed by various stakeholders, the NCCA uses the measures identified in the respective assurance level of CyFun® to review the Statement of Applicability of an ISO/IEC 27001:2022 certified entity to ensure that equivalent controls are defined and implemented effectively. Here the NCCA will pay specific attention to the key measures defined in CyFun® as these measures are directly derived from cyber attacks taking place in Belgium.

    As supervising authority, we are not allowed to advise on how the relationship between the relevant assurance level of CyberFundamentals and the ISO/IEC 27001:2022 SoA is made.

  • Are ‘exclusions’ possible in CyFun®?

    Exclusions in CyFun® could be specific CyFun® requirements that it is not feasible for the organisation to meet. Because the premise of CyFun® is that controls can be filled in proportionally based on risk management, and because such motivated exclusions are unlikely, a conscious decision was made not to provide for them in the CyFun® self-assessment tool.

    The non-application of a control is an ‘exception’ as provided in the CyFun® Maturity Level Description (CyFun® Toolbox).

    The documentation check should verify that the exclusion is properly motivated, documented and authorised by the organisation's senior management.

    The implementation check should verify that there is sufficient evidence of due diligence to demonstrate that the exclusion of a CyFun® control does not compromise compliance with specific legal, regulatory and/or contractual obligations.

  • Is CyFun® accepted EU-wide?

    The CyberFundamentals Framework is originally a Belgian framework, developed by the Centre for Cybersecurity Belgium (CCB), but built in such a way that it can be recognised at European level; that recognition process has now been initiated by BELAC. At the moment, CyFun® is only registered in legislation in Belgium, in order to be able to assume, until proven otherwise, that the entity meets its NIS2 cybersecurity obligations (presumption of conformity). Meanwhile, the framework has been formally adopted by Romania; how it will be used in Romania's operational rollout of NIS2 is still being worked out. Other European countries (including France) also recognise the value of CyFun® and are looking at how they can recognise or even fully adopt this framework.

    The CCB maintains the framework and all documents associated with the scheme as Primary Scheme Owner. This is contained in a formal procedure that enables the roll-out of CyFun® to other European countries.

  • What are the differences between ISO/IEC 27001:2022 and CyFun®?

    CyFun® is designed to help organizations protect their data, reduce the risk of common cyber-attacks, and increase cyber resilience. Based on four commonly used cybersecurity frameworks (NIST CSF, ISO/IEC 27001, CIS Controls, and IEC 62443), it also uses anonymized historical data of successful cyber-attacks to identify the different measures in the framework.

    The CyFun® Framework has a formal conformity assessment scheme and is focused on practical measures to identify, assess, and mitigate cybersecurity risks, with an emphasis on resilience and recovery from cyber incidents.

    ISO/IEC 27001:2022 is an international standard for information security management systems (ISMS). It provides a framework for managing and protecting information assets and outlines the requirements for establishing, implementing, maintaining, and continually improving an ISMS, aligned with other ISO management system standards.

    The link between ISO/IEC 27001:2022 and CyFun® is made visible in the CyFun® mapping that is available online in the CyFun® Toolbox.

  • How can an entity obtain a CyFun® label?

    The following is a summary of what is described in detail in the CyFun® Conformity Assessment Scheme available online.

    A Belgian legal entity can opt for a verification assessment in order to obtain a label with associated QR code CyberFundamentals “Basic” or “Important”. In order to obtain and use the CyberFundamentals ‘Basic’ or ‘Important’ label, the entity must submit to the CCB the self-assessment that was verified and attested in a verification statement by the same accredited Conformity Assessment Body (CAB).

    When it comes to a CyberFundamentals ‘Essential’ label, the same procedure applies, but here it is based on a certification instead of a verification. In this case evidence of successful implementation of key measures must be submitted with the self-assessment. The evidence required for each key measure consists of an explanation (1-pager) with demonstrable evidence of how the measure has been rolled out.

    In all cases, for each label application the CCB will check whether the requirements for each key measure have been met and whether the overall maturity level has been reached. The CCB certification authority may request additional information.

    It is possible for Belgian entities to obtain a CyberFundamentals label based on an ISO/IEC 27001:2022 certificate. This certificate must be delivered to the CCB after which the CCB will verify eligibility in the same way as described in the respective rules for obtaining and using a CyberFundamentals label ‘Basic’, ‘Important’ or ‘Essential’, depending on what the entity requests. The certification authority of the CCB (NCCA) will verify that the substantiated statement of applicability (SoA) has the same level as the relevant CyFun® assurance level.

  • What is the scope of conformance assessment that an entity must respect under BE NIS2?

    The scope of the conformity assessment, ISO/IEC 27001:2022 and CyFun®, involves an organization as a whole, unless IT/OT environments are physically and/or technically separated. The separation shall be performed in such a way that the environments out of scope do not influence the risks of the environment in scope. In any case, this shall be clarified in the scope of the conformity assessment. Since the scope covers the entire organisation, the same applies to the Statement of Applicability foreseen in ISO/IEC 27001:2022.

  • Can I reuse the CyFun Framework for commercial purposes?

    The CyberFundamentals Framework is a framework owned by the Centre for Cybersecurity Belgium (CCB), operating under the authority of the Prime Minister of Belgium. 

    The acronym “CyFun” stands for “CyberFundamentals Framework” and is a registered trademark owned by the CCB.

    The CyFun Framework and the CyberFundamentals Conformity Assessment Scheme (CAS) are available on www.cyfun.be.

    The use of the acronym “CyFun” and/or parts of this document is authorised, as long as the source is clearly mentioned.

    Any commercial use of CyFun is subject to a prior agreement with the CCB.

  • What elements have to be provided to the CCB in order to obtain a CyFun® label “Basic” or “Important” using an ISO/IEC 27001:2022 certificate?

    The elements below are identified in the CyFun® Conformity Assessment Scheme. This document is available on www.cyfun.be.

    • The ISO/IEC 27001:2022 certificate issued by an accredited CAB.
    • The Statement of Applicability that is linked with the provided ISO/IEC 27001:2022 certificate.
    • A clear statement that the level of assurance for which the applicant wants to obtain a label is “Basic” or “Important” (foreseen in the tool).
    • The Statement of Applicability that is part of the ISO/IEC 27001:2022 certification must include the requirements of the CyberFundamentals assurance level “Basic” or “Important”. This can be proven through a mapping.
    • Evidence of successful implementation of all key measures.

    Although the CyFun® Conformity Assessment Scheme does not impose a specific format for the evidence to be provided, it must enable the assessment of the effective implementation of the key measures.

    The CCB Certification Authority can request additional information.

  • What elements have to be provided to the CCB in order to obtain a CyFun® label “Essential” using an ISO/IEC 27001:2022 certificate?

    The elements below are identified in the CyFun® Conformity Assessment Scheme. This document is available on www.cyfun.be.

    • ISO/IEC 27001:2022 certificate issued by an accredited CAB.
    • The Statement of Applicability that is linked with the provided ISO/IEC 27001:2022 certificate.
    • A clear statement that the level of assurance for which the applicant wants to obtain a label is ‘Essential’ (foreseen in the tool).
    • The Statement of Applicability that is part of the ISO/IEC 27001:2022 certification must include the requirements of the CyberFundamentals assurance level Essential. This can be proven through a mapping.
    • Evidence of successful implementation of all key measures through an explanation (1-pager) with demonstrable evidence of how the measure has been rolled out.

    The CCB Certification Authority can request additional information.

  • What would be the practical implementation of the requirement CyFun®2023 ID.BE-1.1 / CyFun®2025 GV.OC-05.1 “The organization’s role in the supply chain, downstream and upstream, shall be identified, documented, and communicated” (CyFun® Important)?

    The following is a non-exhaustive list of possible elements that provide evidence that an organization understands and manages its supply chain effectively:

    1. Documentation of supplier and customer lists

    Documentation in a controlled manner (version control, approval, etc.) of lists of all upstream (raw material suppliers, component manufacturers, service providers, etc.) and downstream (customers) organisations, further detailed with the services provided, possibilities, products and items that each supplier provides.

    2. Visualisation of the supply chain

    Creation of a visualisation of the supply chain (e.g. in a MindMap) that shows the flow of goods and services from suppliers to your organisation and from your organisation to customers.

    Critical suppliers and customers that are essential to your organisation's operations should be highlighted.

    3. Communication with the supply chain

    Records should be available of communication with both upstream and downstream entities, showing that you have communicated the position of your own organisation and the crucial importance of each individual organisation in your supply chain for your activities. This can also be done through regular meetings with important suppliers and customers that you organise to discuss the cooperation and resolve any problems. It is important to document these meetings and the points discussed.

    4. Contracts and agreements

    Creation, updating and monitoring of contracts and agreements with suppliers and customers as meant by ISO/IEC 27001:2022 clause 7.5. These documents should include the roles, responsibilities and authorities of each party and their importance to your activities.

    5. Documented and monitored risk management plans

    Risk management plans should be documented and maintained that identify potential risks associated with suppliers and customers. This also includes mitigation to limit these risks.

    6. Regular reviews and updates

    Regular reviews of your supply chain should be planned and the documentation should be updated accordingly. Suppliers or customers should be informed of any changes.

    7. Training and awareness programmes

    Training programs for employees, and where relevant suppliers and customers, should be rolled out to ensure that they understand the importance of the supply chain to your organisation and their role in maintaining it. These training sessions and their results should be documented (attendance list, training materials, agenda, feedback and actions taken as a result of that feedback, evaluation tests and their results, etc.).