The levels and key measures

To respond to the severity of the threat an organisation is exposed to, in addition to the starting level Small, 3 assurance levels are provided: Basic, Important and Essential.

CyFun Small cover


The starting level Small allows an organisation to make an initial assessment. It is intended for micro-organisations or organisations with limited technical knowledge.

CyFun Basic Cover


The assurance level Basic contains the standard information security measures for all enterprises. These provide an effective security value with technology and processes that are generally already available. Where justified, the measures are tailored and refined.

CyFun Important cover


The assurance level Important is designed to minimise the risks of targeted cyber-attacks by actors with common skills and resources in addition to known cyber security risks.

CyFun Essential cover


The assurance level Essential goes one step further and is designed to address the risk of advanced cyber-attacks by actors with extensive skills and resources.


The CyberFundamentals Framework is a set of concrete measures to:

  • protect data,
  • significantly reduce the risk of the most common cyber-attacks,
  • increase an organisation's cyber resilience. 

The framework is based on and linked with 4 commonly used cybersecurity frameworks: NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443.

It uses the functions of any cybersecurity framework.

The levels and key measures

To respond to the severity of the threat an organization is exposed to, in addition to the starting level Small, 3 assurance levels are provided: Basic, Important and Essential

Based on our historical data, retro-fitting was done on successful cyber-attacks using anonymized data. The conclusion is that:

  • measures in assurance level Basic are able to cover 82% of the attacks,
  • measures in assurance level Important are able to cover 94 % of the attacks,
  • measures in assurance level Essential are able to cover 100% of the attacks.

Based on these attacks, key measures were identified at each level to prioritize the countermeasures to protect against the known cyberattacks relevant for that assurance level.

CyberFundamentals Conformity Assessment Scheme

Conformity against the requirements of the respective assurance levels in the CyberFundamentals Framework will be assessed according to the requirements set out in the CyberFundamentals Conformity Assessment Scheme (CAS).

Conformity assessment of the CyberFundamentals Framework shall be performed by an accredited and authorized conformity assessment body.

A conformity assessment body will be accredited according to EU Regulation 765/2008 setting out the requirements for accreditation and market surveillance, unless otherwise determined by Belgian legislation. Accreditation requests can be addressed to BELAC according to the applicable procedure.

The authorization is given by the CCB as National Cybersecurity Certification Authority (NCCA); Accreditation is one of the requirements for authorization. 

Conformity Assessment


To facilitate the use of the CyberFundamentals Framework, several tools are provided to assist in the implementation of the framework:

  • CyFun Selection Tool is a tool  for  Risk Assessment resulting in a well-informed selection of the appropriate CyberFundamentals Assurance Level.
  • CyFun Self-Assessment tool is a MS Excel format tool to prepare self-assessment and includes spider diagrams to support management reporting
  • CyberFundamentals Framework mapping provides an overview of the requirements and links with the frameworks in a MS Excel-format
  • CyFun Policy Templates provide a set of policies that can be used to fulfill the requirements of the level BASIC.