Cyber Fundamentals (CyFun)
2026-05-06 05:33:14 Author: securityboulevard.com

What is CyFun

CyFun, short for CyberFundamentals Framework, is a cybersecurity maturity framework developed by the Centre for Cybersecurity Belgium (CCB). It provides organizations with a structured and scalable approach to establishing and improving their cybersecurity posture based on their risk level and operational context.

The framework is designed to translate cybersecurity best practices into practical and auditable controls. It helps organizations move beyond ad-hoc security measures by defining clear baseline requirements for protecting systems, data, and services.

CyFun is primarily used by organizations operating within or interacting with Belgian and EU regulatory environments, particularly those impacted by NIS2-aligned cybersecurity expectations. It is relevant across both public and private sectors, including critical infrastructure providers, SMEs, and service organizations handling sensitive or essential operations.

At its core, CyFun is structured to be risk-based and scalable. It defines several assurance levels (Small, Basic, Important, and Essential) so that organizations can adopt requirements proportionate to their exposure and criticality rather than applying a single uniform control set.

What are the requirements for compliance?

Compliance with CyFun is based on implementing a defined set of cybersecurity controls and governance practices aligned with the framework’s security objectives. These requirements are not purely technical; they also emphasize organizational accountability, process maturity, and continuous risk management.

At a high level, compliance involves establishing and maintaining:

  • Governance and security management structures, including defined roles, responsibilities, and oversight mechanisms
  • Security policies and procedures that formalize how cybersecurity is managed across the organization
  • Technical and operational controls covering areas such as access control, network security, endpoint protection, logging, and vulnerability management
  • Incident management capabilities, including detection, response, escalation, and reporting processes
  • Evidence and documentation practices to demonstrate that controls are implemented and operating effectively
  • Audit readiness, particularly where CyFun is used as a certification or assurance baseline

In practice, organizations typically implement CyFun by mapping existing controls to the framework, identifying gaps, and progressively remediating them based on priority and risk. CyFun's own controls are derived from and mapped to established standards, notably the NIST Cybersecurity Framework, ISO 27001/27002, CIS Controls, and IEC 62443, so organizations already aligned with one of these can reuse existing security investments and evidence where possible.

CyFun Assurance Levels

CyFun uses a tiered model so that cybersecurity requirements are proportional to an organization's risk profile, operational impact, and regulatory exposure. Below the main levels sits a Small level for organizations with very limited exposure; the three main levels, in increasing order of maturity and control rigor, are Basic, Important, and Essential. The names of the two upper levels mirror the NIS2 distinction between important and essential entities.

Basic is the entry-level baseline. It focuses on fundamental cybersecurity hygiene and is typically aimed at smaller organizations or those with limited exposure to critical systems or sensitive data. The objective is to ensure that minimum safeguards are in place to reduce common and easily exploitable risks, such as weak access control, missing updates, or lack of incident awareness.

Important is the intermediate level and represents a more mature and structured security posture. It applies to organizations with moderate risk exposure or those providing important services. At this level, cybersecurity becomes more formalized, with stronger governance, systematic risk management, and broader implementation of technical controls such as monitoring, incident response processes, and access governance.

Essential is the highest level and is intended for organizations whose services are critical to societal, economic, or operational continuity. This level requires advanced security maturity, strong resilience capabilities, and comprehensive control coverage. It emphasizes continuous monitoring, robust incident handling, strict access control mechanisms, and higher expectations for evidence-based assurance.

Across all levels, the framework is designed to be scalable, allowing organizations to progress gradually as their risk profile or regulatory obligations evolve.

The CyFun Answering Model

A key characteristic of CyFun is that compliance is not assessed on whether a control merely exists. Instead, each control is evaluated on two layers, documentation maturity and implementation maturity, and both must be evidenced.

The documentation layer requires organizations to formally define how security is governed and executed. This includes policies, procedures, standards, and defined roles and responsibilities. The goal is to demonstrate that cybersecurity is intentionally designed and consistently directed at the organizational level.

The implementation layer focuses on operational reality. It verifies that documented controls are not only defined but actively enforced and functioning in practice. This includes technical configurations, system behavior, logs, operational workflows, and evidence of day-to-day execution.

Together, these two dimensions ensure that compliance is not theoretical. An organization must be able to show both:

  • that controls are formally defined and governed (documentation), and
  • that they are effectively applied and operating as intended (implementation)

In practice, this means that compliance assessments typically require structured evidence collection. Organizations must provide artifacts such as policy documents, configuration outputs, audit logs, training records, and incident reports, depending on the control being evaluated.

This dual approach strengthens assurance quality by reducing the gap between “paper compliance” and actual security effectiveness, ensuring that CyFun reflects real operational cybersecurity maturity rather than documentation alone.

Why should you be CyFun compliant?

CyFun compliance is primarily driven by the need to establish a consistent and demonstrable cybersecurity baseline. For many organizations, it is not only a regulatory consideration but also a mechanism to improve operational resilience and stakeholder confidence.

From a business perspective, CyFun compliance strengthens trust with customers, partners, and regulators by demonstrating that cybersecurity risks are being managed in a structured and recognized way. It also supports market access, particularly in environments where cybersecurity assurance is a prerequisite for doing business.

From a risk standpoint, implementing CyFun reduces exposure to common threats such as unauthorized access, ransomware, data breaches, and service disruption. It enforces discipline around governance, monitoring, and incident response, which are often the weakest areas in less mature security programs.

Non-compliance or weak alignment can result in several consequences, including:

  • Increased likelihood and impact of security incidents
  • Regulatory scrutiny or enforcement actions in applicable jurisdictions
  • Loss of business opportunities due to insufficient security assurance
  • Higher remediation costs following incidents or audits

More broadly, CyFun aligns organizations with evolving regulatory expectations in Europe, particularly those emphasizing structured cyber risk management and accountability.

How to achieve CyFun compliance

Achieving CyFun compliance can be challenging when managed through spreadsheets, fragmented security tools, and manual audit processes. Organizations often struggle with maintaining up-to-date control mappings, tracking evidence across multiple teams, and demonstrating continuous compliance rather than point-in-time readiness.

Centraleyes supports organizations in operationalizing CyFun compliance through a centralized and automated approach to governance, risk, and compliance management.

Key capabilities include:

  • Mapping CyFun requirements to existing security controls and frameworks
  • Performing gap assessments to identify areas of non-compliance or partial alignment
  • Managing risk, control ownership, and remediation workflows in a unified environment
  • Centralizing evidence collection to support audit and certification readiness
  • Enabling continuous monitoring of compliance posture over time
  • Providing reporting and dashboards for stakeholders, auditors, and leadership teams

By consolidating these activities into a single platform, organizations reduce manual effort, improve consistency across control implementation, and gain real-time visibility into their compliance posture.

This approach not only simplifies CyFun adoption but also helps organizations move from periodic compliance exercises toward continuous, operationalized cybersecurity governance.

The post Cyber Fundamentals (CyFun) appeared first on Centraleyes.

*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by rotem. Read the original post at: https://www.centraleyes.com/cyber-fundamentals-cyfun/


Source: https://securityboulevard.com/2026/05/cyber-fundamentals-cyfun/