The starting level Small allows an organisation to make an initial assessment, excluding the aspects related to the internal development of applications. The starting level Small is intended for micro-organisations or organisations with limited technical knowledge.
The assurance level Basic contains the standard information security measures for all enterprises. These provide an effective security value with technology and processes that are generally already available. Where justified, the measures are tailored and refined.
The assurance level Important is designed to minimise the risks of targeted cyber-attacks by actors with common skills and resources in addition to known cyber security risks.
The assurance level Essential goes one step further and is designed to address the risk of advanced cyber-attacks by actors with extensive skills and resources.
This document provides a detailed description of the maturity levels and practical use cases of the Basic assurance level to help you assess your maturity level for the framework.
This document provides a detailed description of the maturity levels and practical use cases of the Important assurance level to help you assess your maturity level for the framework.
This document provides a detailed description of the maturity levels and practical use cases of the Essential assurance level to help you assess your maturity level for the framework.
This CyFun® Self-Assessment tool is a MS Excel format tool that prepares entities with assurance level 'Basic' and includes spider diagrams to support management reporting.
This CyFun® Self-Assessment tool is a MS Excel format tool that prepares entities with assurance level 'Important' and includes spider diagrams to support management reporting.
This CyFun® Self-Assessment tool is a MS Excel format tool that prepares entities with assurance level 'Essential' and includes spider diagrams to support management reporting.
In support of the ‘CyberFundamentals Framework’ the Centre for Cybersecurity Belgium (CCB) has developed a tool in MS© Excel.
The self-assessment tool takes into account the requirements for assurance level 'Basic', assurance level 'Important' and assurance level 'Essential' of a specific version of the framework as well as the requirements identified in the Conformity Assessment Scheme (CAS). The versions of the CyberFundamentals framework and CAS with which the tool is aligned, are identified in the tool. For this reason, the tool shall not be modified as part of any verification or certification activity.
The self-assessment tool in MS© Excel includes several tabs, each with its own function. Besides introduction, maturity levels and references, there are the tabs with the controls for assurance level ‘Basic’, ‘Important’ and ‘Essential’ (‘details’ tab) and for each assurance level a summary (‘summary’ tab).
The controls are assessed through two angles:
Policy Maturity: The Policy Maturity evaluation measures how well your written rules and procedures satisfy the controls of the CyberFundamentals Framework.
Implementation maturity: The Implementation Maturity evaluation assess how mature your actual operational practices are in relation to the CyberFundamentals Framework.
The table below shows the different maturity levels and the definitions used to assess maturity from both perspectives:
A sub-category may consist of several controls and each of those controls shall be assessed for documentation and implementation according to the maturity table above. A value from 1 to 5 has to be entered per control in the "details" tab of the applicable assurance level. The tool calculates an arithmetic average for documentation and implementation per sub-category (e.g. ID.AM-1) to then calculate another arithmetic average for documentation and implementation per category (e.g. ID.AM).
These calculated values are visible in the ‘details’ tab of the applicable assurance level.
The ‘summary’ tab for the respective CyberFundamentals assurance levels contains:
A radar chart (spider chart ) is also displayed based on the data from the summary of categories.
Determining conformity with the Conformity Assessment Scheme (CAS)
The overview includes the target scores as determined for the specific assurance levels as described in the CAS. It is against these target scores that the values of the self-assessment are assessed.
When the values colour red one is not conforming to the required maturity level, green shows conformance.