The assurance level Basic contains the standard information security measures for all enterprises. These provide an effective security value with technology and processes that are generally already available. This assurance level will protect your organisation against known cybersecurity risks. For this assurance level, we provide three supporting resources: an Excel self-assessment tool, a booklet, and a document on maturity level use cases.
This tool helps you evaluate your organisation’s current cybersecurity practices. It guides you through the controls at the Basic level, allowing you to identify strengths and areas for improvement in a structured and accessible way.
In support of the ‘CyberFundamentals Framework’ the Centre for Cybersecurity Belgium (CCB) has developed a tool in MS© Excel.
The self-assessment tool takes into account the requirements for assurance level 'Basic', assurance level 'Important' and assurance level 'Essential' of a specific version of the framework as well as the requirements identified in the Conformity Assessment Scheme (CAS). The versions of the CyberFundamentals framework and CAS with which the tool is aligned, are identified in the tool. For this reason, the tool shall not be modified as part of any verification or certification activity.
The self-assessment tool in MS© Excel includes several tabs, each with its own function. Besides introduction, maturity levels and references, there are the tabs with the controls for assurance level ‘Basic’, ‘Important’ and ‘Essential’ (‘details’ tab) and for each assurance level a summary (‘summary’ tab).
The controls are assessed through two angles:
| Policy Maturity: | The Policy Maturity evaluation measures how well your written rules and procedures satisfy the controls of the CyberFundamentals Framework. |
| Implementation Maturity: | The Implementation Maturity evaluation assess how mature your actual operational practices are in relation to the CyberFundamentals Framework. |
The table below shows the different maturity levels and the definitions used to assess maturity from both perspectives:
A sub-category may consist of several controls and each of those controls shall be assessed for documentation and implementation according to the maturity table above. A value from 1 to 5 has to be entered per control in the "details" tab of the applicable assurance level. The tool calculates an arithmetic average for documentation and implementation per sub-category (e.g. ID.AM-1) to then calculate another arithmetic average for documentation and implementation per category (e.g. ID.AM).
These calculated values are visible in the ‘details’ tab of the applicable assurance level.
The ‘summary’ tab for the respective CyberFundamentals assurance levels contains:
The overview includes the target scores as determined for the specific assurance levels as described in the CAS. It is against these target scores that the values of the self-assessment are assessed.
When the values colour red one is not conforming to the required maturity level, green shows conformance.
The Conformity Assessment Scheme (CAS) is under discussion with the National Accreditation Body, BELAC.
The booklet provides background information, practical guidance, and explanations of the Basic assurance level requirements. It supports you in understanding the purpose behind each control and how to implement them effectively.
This document provides a detailed description of the maturity levels and practical use cases of the Basic assurance level to help you assess your maturity level for the framework.