What Is CyFun and How to Implement It?

Updated: 13 January, 2025

12 January, 2025

Introduction

In this blog post, we will help you understand what the CyberFundamentals (CyFun) framework is and how it can help your organization. We’ll provide all the information you need to implement CyFun effectively.

CyFun is a cybersecurity framework developed by the Centre for Cybersecurity Belgium (CCB) under the authority of the Prime Minister of Belgium. It is heavily based on the NIST Cybersecurity Framework (CSF) v1.1, as well as on a number of other standard frameworks: ISO27001, CIS Controls, and IEC-62443. Building on these, CyFun offers a structured approach to improving cybersecurity. While inspired by CSF 1.1, CyFun goes further by providing additional guidance, requirements, and assessment methodologies. This makes it a more mature and practical framework, especially for organizations operating in both the EU and US.

What Is CyFun?

CyFun, short for CyberFundamentals Framework, is a cybersecurity framework designed to increase resilience and reduce the risk of common cyberattacks. It mirrors CSF 1.1 in structure, with the same functions, categories, and outcomes. However, CyFun enhances CSF by integrating guidance from other standards like ISO27001 and IEC-62443. As a result, it provides more detailed guidance and requirements to help organizations achieve measurable security improvements.

CyFun Structure

Figure: CyFun follows the CSF v1.1 structure with its 5 functions

The CyFun structure mirrors the framework of NIST CSF v1.1, adopting its five core functions:

  1. Identify
    This function focuses on understanding the organization’s assets, risks, and vulnerabilities. It includes activities such as asset management, risk assessment, and governance to provide a clear picture of the cybersecurity landscape.
  2. Protect
    Protecting critical assets and data is the next step. This function covers safeguards like access control, awareness training, and data protection to ensure resilience against cyber threats.
  3. Detect
    Early detection of cybersecurity events is critical. This function emphasizes monitoring, anomaly detection, and continuous security assessments to quickly identify potential breaches.
  4. Respond
    When incidents occur, it’s essential to manage them effectively. The Respond function includes incident response planning, communication strategies, and mitigation measures to minimize damage.
  5. Recover
    After an incident, organizations need to restore normal operations. The Recover function focuses on recovery planning, improving resilience, and incorporating lessons learned to strengthen future defenses.

CyFun Profiles

Figure: the 4 CyFun profiles, based on risk appetite: small, basic, important and essential

CyFun introduces four assurance levels tailored to an organization’s size and risk profile:

  1. Small, which is a set of 10 rules of thumb. The Small profile is perfect for small businesses or startups with minimal cybersecurity maturity, so it doesn’t really require much of a structured approach.
  2. Basic includes 34 controls. This level is suitable for small to medium-sized organizations with moderate cybersecurity needs. The Basic profile has been validated by CCB against CERT attack profiles and it can stop 82% of those attacks.
  3. Important includes 117 controls. Important is suitable for organizations that handle sensitive customer or proprietary data. CCB claims it can stop 94% of attacks.
  4. Essential includes 140 controls. Essential is suitable for larger enterprises, critical infrastructure operators, or organizations in highly regulated sectors. It addresses 100% of attacks (historically).

Important Note: These figures represent historical data and don’t account for emerging threats. However, they illustrate CyFun’s effectiveness in reducing risks.

Which CyFun assurance level shall I use?

Figure: CyFun risk assessment tool to map to an assurance level

Choosing the appropriate CyFun assurance level is critical for aligning your cybersecurity strategy with your organization’s needs and risk profile. Fortunately, the Centre for Cybersecurity Belgium (CCB) has developed a user-friendly tool to simplify this decision-making process. The tool also comes with a set of sample risk assessment outcomes for various sectors in the context of the NIS2 regulation. You can leverage the same basic risk assessment methodology to figure out which CyFun assurance level you should use.

Guidance, Controls, and Requirements

Although CyFun mirrors the CSF structure, the contributions of CyFun are not to be underestimated.

CyFun controls: CyFun introduces the term control, which encapsulates CSF outcomes enhanced with additional guidance and requirements.

Control guidance: CyFun provides detailed guidance on how to implement each CSF outcome.

Control requirements: Finally, CyFun provides the definition of done for each outcome making the implementation measurable.

While CSF includes mappings to NIST SP 800-53 for guidance, CyFun goes further, offering specific criteria for successful implementation.

Assessment and Scoring

CyFun introduces a dual scoring system to evaluate both documentation maturity and implementation maturity for each outcome. Dual scoring acknowledges that implementation is key for smaller organizations, while larger entities require formalized, practical documentation. By focusing on actionable, automated policies, organizations avoid compliance traps and enhance security effectiveness.
  1. Implementation maturity: Assesses how well each control is implemented and executed.
  2. Documentation maturity: For smaller or more agile organizations, tribal knowledge—unwritten but deeply ingrained practices—may suffice. However, as an organization grows, it’s critical to formalize this knowledge into clear, pragmatic documentation. So this category measures the organization’s written policies, procedures, and standards.

Maturity Levels

Figure: CyFun maturity levels based on CMMI

CyFun uses CMMI maturity levels for assessments.

The CyFun maturity model consists of five levels, each reflecting the sophistication of an organization’s documentation and implementation processes:

  1. Level 1 (Initial)
    There is no formal documentation or standard processes.
  2. Level 2 (Repeatable)
    Formally approved documentation exists, though it may be outdated, and processes are ad hoc and informal.
  3. Level 3 (Defined)
    Formally approved documentation with minimal exceptions (<5%), and a consistent, evidence-backed process with fewer than 10% exceptions.
  4. Level 4 (Managed)
    Comprehensive documentation, detailed metrics, and less than 5% process exceptions, establishing a baseline for performance metrics.
  5. Level 5 (Optimizing)
    Continually improving metrics, minimal process exceptions (<1%), and rigorously implemented and monitored processes.

This progression emphasizes both process maturity and actionable improvements.

CyFun doesn’t include a “Level 0” (indicating no maturity) or an explicit “Not Applicable” option. Instead, it is the assurance levels that exclude certain controls by design.

Who Needs to Implement CyFun?

CyFun is suitable for both voluntary and mandatory adoption:

  • Voluntary Use: Organizations can leverage CyFun as a National Certification Scheme for Cybersecurity Certification. A self-declaration can be verified by a Conformity Assessment Body (CAB) to receive a label or certificate.
  • Mandatory Use: Some laws and regulations may require certification under CyFun.

Organizations with existing ISO27001 certifications can use these to fast-track CyFun certification by aligning their scope with CyFun requirements.

How to Implement CyFun

Implementing CyFun is a straightforward process that involves four essential steps. Following these steps ensures your organization aligns with the framework and builds a robust cybersecurity posture.

  1. Perform a Risk Assessment to Select Your Assurance Level
    Start by evaluating your organization’s risks and needs using the CyFun Selection Tool. This tool helps you identify the assurance level—Small, Basic, Important, or Essential—that best fits your size, complexity, and risk profile. Taking the time to assess your unique circumstances ensures that your cybersecurity measures are both effective and resource-efficient.
  2. Complete Your Self-Assessment and Implement Corrective Measures
    Once you’ve chosen your assurance level, conduct a self-assessment using tools like SAMMY. This step helps you understand how your organization aligns with CyFun’s requirements and highlights areas needing improvement. Develop and implement a plan to address these gaps with practical, risk-reducing measures.
  3. Select an Authorized Conformity Assessment Body (CAB)
    After completing your self-assessment, you need verification. Contact an Authorized Conformity Assessment Body (CAB) to assess both your self-assessment and the implementation of corrective measures. Their evaluation provides an independent review, ensuring your processes meet the framework’s standards.
  4. Request Your Label on the Safeonweb@work Portal
    Once your CAB has verified your compliance, submit a request for your CyFun label through the Safeonweb@work portal. This label serves as a certification of your organization’s adherence to CyFun, demonstrating your commitment to cybersecurity.

Commonalities and Differences Between CyFun and CSF

CyFun builds on the foundation of NIST CSF while introducing enhancements that make it more practical and actionable for organizations. Here’s how the two frameworks compare:

  1. Profiles
    • CyFun introduces four assurance levels—Small, Basic, Important, and Essential—tailored to different organizational sizes and risk profiles.
    • These assurance levels are practical implementations of CSF’s concept of risk-based profiles, offering pre-defined, actionable pathways for organizations at various stages of cybersecurity maturity.
  2. Guidance, Requirements, and Controls
    • One significant refinement in CyFun is its treatment of outcomes (or subcategories in CSF), which it refers to as controls.
    • This change reflects CyFun’s addition of detailed guidance and “definition of done” requirements for each control, providing clear, actionable steps for implementation.
    • CyFun enriches these controls with insights from well-established standards like ISO27001, CIS Controls, and IEC-62443, ensuring comprehensive guidance.
    • By defining controls instead of just outcomes, CyFun bridges the gap between high-level concepts and practical execution.
  3. Assessment Methodology
    • CyFun introduces a structured assessment methodology based on CMMI maturity levels. This enables organizations to score their performance and progress objectively, supporting both self-certification and third-party certification.
    • While CSF includes tiers to guide risk-based decisions, it lacks CyFun’s robust structure for assessment and comparative scoring, making CyFun more actionable for organizations seeking measurable improvements.

By combining the strengths of CSF with additional layers of guidance, requirements, and structured assessment, CyFun empowers organizations to adopt a more mature and practical approach to cybersecurity. This makes CyFun especially effective for those seeking a framework that aligns with both strategic and operational needs.

Conclusion

CyFun is a robust framework that enhances the widely respected CSF by adding detailed guidance, requirements, and a structured assessment methodology. It helps organizations of all sizes build resilience against cyber threats and improve their security posture.

Tools like SAMMY provide an excellent way to navigate CyFun’s structured approach, offering incremental steps to improve security based on your organization’s risk strategy. Start your journey with CyFun today and take a significant step toward stronger cybersecurity.

Author


Aram is the founder and the CEO of Codific. With over 15 years of experience, he has a proven track record in building complex software systems by explicitly focusing on software security. Aram has a PhD in cybersecurity from DistriNet KU Leuven. His contributions to the refinement and streamlining of the LINDDUN privacy engineering methodology have been incorporated into ISO and NIST standards. Aram is also a core contributor to the OWASP SAMM project and the architecture and security mentor for all our teams.
