CyberFundamentals Framework
Discover how Brainframe can help you to implement and manage your CyberFundamentals compliance efforts effectively
CyberFundamentals
The CyberFundamentals Framework, developed by Belgium's Centre for Cybersecurity, is designed to reduce cyber risks and enhance resilience against common threats. Brainframe helps you align with some requirements of this framework by offering an Information Security Management System (ISMS). The framework is divided into levels (Small, Basic, Important, Essential) tailored to various organizational needs, enabling a step-by-step enhancement of security measures. For more information on the CyFun framework, visit their official website.
The CyberFundamentals framework is structured around five core functions designed to provide a holistic approach to cybersecurity risk management. These functions—Identify, Protect, Detect, Respond, and Recover—work together to help organizations assess and mitigate risks, enhance resilience, and maintain operational continuity in the face of cyber threats. This structured approach ensures that both technical and non-technical stakeholders can align cybersecurity measures with broader organizational objectives, facilitating clear communication and effective decision-making across all levels.
Available packages
Small
The "Small" assurance level provides a basic starting point for organizations to evaluate their cybersecurity posture. It is specifically designed for micro-enterprises or those with minimal technical expertise, allowing them to perform an initial assessment of their current security practices and identify key areas for improvement. This level is ideal for those beginning their cybersecurity journey, providing simple and essential measures that are accessible without advanced technical knowledge.
Basic
The "Basic" assurance level includes standard cybersecurity measures that are suitable for all types of enterprises. It provides essential protection by utilizing commonly available technologies and processes to enhance security. These measures are designed to deliver effective security value without requiring specialized resources, and they can be adapted and refined as needed to fit specific organizational contexts. This level is ideal for companies that want to establish a solid foundation of security practices.
Important
The "Important" assurance level aims to significantly reduce the risk of cyber-attacks carried out by adversaries with moderate skills and resources, while addressing common cybersecurity threats. It is crafted to protect organizations from more sophisticated threats beyond those mitigated by basic security measures, providing an additional layer of defense against actors capable of launching targeted attacks. This level enhances an organization’s resilience by focusing on known risks and emerging threats.
Essential
The "Essential" assurance level takes cybersecurity further by focusing on mitigating risks from advanced cyber-attacks conducted by highly skilled and well-resourced adversaries. It is designed to protect against sophisticated threats that require a comprehensive set of security measures, ensuring that the organization is resilient against attackers with extensive capabilities. This level offers robust safeguards for defending against complex cyber-attacks, making it suitable for organizations that need the highest level of security.
CyberFundamentals Best Practices
Framework Familiarization
Familiarize yourself with the CyFun® framework, particularly its assurance levels, and align the implementation to the specific industry's needs. You should also document the roles, responsibilities, and authorities involved in cybersecurity, covering both internal teams and third parties, ensuring proper customization and accountability in the implementation process.
Initial assessment
Begin with an initial assessment by ensuring your organization has an up-to-date inventory of all physical devices, software, and third-party systems. You should also identify critical resources, dependencies, and roles within the supply chain to understand the business environment comprehensively.
Gap Analysis
Consultants should conduct a gap analysis to compare the client's current cybersecurity posture against the CyFun "Important" assurance level, including a risk assessment of hardware, software, personnel, and data. Based on the findings, they need to develop a risk management strategy, prioritizing key risks and responses, and actively involve both internal and external stakeholders in the process.
Framework Implementation
Establish cybersecurity policies that align with CyFun controls, including policies on access control, data protection, and third-party management. Implement technical safeguards, such as network segmentation, firewalls, and multi-factor authentication (MFA) for critical systems. Define and manage access permissions following the principles of least privilege and separation of duties, ensuring robust identity management and monitoring.
Training and Awareness
Consultants should ensure that the organization provides cybersecurity training for all employees, including privileged users, external stakeholders, and third-party providers, covering their roles in protecting information assets. Additionally, they should organize cybersecurity awareness campaigns and conduct simulation exercises, such as phishing drills and incident response tests, to improve awareness and enhance the organization's response capabilities.
Ongoing Assessment and Improvement
Consultants should help set up ongoing audits and vulnerability scans to continuously identify system weaknesses, with key performance indicators established to measure implementation success. They should also assist in developing incident response and recovery plans, ensuring these plans are regularly tested with all relevant stakeholders to maintain preparedness.
Compliance and Reporting
Consultants should ensure the organization complies with all legal, regulatory, and framework-specific obligations, implementing regular reviews of the risk management process. They should also provide clients with ongoing reports and updates regarding the framework's implementation status and identified risks, ensuring key decision-makers remain well-informed throughout the process.
Brainframe overview
Asset management
With Brainframe you can maintain a comprehensive inventory of your business assets and link them seamlessly to the processes they support. You can assign a criticality level to each asset, so that you can effectively prioritize and manage your organization's most important assets.
Risk management
Brainframe lets you define risks for each asset or process, determine their criticality level, create and prioritize risk mitigation plans, and provides a comprehensive overview of all your risks in a centralized dashboard.
Policy management
Use Brainframe's extensive templates to efficiently develop the policies and procedures required by DORA. Assign specific roles and responsibilities to management and ensure they are actively involved in and accountable for the policy and decision-making process.
Maturity management
Map your controls to their requirements and track the maturity level of your compliance frameworks. Thanks to the deep integration with the task manager, you can demonstrate your progress and improve the efficiency of your audits.
Achieve CyberFundamentals compliance with Brainframe
While Brainframe addresses many of the requirements outlined in the CyberFundamentals framework, it does not claim full compliance with the CyFun Framework. For detailed information on how Brainframe aligns with CyberFundamentals, please contact us or visit our CyFun terms and conditions.
Self-hosted solution
Brainframe can be deployed seamlessly on your on-premises infrastructure, giving you full control over your data and systems. This deployment option ensures that you comply with internal security policies and legal requirements, while offering the same powerful features and capabilities as Brainframe's cloud-based solutions. With on-premises deployment you can tailor the platform to your unique environment, ensuring optimal performance and integration with your existing infrastructure.
Cloud solution
Brainframe is available as a cloud-based solution and offers flexibility and scalability without the need for complex infrastructure management. This deployment option provides rapid deployment and automatic updates, while maintaining the highest levels of security and compliance. With Brainframe in the cloud you can access the platform from anywhere, enabling seamless collaboration and ensuring that your organization remains resilient and up to date with minimal overhead.
Here is how Brainframe can help you with some of the CyberFundamentals requirements:
| CyberFundamentals requirement | Brainframe Solution |
|---|---|
| ID.AM-1: Physical devices and systems used within the organization are inventoried. Organizations must maintain an up-to-date inventory of all assets related to information processing. This inventory should be regularly reviewed and updated to ensure accountability, with details like device type, manufacturer, serial numbers, and physical location. The use of IT asset management tools is recommended to streamline this process. | |
| ID.AM-2: Software platforms and applications used within the organization are inventoried. Organizations must maintain a detailed and up-to-date inventory of all software platforms and applications, including those that are outsourced. This inventory should cover essential details like name, description, version, and business purpose. Regular reviews and updates are necessary, and IT asset management tools can be used to streamline the process. Accountability for software management should also be clearly defined. | |
| ID.AM-3: Organizational communication and data flows are mapped. Organizations must identify and map the types of information they store and use, linking this data to physical devices, systems, and software platforms. All connections within the ICT/OT environment should be documented, approved, and regularly updated. This documentation must include details on interfaces, data characteristics, security requirements, and protocols. | |
| ID.AM-4: External information systems are catalogued. Organizations must map, document, authorize, and regularly update all external services and their connections. This includes systems over which the organization does not have direct control, such as cloud services, SaaS, and APIs. Information flows to and from external systems should also be documented and updated as needed, with external service providers required to specify the functions, ports, protocols, and services necessary for these connections. | |
| ID.AM-5: Resources are prioritized based on their classification, criticality, and business value. Organizations should prioritize their resources, including hardware, software, data, and personnel, based on their classification, criticality, and business value. This involves assessing the potential impact of data being exposed, damaged, or inaccessible. Resources should be categorized (e.g., Public, Internal, Confidential) and communicated clearly to ensure proper handling. The classification should address confidentiality, integrity, and availability (C-I-A) to ensure comprehensive protection of assets. | |
| ID.AM-6: Cybersecurity roles, responsibilities, and authorities for the entire workforce and third-party stakeholders are established. Organizations must document, review, and update information security and cybersecurity roles, responsibilities, and authorities, ensuring alignment with internal and external stakeholders. This involves clearly defining who is responsible, accountable, consulted, and informed for various security tasks. Key functions, including legal and threat detection, should have well-established roles, and responsibilities should extend to third-party providers who have access to the organization's ICT/OT environment. | |
| ID.BE-1: The organization's role in the supply chain is identified and communicated. Organizations must identify, document, and communicate their role within the supply chain, clearly understanding who is upstream and downstream. This includes recognizing which suppliers provide critical services, products, or capabilities. The organization should also ensure that its position and importance within the supply chain are clearly communicated to both upstream and downstream partners. | |
| ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated. Organizations must establish and communicate clear priorities for their business objectives and activities. This includes determining and prioritizing the organizational mission and goals, as well as assessing information protection needs. Processes should be adjusted as needed to align with these priorities, ensuring a practical and achievable security strategy. | |
| ID.BE-4: Dependencies and critical functions for delivery of critical services are established. Organizations must identify, document, and prioritize dependencies and mission-critical functions necessary for delivering essential services. This process should be integrated into the overall risk assessment, ensuring that all critical components, including support services, are recognized and managed based on their importance to business continuity. | |
| ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states. Organizations must identify, document, and test the necessary requirements for cyber resilience, with approval for their implementation. This includes mechanisms such as failsafe systems, load balancing, and redundancy in data and network infrastructure. Effective business continuity management (BCM) practices, including Business Impact Analysis (BIA), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP), are essential to maintaining service availability. Additionally, organizations should define recovery time objectives (RTO) and recovery point objectives (RPO) to ensure quick restoration of essential systems. | |
| ID.GV-1: Organizational cybersecurity policy is established and communicated. Organizations must establish, document, and regularly review policies and procedures for information security and cybersecurity. These guidelines should clearly outline acceptable practices, roles, responsibilities, and expectations for protecting the organization's resources. Policies need to be accessible to all employees, used for training, and updated at least annually or whenever there are changes in the organization or technology. Senior management must approve and disseminate these policies across the organization, ensuring coordination among various security functions throughout the lifecycle of ICT/OT systems. | |
| ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed. Organizations must ensure that legal and regulatory requirements concerning information and cybersecurity, including privacy obligations, are fully understood, implemented, and managed. Regular reviews are necessary to maintain continuous compliance, and these requirements extend to contractors and service providers who may handle or have access to sensitive information. | |
| ID.GV-4: Governance and risk management processes address cybersecurity risks. A comprehensive strategy to manage information security and cybersecurity risks must be developed as part of the company's overall risk management. This strategy should outline the allocation of resources necessary to safeguard business-critical assets and ensure that all identified risks are documented, formally approved, and regularly updated to reflect any changes. Utilizing risk management tools can streamline this process. | |
| ID.RA-1: Asset vulnerabilities are identified and documented. Organizations must establish a process to continuously monitor, identify, and document vulnerabilities in their business-critical systems. Effective vulnerability management involves regular scanning, testing, and validation to ensure potential risks are identified and addressed without disrupting normal operations. | |
| ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk. Organizations must conduct comprehensive risk assessments to evaluate risks based on identified threats, vulnerabilities, and their impact on business processes and assets. These assessments should consider both internal and external threats and evaluate the potential consequences on the confidentiality, integrity, and availability of assets. Organizations are encouraged to use both qualitative and quantitative analysis methods and document the results. Risk assessment findings should be communicated to relevant stakeholders to ensure appropriate mitigation actions are taken. | |
| ID.RA-6: Risk responses are identified and prioritized. Organizations must develop and implement a comprehensive strategy to manage risks to their critical systems, which involves identifying and prioritizing appropriate risk responses. This strategy should engage both management and employees, clearly define which assets are most critical, understand the potential impact of their compromise, and outline how effective mitigation measures will be implemented to protect these assets. | |
| ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders. Organizations must establish a cyber risk management process that identifies key internal and external stakeholders. This process should facilitate the effective handling of risk-related issues and information. It should be thoroughly documented, regularly reviewed, and updated whenever there are changes. External stakeholders might include customers, investors, shareholders, suppliers, government agencies, and the wider community. | |
| ID.RM-2: Organizational risk tolerance is determined and clearly expressed. Organizations must clearly define their risk appetite, ensuring that it aligns with their information security and cybersecurity policies. This coherence between risk tolerance and security measures helps demonstrate a consistent and strategic approach to managing risks. | |
| ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders. Organizations must establish a documented cyber supply chain risk management process that is regularly reviewed, approved, and updated when changes occur. This process should facilitate the identification, assessment, and mitigation of risks arising from the interconnected nature of ICT/OT products and service supply chains, ensuring comprehensive management of supply chain security. | |
| ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process. Organizations must conduct cyber supply chain risk assessments at least once a year or whenever there are changes to critical systems, the operational environment, or the supply chain. These assessments should be documented, and the results shared with relevant stakeholders. Additionally, organizations should maintain an up-to-date list of suppliers, vendors, and partners, both online and offline, which includes their contact information and the services they provide. | |
| ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain Risk Management Plan. Based on the findings of cyber supply chain risk assessments, organizations should establish a contractual framework with suppliers and external partners to manage the sharing of sensitive information and interconnected ICT/OT products and services. Contracts should include specific information security and cybersecurity requirements, ensuring a verifiable flaw remediation process to address identified vulnerabilities. Additionally, organizations must ensure GDPR compliance if personal data is involved. Contracts should also permit the organization to review the cybersecurity programs of suppliers and partners to verify adherence to security requirements. | |
| ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. Organizations must routinely review assessments of suppliers' and third-party partners' compliance with contractual obligations by examining audits, test results, and other evaluations. The depth of the review should be based on the criticality of the products and services provided, ensuring that independent audits and evaluations are used to verify compliance. | |
| ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers. Organizations must identify and document key personnel from suppliers and third-party partners, including them as stakeholders in response and recovery planning activities. This ensures that these partners are actively involved in the testing and execution of response and recovery plans. | |
| PR.AT-1: All users are informed and trained. Organizations must ensure that all employees, including users and managers of ICT/OT systems, receive appropriate training on information security policies upon hiring and on a regular basis thereafter. Training should be continuously updated and reinforced through awareness campaigns. Security awareness training must also include insider threat recognition and reporting, and should be communicated regularly and engagingly to ensure everyone understands their responsibilities. Practical scenarios and regular simulation exercises can help reinforce learning. | |
| PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles. Organizations must develop, document, and maintain a baseline configuration for their business-critical systems, ensuring that these configurations are regularly reviewed and updated. Baseline configurations should include details on system versions, patch status, configuration settings, network topology, and the placement of components within the system architecture. | |
| PR.IP-2: A System Development Life Cycle to manage systems is implemented. The system and application development life cycle must incorporate security considerations throughout all phases, including specification, design, development, and implementation. This involves ensuring that security is integrated into the acquisition of business-critical systems and their components, and providing training on vulnerability awareness for developers. The development process should also include robust configuration management, flaw tracking, change control, and security testing to ensure security-relevant system interfaces are properly designed and implemented. | |
| PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed. Organizations must establish, maintain, and regularly test incident response and recovery plans, including those for business continuity and disaster recovery, to ensure their effectiveness and readiness. These plans should provide clear instructions for detecting, responding to, and mitigating the effects of cyber-attacks, while addressing recovery objectives, restoration priorities, and personnel roles. | |
| PR.IP-12: A vulnerability management plan is developed and implemented. Organizations must establish and maintain a documented process for the continuous review of vulnerabilities and the development of strategies to mitigate them. Regular updates and proactive measures are essential to ensure vulnerabilities are addressed before they can be exploited. | |
| RS.RP-1: Response plan is executed during or after an incident. An incident response process must be in place and executed during or after a cybersecurity event affecting the organization's critical systems. This process should include predefined instructions for detecting, responding to, and mitigating the impact of malicious cyber-attacks. Clear roles, responsibilities, and authorities must be established, specifying who is involved, their contact information, and who is authorized to initiate recovery procedures and communicate with external stakeholders. | |
| RS.CO-1: Personnel know their roles and order of operations when a response is needed. Organizations must ensure that all personnel involved in incident response clearly understand their roles, objectives, restoration priorities, task sequences, and specific responsibilities. Regular testing of the incident response plan is essential to ensure its effectiveness, and adjustments should be made after each incident to address any gaps. | |
| RS.CO-2: Incidents are reported consistent with established criteria. Organizations must implement a clear process for reporting information and cybersecurity incidents on critical systems within a defined time frame. The reporting process should specify who needs to be informed and ensure that all users have a single point of contact for incident reporting, encouraging prompt communication. Reporting criteria should be outlined in the incident response plan to ensure consistency and clarity on when and how to report incidents. | |
| RS.CO-3: Information is shared consistent with response plans. Organizations must ensure that information about information/cybersecurity incidents is communicated to employees in a clear and understandable format. Additionally, incident information should be shared with relevant stakeholders, both internal and external, as outlined in the incident response plan to ensure coordinated and effective responses. | |
| RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks. Organizations must implement a comprehensive incident handling capability for information and cybersecurity incidents affecting business-critical systems. This process should cover all phases, including preparation, detection and analysis, containment, eradication, recovery, and documented risk acceptance. Risk acceptance involves formally acknowledging risks that are assessed as manageable and within the organization's risk appetite, with the risk owner taking responsibility for these decisions. | |
Audit trail
Brainframe provides a comprehensive and automated audit trail by recording all actions, changes, and updates within the system. User activities, policy changes, risk assessments, and compliance measures are tracked, creating clear, time-stamped documentation. This detailed audit trail not only simplifies internal and external audits, but also ensures transparency, accountability, and alignment with legal requirements such as DORA.
KPIs
Brainframe enables comprehensive KPI monitoring and offers a centralized dashboard for tracking key performance figures across different departments or product lines. It provides real-time insights for various stakeholders and gives clear visibility into progress and performance. This streamlined approach facilitates data-driven decision-making and helps with alignment to organizational goals and compliance requirements.
Integrations
Brainframe supports seamless integrations with your existing systems (SharePoint, JIRA, Monday.com,...), allowing you to easily import documents and records. This ensures a smooth transition by centralizing all relevant files within the platform, reducing manual work and maintaining consistency. By integrating your current document workflows, the software helps streamline processes and improve efficiency across your organization.
Want to know more?
Book a call to find out more on how we can help you achieve and manage your compliance with CyberFundamentals.
Start now for free!
Streamline your GRC work using our all-in-one management solution and get access to our network of local specialists