ISO 27001 or CyberFundamentals: which framework to choose?
In Belgium, two frameworks can be used to demonstrate NIS2 conformity: the international standard ISO/IEC 27001 and the CyberFundamentals (CyFun) framework of the Centre for Cybersecurity Belgium (CCB). The CCB recognises them on an equal footing — the stated aim is to place all entities on a level playing field. The choice depends on context.
ISO/IEC 27001
ISO/IEC 27001 is the international standard for information security management systems. It rests on a risk-based approach, a Statement of Applicability (SoA) listing the controls retained and the justification for each, and certification issued by an independent accredited body. Its main advantage is international recognition, which matters when dealing with clients or partners outside Belgium.
CyberFundamentals
CyFun is the Belgian framework of the CCB. It is free, graded across four levels, and directly aligned with NIS2; its key measures are derived from attacks actually observed in Belgium. It offers a faster starting point, with requirements proportionate to the entity's risk level.
For NIS2 conformity
Presumption of conformity is obtained through CyFun verification (Basic or Important level), through CyFun certification (Essential level), or through ISO/IEC 27001 certification, provided the certification scope and the Statement of Applicability are found acceptable by the CCB. In concrete terms, the SoA must cover the requirements of the targeted CyFun level, which is demonstrated by means of a mapping between the ISO controls retained and the CyFun requirements; the CCB inspection service checks this equivalence, paying particular attention to the key measures.
How to decide
An organisation already certified to ISO 27001, or oriented towards international markets, has an interest in building on that standard. An organisation operating mainly in a Belgian context and seeking a graded, economical path will find CyFun more direct. The two are not mutually exclusive, and the right choice follows from the actual scope and the obligations that apply to the entity.