CyFun certification in Belgium
In Belgium, an organization can be certified against the CyberFundamentals Framework (CyFun®) of the Centre for Cybersecurity Belgium (CCB).
Certification Process for CyFun®
- Framework and Authority: The CyFun® framework is developed and maintained by the CCB, which is designated as Belgium’s National Cybersecurity Certification Authority (NCCA) [1].
- Certification Levels: The CyFun® framework is structured around several assurance levels (Small, Basic, Important, Essential) that correspond to the organization’s size and risk profile [2][1].
- Conformity Assessment: Certification is achieved through a conformity assessment performed by an external, independent, and accredited Conformity Assessment Body (CAB). These CABs must be accredited by BELAC, the Belgian national accreditation body, and authorized by the CCB [3][1].
- Certification Steps:
- Legal and Regulatory Context: Certification for CyFun® is recognized as a way to demonstrate compliance with the NIS2 directive in Belgium. For some organizations, this certification may be voluntary, while for others (especially those in critical sectors), it may be required by law [2][1][4].
- Recognition and Assurance: The certification scheme is validated by BELAC, ensuring that the process is credible and recognized nationally. The CyFun® certificate provides evidence of an organization’s cybersecurity posture to customers, suppliers, regulators, and insurers [3][1].
Summary Table
| Step | Description |
|---|---|
| Self-assessment | Organization evaluates itself against CyFun® requirements |
| Implementation | Measures are implemented and documented |
| External audit | Accredited CAB performs independent verification |
| Certification | Organization receives CyFun® certificate/label if compliant |
In summary: Organizations in Belgium can obtain official certification for the CyFun® framework through an accredited audit process, providing recognized proof of their cybersecurity measures and compliance with Belgian and EU regulations [2][3][1][4].
ISO 27001 certification as proof of compliance
ISO 27001 certification is accepted as proof of compliance with the CyberFundamentals Framework (CyFun®) in Belgium, but with important nuances:
- Equivalence for NIS2 Compliance: Organizations falling under the 'Essential' assurance level of the NIS2 directive can choose either ISO 27001 certification or CyFun® certification to demonstrate compliance [5][1]. Both are recognized paths for meeting regulatory requirements in Belgium.
- Certification Process: For CyFun®, organizations undergo a specific process involving self-assessment, implementation, and external verification by an authorized Conformity Assessment Body (CAB) accredited by the CCB [5][3]. For ISO 27001, certification must also be performed by an accredited CAB with the appropriate scope and statement of applicability [1].
- Scope Alignment Required: If your organization already holds ISO 27001 certification, you can use it to "fast-track" CyFun® certification by aligning the scope of your ISO 27001 Information Security Management System (ISMS) with CyFun® requirements [2]. However, this may require mapping your existing controls and documentation to the additional or specific requirements of CyFun®.
- Additional Guidance: While ISO 27001 and CyFun® share many foundational elements, CyFun® includes extra guidance, requirements, and assessment methodologies beyond ISO 27001 [2][6]. Therefore, holding ISO 27001 certification does not automatically grant CyFun® certification, but it is a strong basis and may significantly reduce the effort required for CyFun® compliance.
- Official Recognition: Both ISO 27001 and CyFun® certifications are officially recognized by Belgian authorities for demonstrating NIS2 compliance, provided the certification is issued by an authorized CAB [1].

In summary: ISO 27001 certification is accepted as proof of CyFun® compliance for regulatory purposes in Belgium, especially for organizations subject to NIS2. However, you may need to ensure your ISO 27001 scope and controls fully cover CyFun® requirements, and certification must be performed by an appropriately accredited CAB [2][5][1].
1. https://higherlogicdownload.s3.amazonaws.com/ISACA/1466d1d1-d2d8-471d-a649-d456b914f0c6/UploadedImages/NIS2_CyFun_ISACA_BELGIUM20240904.pdf
2. https://codific.com/what-is-cyfun-and-how-to-implement-it/
3. https://www.beltug.be/nis2-where-to-begin-the-cyfun-basic-key-measures-are-a-good-starting-point/
4. https://www.axsguard.com/en_US/blog/our-company-8/new-milestone-axs-guard-achieves-iso-27001-certification-283
5. https://assets.kpmg.com/content/dam/kpmg/be/pdf/2024/NIS2-EVENT-15-05-2024-05-15.pdf