CyFun Prototyping: Take-aways from KU Leuven Round-Table
Leuven, 2 June 2025
Who was in the room?
- Johan Klykens, CyFun “Grand Master” and lead certification architect at CCB
- Researchers Isabela Rosal Santos and Charlotte Somers (CiTiP), who presented the latest results of the KU Leuven CyFun readiness questionnaires
- Eight early-adopter companies rolling out NIS2 governance, risk & compliance (GRC) programmes—including Qfirst’s Danny Zeegers and Orange Cyberdefense QMS & Risk manager Karin Printemps
5 pain points the pilots surfaced
| Concern | What participants said |
|---|---|
| Supplier risk still a grey zone | “The framework tells us that we must vet business-critical ICT providers, but not how,” one CISO complained. The Excel tool has no weighting for SaaS versus on-prem suppliers. |
| Top-floor buy-in | CFOs balk at six-figure certification budgets and expect “proof of ROI before signature.” Steering committees need a narrative that resonates. |
| Management training | Mid-management wants bite-size courses, yet nobody could name one publicly available today. |
| Excel tool lock-in | The self-assessment spreadsheet will jump to CyFun 2025 this September. “What happens to the hundreds of controls we already scored?” asked an energy-sector risk officer. |
| ISO 27001 déjà-vu | Several firms felt ISO 27001 “sets clearer guard-rails than CyFun,” especially on documentation and audit cadence. |
What the experts answered
- Supplier assessment is not optional – “Any company that flies a quality label already performs supplier due-diligence,” Johan Klykens reminded the room. Under CyFun each business-critical ICT supplier must be risk-scored and able to show at least CyFun Basic readiness; otherwise the contracting firm carries the residual liability.
- Guidance for managers is coming – A CCB update is planned for Q3 2025 with slide decks, check-lists and case studies aimed at boards and department heads.
- Risk-based storytelling wins the budget – Qfirst’s Danny Zeegers recommended mapping every CyFun gap to a concrete business impact, then walking executives through the heat-map: “When they see revenue or chain liability in red, support follows.”
- ISO vs CyFun is a false dichotomy – “ISO 27001 isn’t easier— just better known,” added Zeegers. “CyFun’s value is the Belgian legal mapping and NIS2 focus; as a step up you can cross-reference clauses 4-10 of ISO 27001:2022 and plug in CyFun’s tech controls.” Karin Printemps, speaking from a successful NIS2 implementation, made the same point.
- Grass-roots roles matter – Zeegers also advised naming a GRC manager, CyFun internal auditor, incident manager, risk manager and risk owners at project kick-off. Qfirst even offers a free “Internal Auditor CyFun Essentials & Gap Analyst” course for those roles.
More insight from Johan Klykens on money, timing and tooling
- Budget ≠ purely technical spend – “ICT spend must stay in balance with governance spend,” Johan stressed. CyFun isn’t a ‘bolt-on’ tech buy—board-level oversight, risk workshops and audits need funding too.
- A three-year runway – The CyFun pathway opened October 2024 and runs to April 2027. “That gives organisations three budget cycles to stagger costs and avoid one-off CAPEX shocks.”
- Savings offset the outlay – A mature ISMS/GRC programme cuts man-hours (“good governance saves time”). Greater cyber-resilience lowers cyber-insurance premiums. Final CCB certification is only €2 500—a fraction of the potential downtime losses CyFun aims to avert.
- Excel tool continuity – The September 2025 upgrade will migrate all existing answers into the new workbook automatically. “No work is lost; you simply continue your roadmap on the updated scale.”
3 take-aways for NIS2 readiness
Start supplier due diligence now – Even before CCB publishes its additional guidance, document your criteria (criticality, dependence, assurance level) so you can align them with the CyFun 2025 requirements when they arrive.
Treat executives like a stakeholder group – Build a five-slide “risk-vs-cost” deck; pair it with short, sector-specific training once CCB releases the Q3 material.
Run ISO-style governance, layer CyFun controls – Use ISO 27001’s management cycle (Context → Leadership → Planning → Support → Operation → Evaluation → Improvement) as the project skeleton; populate each phase with the CyFun measures and the coming CCB artefacts.
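The first take-away asks for documented supplier criteria and a risk score per business-critical ICT supplier; the pain-points table notes that the Excel tool has no SaaS-versus-on-prem weighting. The following register is an added illustration of how those criteria can be turned into a scored, heat-mapped list. It is not the CCB self-assessment workbook nor any tool shown at the round-table; the 1-5 scales, hosting weights, residual-risk percentages, band thresholds and the four sample suppliers are all constructed assumptions.

```python
"""Supplier risk register for CyFun-style ICT supplier due diligence.

Added illustration, not the CCB self-assessment workbook or any tool the
round-table discussed. It scores each ICT supplier on the three criteria the
take-aways list (criticality, dependence, assurance level), weights the
hosting model (the SaaS-versus-on-prem weighting participants found missing
in the Excel tool) and flags business-critical suppliers that cannot show
CyFun Basic readiness. All scales, weights and thresholds are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Assurance level a supplier can evidence (CyFun levels; NONE = no label)."""
    NONE = 0
    BASIC = 1
    IMPORTANT = 2
    ESSENTIAL = 3


# Hosting weight in percent (assumed): SaaS exposes more of the chain than on-prem.
HOSTING_WEIGHT_PCT = {"saas": 125, "cloud": 110, "on-prem": 100}

# Share of exposure that remains after the supplier's assurance level (assumed).
RESIDUAL_PCT = {
    Assurance.NONE: 100,
    Assurance.BASIC: 75,
    Assurance.IMPORTANT: 50,
    Assurance.ESSENTIAL: 30,
}

# Heat-map bands on the residual score (assumed cut-offs).
RED_THRESHOLD = 15.0
AMBER_THRESHOLD = 8.0


@dataclass(frozen=True)
class Supplier:
    name: str
    criticality: int      # 1 (nice-to-have) .. 5 (business-critical); assumed scale
    dependence: int       # 1 (easily replaced) .. 5 (no alternative); assumed scale
    assurance: Assurance  # level the supplier can evidence
    hosting: str          # key of HOSTING_WEIGHT_PCT

    def __post_init__(self):
        for value in (self.criticality, self.dependence):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.name}: criteria must be scored 1..5")
        if self.hosting not in HOSTING_WEIGHT_PCT:
            raise ValueError(f"{self.name}: unknown hosting model {self.hosting!r}")


def is_business_critical(s: Supplier) -> bool:
    """Criticality 4 or 5 puts the supplier in scope for mandatory due diligence."""
    return s.criticality >= 4


def residual_risk(s: Supplier) -> float:
    """Exposure (criticality x dependence x hosting weight) after assurance mitigation."""
    exposure = s.criticality * s.dependence * HOSTING_WEIGHT_PCT[s.hosting]
    return round(exposure * RESIDUAL_PCT[s.assurance] / 10_000, 2)


def heat_band(score: float) -> str:
    """Map a residual score onto the red/amber/green heat-map shown to executives."""
    if score >= RED_THRESHOLD:
        return "red"
    if score >= AMBER_THRESHOLD:
        return "amber"
    return "green"


def assess(suppliers):
    """Build the register, highest residual risk first."""
    rows = []
    for s in suppliers:
        score = residual_risk(s)
        rows.append({
            "name": s.name,
            "score": score,
            "band": heat_band(score),
            # Business-critical supplier without at least CyFun Basic evidence:
            # the residual liability stays with the contracting firm.
            "liability_gap": is_business_critical(s) and s.assurance < Assurance.BASIC,
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def due_diligence_gaps(suppliers):
    """Names of suppliers from which CyFun Basic evidence must still be obtained."""
    return [r["name"] for r in assess(suppliers) if r["liability_gap"]]


# Constructed sample register (fictitious suppliers).
SAMPLE = [
    Supplier("Cloud ERP (sample)", 5, 5, Assurance.NONE, "saas"),
    Supplier("MDR provider (sample)", 5, 3, Assurance.IMPORTANT, "cloud"),
    Supplier("Payroll SaaS (sample)", 4, 2, Assurance.BASIC, "saas"),
    Supplier("Backup appliance vendor (sample)", 3, 4, Assurance.NONE, "on-prem"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE):
        flag = "  <- obtain CyFun Basic evidence" if row["liability_gap"] else ""
        print(f"{row['band']:>5}  {row['score']:6.2f}  {row['name']}{flag}")
```

The register keeps criteria, weights and thresholds as named constants so that, once CCB publishes its supplier guidance and the CyFun 2025 scale, only those values need revisiting while the documented scores per supplier remain comparable over the three budget cycles.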
With supplier chains high on the NIS2 risk radar, the Leuven session underscored a simple message: organisations that wait for a “perfect” framework will lose precious months. Those that start small—mapping suppliers and visualising risk for management—will be ready when CyFun 2025 and the Belgian NIS2 transposition go live.
Visualising CyFun Essential inside an ISO 27001 Governance Skeleton
The easiest way to present CyFun to executives who already recognise ISO 27001 is to lay its requirements over the familiar Clause 4-10 cycle, then drop in CyFun’s organisational & technical controls (OC / TC).
| ISO 27001 clause | CyFun Essential focus area | Key organisational controls (OC) | Key technical controls (TC) | Typical ISO 27001 Annex A cross-references |
|---|---|---|---|---|
| 4 Context of the organisation | Governance & scope definition | Asset & service inventory, stakeholder register, supply-chain mapping | – | A.5.9, A.5.31 |
| 5 Leadership | Commitment & policy | InfoSec policy, roles & responsibilities, board charter | – | A.5.1 – A.5.5 |
| 6 Planning | Risk management & objectives | Risk methodology, risk register, NIS2-specific objectives | Supplier-risk dashboard | A.5.35, A.8.8 |
| 7 Support | Resources, awareness, documentation | Training plan for execs & middle management, CyFun document set | Microsoft Purview DLP (audit-only, EU boundary), endpoint EDR | A.6.3, A.8.15-16 |
| 8 Operation | Operational security controls | Change-management SOP, incident-response playbooks, due diligence of ICT suppliers (CyFun Level B) | Access control, patch management, secure configuration baselines, MDR/SIEM | A.5.12, A.8.2-A.8.14 |
| 9 Performance evaluation | Monitoring, internal audit & KPIs | CyFun self-assessment workbook, internal audit schedule, management review minutes | Audit-log retention (12 months), metrics automation | A.5.36, A.8.15 |
| 10 Improvement | Corrective actions & continual improvement | CAPA log, lessons-learned workshops, roadmap tracker to 2027 deadline | Automated ticket linkage from SIEM/ITSM | A.5.26-A.5.28 |
Why this mash-up works
- Auditors already benchmark against ISO 27001 Annex A; adding the CyFun label per control tells them instantly which Belgian/NIS2-specific proof to look for.
- Budget owners see that many CyFun controls piggy-back on investments they already make for ISO or SOC2, making Klykens’ argument that the incremental €2 500 certification fee is “defendable” easier to swallow.
- Management training gaps land squarely in Clause 7: once CCB releases the promised Q3 slide decks, they drop right into the “Support” row of the table above.
Bottom line: Map CyFun Essential onto ISO 27001’s clauses, plug in the OC/TC specifics, and you give leadership a single, comprehensible roadmap—one that fits the budget cycles Johan Klykens outlined and that keeps every prior Excel assessment fully reusable come the September 2025 upgrade.