By nis2.news Danny Zeegers | 15 June 2025
ADKAR outcome snapshot for an NIS2 “Essential” organisation
ADKAR stage | What success looks like under NIS2 | Evidence pointers |
---|---|---|
Awareness | All stakeholders ‒ from the board to system owners ‒ understand why NIS2 matters: higher cyber-resilience, heavy fines for non-compliance and reputational risk. This starts with a campaign that “clearly communicates the need for and benefits” of the new security regime. | |
Desire | Leadership’s visible sponsorship turns understanding into motivation. A committed “tone at the top” creates a culture in which staff actually want to adopt new controls instead of seeing them as red tape. | |
Knowledge | Staff receive role-based training on ISO 27001 Annex A controls, Cyfun Essential practices and incident-reporting duties, giving them the know-how to act compliantly. | |
Ability | Hands-on workshops and in-house training sessions ensure people can do the tasks (e.g., configure logs, execute playbooks, fill the unified control matrix). | |
Reinforcement | Continuous evaluation—KPIs, internal audits and management reviews—keeps behaviours sticky, maximises benefits and sustains compliance over time. | |
Why this saves time during an ISO 27001 Level 3 audit
- When Awareness & Desire are high, auditors spend less time chasing missing owners.
- With Knowledge & Ability embedded, evidence (policies, SOP screenshots, ticket logs) is produced on first request instead of in last-minute scrambles.
- Reinforcement mechanisms mean the control set is already monitored; audit samples are ready-made dashboards, not ad-hoc exports.
In practice, organisations that work through the ADKAR sequence often cut external audit fieldwork from weeks to days.
Why this set-up, combined with a Cyfun Essential maturity level, matters now
Since 18 October 2024 (the transposition deadline was 17 October 2024), the EU’s NIS2 Directive requires every essential entity—from energy grids to e-health providers—to prove that its security management system is both risk-based and continuously improving. Many boards have chosen ISO 27001 as the governance backbone, but auditors increasingly insist on evidence of process maturity. Meanwhile, government buyers in several member states reference “Cyfun Essential”, the highest assurance level of the Belgian CCB’s CyberFundamentals framework, which is built on NIST CSF, ISO 27001/27002, CIS Controls and IEC 62443.
If you are aiming for ISO 27001 Audit Maturity Level 3 (processes defined, implemented and partially measured) and need to map that to Cyfun-Essential Level 3, here is a game plan that works for both the standard and the directive.
1 | Pin down your current maturity—objectively
Before scheduling the external audit, run an internal score-card covering process documentation, data quality, control effectiveness and reporting. A CMMI-inspired template lets you score each domain 0-5 and spot the gaps early.
Pro tip: Auditors will not accept a self-assessment alone. Keep evidence packages (policy, logs, minutes) together with every score to speed up sampling.
2 | Align your controls: ISO Annex A ↔ Cyfun A ↔ CMMC
Build a unified control matrix that shows:
ISO 27001 Annex A | Cyfun Essential A | CMMC (Level 1-3) | Evidence artefact |
---|---|---|---|
A.5 Policies | Gov-01 | AC.L1-3.001 | Information-sec. policy v3.2 |
A.8 Asset mgmt. | Inv-02 | AM.L2-3.003 | CMDB export & ownership list |
… | … | … | … |
Why do this?
Auditors can trace every Cyfun requirement to an ISO clause, reducing “additional” questions during the on-site phase.
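One way to make that traceability a mechanical gate rather than a manual read-through, as an added example that is not code from the article or from any of the frameworks it cites: load the unified control matrix as CSV, compare it against the list of Cyfun requirements the auditor will trace, and report every requirement that has no row, no ISO Annex A control behind it or no evidence artefact. The CSV layout, the requirement list and the IDs `Gov-02` and `Log-03` are constructed for this example (the first two rows reuse the article’s table); the column headers are assumptions.

```python
"""Traceability check for a unified control matrix (added example).

Assumptions, not from the article: the matrix is kept as a CSV with the
four columns of the article's table, and the Cyfun requirements that must
be covered are supplied as a separate list. Both inputs are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed matrix: the article's two rows plus one deliberately
# incomplete row (hypothetical ID "Log-03", no ISO mapping, no evidence)
# so the check has something to catch. The CMMC cell is left blank there.
MATRIX_CSV = """iso_annex_a,cyfun,cmmc,evidence
A.5 Policies,Gov-01,AC.L1-3.001,Information-sec. policy v3.2
A.8 Asset mgmt.,Inv-02,AM.L2-3.003,CMDB export & ownership list
,Log-03,,
"""

# Constructed list of Cyfun requirements the auditor will trace.
# "Gov-02" is hypothetical and absent from the matrix on purpose.
REQUIRED_CYFUN = ["Gov-01", "Gov-02", "Inv-02", "Log-03"]


def load_matrix(text):
    """Parse the CSV into dict rows, normalising missing cells to ''."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({k: (v or "").strip() for k, v in row.items()})
    return rows


def check_traceability(rows, required):
    """Return the findings an auditor would otherwise raise on site.

    unmapped    - required Cyfun IDs that appear in no row at all
    no_iso      - rows whose Cyfun ID has no ISO Annex A control behind it
    no_evidence - rows that name no evidence artefact
    duplicates  - Cyfun IDs mapped in more than one row (review for conflicts)
    """
    by_cyfun = defaultdict(list)
    for r in rows:
        if r["cyfun"]:
            by_cyfun[r["cyfun"]].append(r)
    return {
        "unmapped": sorted(set(required) - set(by_cyfun)),
        "no_iso": sorted(r["cyfun"] for r in rows
                         if r["cyfun"] and not r["iso_annex_a"]),
        "no_evidence": sorted(r["cyfun"] for r in rows
                              if r["cyfun"] and not r["evidence"]),
        "duplicates": sorted(k for k, v in by_cyfun.items() if len(v) > 1),
    }


def is_audit_ready(findings):
    """True only when every finding list is empty."""
    return not any(findings.values())


if __name__ == "__main__":
    findings = check_traceability(load_matrix(MATRIX_CSV), REQUIRED_CYFUN)
    for kind, ids in findings.items():
        print(f"{kind:12s}: {', '.join(ids) or '-'}")
    print("audit-ready:", is_audit_ready(findings))
```

Run this as a pre-audit gate (for instance in the pipeline that publishes the matrix): a non-empty `unmapped` or `no_iso` list is exactly the “additional question” the on-site auditor would otherwise ask, and `no_evidence` flags the rows that will fail sampling even though the mapping itself is complete.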
3 | Close the Level-3 gaps early
Gap theme | What “good” looks like at Level 3 | Quick win |
---|---|---|
Process Definition | Documented SOPs & RACI for every control | Convert tribal knowledge to “micro-playbooks” |
Data Quality & ETL | Standardised, reconciled log feeds | Activate schema-validation in SIEM |
Control Effectiveness (ToD/ToE: test of design / test of operating effectiveness) | Sampling plus basic KPIs | Add “control health” widgets to dashboard |
The thesis work on continuous auditing shows that organisations at Level 3 (“Defined”) can already substantiate both design and operational effectiveness of controls—a prerequisite to convince ISO auditors.
4 | Make “tone at the top” visible
External auditors repeatedly flag missing executive sponsorship as the #1 blocker. Embed cyber-risk KPIs in board packs and require directors to sign the Statement of Applicability. “Tone of the top management plays a pivotal role” in audit success.
5 | Hardwire continuous improvement
Cyfun Essential Level 3 expects a feedback loop; ISO 27001 calls it the PDCA cycle. Use:
- Risk register reviews before each major change.
- Monthly metrics on incident response time, false-positive rates, etc.
- Quarterly management reviews feeding new treatment plans.
Internal research confirms that maturity assessment plus a roadmap “provide a structured framework for organisations to gauge effectiveness and identify areas for improvement.”
6 | What to expect from the external audit team
A typical three-stage maturity-based audit under NIS2/ISO 27001 looks like this:
Stage | Auditor focus | Your deliverables |
---|---|---|
Readiness (remote) | Does Level 3 evidence exist? | Unified control matrix, score-card results |
Fieldwork (on-site) | Sample of “live” controls | Screenshots, system walks, staff interviews |
Follow-up (30 days) | CAPA (corrective and preventive action) verification | Proof of remediation & updated KPIs |
Because Cyfun emphasises operational security, expect deeper testing of logging, alert management and patch cadence—areas auditors say often lag behind documentation.
7 | Key take-aways for CISOs
- Map once, comply twice—a consolidated matrix satisfies ISO, Cyfun and NIS2.
- Level 3 is about evidence, not perfection—show that processes are defined and repeatable.
- Leadership matters—auditors look for board-level risk ownership.
- Start the maturity score-card now—it frames the audit narrative and drives action.
By following this blueprint, essential entities can walk into their ISO 27001 Level 3 audit with confidence—and prove to regulators that they meet both NIS2 and Cyfun Essential expectations.