“Pass this course or pay for it later.
The Internal Auditor CyFun Essentials training turns NIS 2 theory into the three artefacts every regulator will demand on day one: a live risk register, a board-approved treatment plan and documented residual-risk sign-off. In two days you leave audit-ready—skipping months of trial-and-error and avoiding five-figure fines. For essential entities, that’s not a nice-to-have; this time it’s survival.”
Training teaser: Why a Solid Risk-Management Framework Must Be Your First Move
The 90-second teaser – 50 full courses with exam voucher will be raffled among interested visitors at the Orange Cyberdefense booth at Cybersec Brussels, 21 and 22 May 2025.
Belgium’s NIS 2 obligations already began on 18 Oct 2024 and the next compliance checkpoints fall fast:
- 18 Dec 2024 – digital-sector entities must register at Safeonweb@Work.
- 18 Mar 2025 – all other in-scope entities register.
- 18 Apr 2026 – first assurance (CyFun® Basic/Important or ISO 27001 evidence).
- 18 Apr 2027 – full certification at CyFun® Important/Essential – or ISO – must be in hand. (atwork.safeonweb.be)
That means every “essential” or “important” organisation has, at best, 24 months to prove its cyber-risk controls work.
Why risk management is the keystone
Article 21 of the Directive – and the Belgian law – starts with one command: “establish and maintain an appropriate risk-management framework.” ENISA’s guidance (§ 2.1) turns that into four non-negotiables:
- Documented methodology – ISO 27005, NIST 800-30, FAIR … pick one, but write it down.
- Board-approved risk criteria & tolerance – likelihood, impact, third-party exposure.
- Risk-treatment plan – every “High” risk mapped to a control, owner, budget and due date.
- Residual-risk sign-off – explicit, minuted acceptance aligned with CyFun® levels.
Miss any one of these and your subsequent audits – CyFun®, ISO or CCB inspection – will stall.
Learning the ropes quickly
The “Internal Auditor – CyFun Essentials” course (with optional Gap-Analyst track for Essential companies) has been built around ENISA’s Module 2 requirements:
Course drill | What you master | Direct audit benefit |
---|---|---|
Build a live risk register in 60 minutes | Scoring matrix, risk criteria, CyFun mapping | Supplies evidence for § 2.1.1–2.1.3 |
Trace risk → control → residual gap | Treatment plan, cost-benefit check | Shows external auditors control coverage |
Simulate board approval | Residual-risk statement, tolerance line | Fulfils governance demand |
Threat-intel “flash” exercise | Update scores after real-world events | Demonstrates annual (or faster) refresh |
Participants leave with a ready-to-use evidence pack that drops straight into ServiceNow IRM, OneTrust, Archer or any other GRC suite.
Additional insight you’ll get
- ISO/IEC 27005 vs. FAIR cheat-sheet – decide when quantitative risk adds value.
- Template Klaas for linking CyFun IDs to ENISA Annex controls.
- Quick-start integrations with popular tools (LogicGate, MetricStream, SureCloud, OpenGRC).
What happens if you wait?
From 18 Oct 2024 the CCB can already inspect, scan and fine. The first thing the inspector asks for?
“Show us your current risk register and the minutes where management approved it.”
If you’d struggle to put that on the table today, the clock in the timeline above is your call to action.
Secure your seat
Next cohort: June 10-11 (virtual live) – limited to 25 auditors & risk analysts.
👉 Register now at training.cyfun.be and turn the Directive’s toughest chapter into your easiest audit win.
(Need an on-site gap-analysis workshop for your Essential entity? Send “GAP-2025” to danny@qfirst.be for dates.)
Stay ahead of the NIS 2 wave – because risk waits for no one.