I discovered CyberFundamentals (CyFun) during the Executive Master in Cybersecurity Management at Solvay Brussels School, and it immediately caught my attention.
I have always valued solid frameworks — ISO 27001, NIST, the guidelines built by experts who have genuinely thought the subject through. These are the tools that structure thinking and help organizations move forward in tangible ways.
The question was how CyFun would actually behave in the field.
Then I applied it in a real organization.
And that is where it became genuinely interesting.
At a time when Europe is accelerating around NIS2, the Cyber Resilience Act, and operational resilience requirements, Belgium has taken a rather distinctive approach: not only regulating cybersecurity, but actively helping organizations improve their maturity.
Not only through audits.
Not only through obligations.
But through a pragmatic, accessible, and structured framework.
A framework designed to be used
CyberFundamentals is built around a relatively simple idea: assessing cybersecurity maturity across several key domains through understandable questions, explicit documentation expectations, and clearly defined maturity levels.
On paper, that sounds straightforward.
In practice, very few frameworks manage to balance:
- simplicity of use;
- alignment with international standards;
- operational applicability;
- and educational value.
CyFun does this surprisingly well.
The framework quietly — but clearly — integrates concepts from established standards and practices such as:
- ISO 27001;
- NIST;
- governance best practices;
- operational resilience principles.
The result is structured enough to be credible for security professionals, while remaining accessible for organizations with lower cybersecurity maturity.
And that is probably one of its greatest strengths.
“Not one size fits all”
Another particularly relevant aspect is that the approach is not designed as a universal template.
CyberFundamentals attempts to align cybersecurity expectations with the actual context of the organization:
- industry sector;
- operational criticality;
- organizational maturity;
- business exposure.
This matters.
Because many organizations do not fail at cybersecurity for lack of willingness, but because they are confronted with frameworks that are operationally unrealistic.
CyFun avoids part of that trap.
It provides structure while still leaving room for pragmatism.
And when applied inside a large organization, pragmatism becomes essential.
The spider chart that hurts
Like many maturity models, CyberFundamentals produces a visual representation of the assessment results.
The famous spider chart.
At first glance, it seems almost harmless.
In reality, it can be brutally revealing.
Because it forces organizations to confront:
- perceived maturity;
- documented reality;
- and the actual ability to demonstrate what is claimed.
This is where the framework becomes particularly powerful.
CyFun is uncompromising on one essential point:
“You assess your organization at level 3. Very well. Can you show the associated documentation?”
That single question completely changes the dynamic.
Suddenly:
- confidence becomes less certain;
- approximations become visible;
- “yes, of course we do that” turns into frantic searches through SharePoint;
- practices assumed to exist reveal themselves as informal, undocumented, or dependent on a few individuals.
At that moment, the framework becomes less of a technical audit tool and more of an organizational truth detector.
What the exercise really reveals
Having applied it within a large enterprise, I quickly realized that the real challenge was not technical.
It was human.
Because a credible maturity assessment requires:
- pragmatism;
- diplomacy;
- the ability to challenge without alienating;
- and most importantly, cross-functional participation.
The tool itself can be used relatively quickly.
Even with limited tenure inside an organization, it is possible to complete a significant part of the assessment.
A half-day workshop with a CISO or security lead is often enough to establish an initial maturity view.
But that first assessment is only the beginning.
The real work starts when involving:
- operations;
- IT;
- cloud teams;
- product teams;
- business stakeholders;
- architects;
- sometimes even HR or legal departments.
That is where the gaps emerge.
Not necessarily explicit falsehoods.
But omissions.
Grey areas.
Controls that are “supposedly managed.”
Practices that were never formally documented.
Processes entirely dependent on a single individual.
Cybersecurity as organizational maturity
This is perhaps what CyberFundamentals highlights best:
cybersecurity is not merely a control problem.
It is an organizational maturity problem.
The framework does not only assess:
- configurations;
- policies;
- procedures.
Indirectly, it also measures an organization’s ability to:
- structure itself;
- document;
- transfer knowledge;
- demonstrate controls;
- govern consistently.
And in the context of NIS2, this capability is becoming essential.
Organizations will increasingly need to prove their cybersecurity maturity — not simply claim it.
A particularly European approach
Belgium is demonstrating an interesting cybersecurity approach here.
Rather than focusing exclusively on regulatory pressure, the Belgian ecosystem is also trying to:
- guide organizations;
- structure improvement journeys;
- make cybersecurity expectations understandable;
- and help companies mature progressively.
That distinction matters.
And it is likely a direction from which other European countries could learn.
Because between large theoretical frameworks and operational business reality, there is often a considerable gap.
CyberFundamentals attempts to reduce that gap.
Simply.
Pragmatically.
And sometimes, that is exactly what organizations need.