CyFun Audit Preparation: The 8-Week Plan to Be CAB-Audit Ready
A Conformity Assessment Body (CAB) audit at CyFun BASIC tier is achievable in eight weeks if you work the right artifacts in the right order. This is the plan: what each week produces, what the CCB CyberFundamentals workbook expects to see, and where a managed compliance platform replaces hours of manual scaffolding.
Why These Eight Weeks, In This Order
The CCB CyberFundamentals workbook is the artifact that travels — to a CAB auditor, to an enterprise client doing supplier due diligence, to the Safeonweb @work portal for self-assessment submission. The 8-week plan reverse-engineers that workbook:
- Scope and asset inventory first — every other control references "the assets in scope". Without that list, the workbook is unrenderable.
- Risk register second — the GV-RM control family explicitly references "documented risk assessment" as evidence. Policies that follow are framed as risk treatments.
- Policies before evidence — evidence is meaningless unless a policy says what good looks like.
- Mock run before submission — a cold reviewer finds the gaps the CAB will. Cheaper to fix in W7 than in week 12 of an audit.
New to CyberFundamentals? Start with the introductions to what CyberFundamentals is and how CyFun maturity scoring works before working this plan.
Week 1. Scope: Define What You Are Certifying
Goal. Decide what is in scope and what is out, and write it down. Auditors will not let you redefine scope mid-audit.
What you ship this week
- Scope statement: legal entity, sites, business processes, IT systems in and out of scope.
- Asset inventory: hardware, software, cloud services, data stores, each mapped to the scope item that owns it.
- Stakeholder map: who is responsible for each scope element (named individuals, not roles).
Week 2. Risk Register: Document the Risks Your Controls Mitigate
Goal. A risk register that names threats, ranks them, and points each one at the control(s) that mitigate it. The CCB CyberFundamentals workbook references "documented risk assessment" in its evidence column for the GV-RM control family.
What you ship this week
- Threat list: ransomware, phishing, insider misuse, supplier compromise, data theft, DDoS — at minimum the six the CCB risk catalog highlights for SMEs.
- Likelihood × impact scoring per threat (5×5 matrix is the Belgian default).
- Treatment decisions: mitigate (point at controls), accept (with sign-off), transfer (insurance, contracts), avoid.
Week 3. Policies (1/2): Information Security and Incident Response
Goal. Two of the four policies the CCB workbook checks for: an Information Security Policy approved at management level, and an Incident Response Plan that names roles and decision rights.
What you ship this week
- Information Security Policy: scope, principles, roles, review cadence. Signed by an authority that exists in the org chart.
- Incident Response Plan: severity levels, escalation tree, 24-hour notification path to the CCB (NIS2 Article 23), contact list with backups, lessons-learned template.
Week 4. Policies (2/2): Access Control and Supplier Security
Goal. The remaining two BASIC policies: an Access Control Policy (least privilege, joiner-mover-leaver, MFA enforcement) and a Supplier Security Policy (NIS2 Article 21(2)(d) is non-negotiable).
What you ship this week
- Access Control Policy: identity lifecycle, MFA enforcement, privileged account separation, quarterly access review cadence.
- Supplier Security Policy: critical-supplier criteria, due diligence checklist, contract security clauses, breach notification expectations.
- Supplier register: at least the suppliers tagged "critical" with a documented risk rating.
Week 5. Evidence Collection (1/2): Identity, Access, and Endpoint
Goal. Walk through the BASIC controls in the GV, ID, and PR functions and collect the evidence the workbook's evidence column names. This week handles identity, access, and endpoint protection.
What you ship this week
- MFA enabled for all admin accounts: screenshot of admin role list, screenshot of MFA enforcement policy.
- Joiner-mover-leaver process: the most recent leaver ticket showing access revocation timestamps.
- Endpoint protection deployed: EDR or AV console screenshot showing coverage percentage, patch compliance report.
- Quarterly access review: the most recent review document with sign-off.
Week 6. Evidence Collection (2/2): Backup, Logging, and Awareness
Goal. The remaining BASIC functions: detect, respond, and recover. Backup verification, security logging, and awareness training are the three areas that most often fail a workbook review.
What you ship this week
- Backup verification: most recent restore-test report, retention policy document, evidence that backups are stored offline or immutable.
- Security logging: SIEM or log aggregator screenshot, log retention period, evidence of alert review cadence.
- Security awareness training: completion percentage, training content summary, dates of last campaign per employee.
- Tabletop exercise: incident scenario walkthrough document with named participants and lessons learned.
Week 7. Mock Self-Assessment Run
Goal. A full pass through the workbook scoring rubric against your collected evidence, by someone who did not collect it. The mock run finds the holes a CAB will find.
What you ship this week
- Workbook completed end-to-end with the CCB 1–5 maturity score per control on both Documentation and Implementation axes.
- Gap list: every control scored below the BASIC threshold, with target remediation dates and owners.
- Internal review by a second pair of eyes (a colleague, an MSP, or a peer compliance lead) who challenges every score.
- Updated risk register entries for any gap that materially raises a documented risk.
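One way to mechanise the gap list and the risk-register cross-check from this week, as an added example that is not the article's, the CCB's or ECP's code: it takes per-control Documentation and Implementation scores plus the register's mitigate-to-control mapping and returns the controls below threshold and the documented risks each gap raises. The control IDs, scores, owners, dates and the BASIC threshold of 3 are constructed assumptions, not values from the page.

```python
# Added example, not article, CCB or ECP code: derive the W7 gap list from
# workbook scores and flag the risk-register entries each gap raises. Control
# IDs are NIST CSF-style samples; scores, owners, dates and the threshold of 3
# are constructed assumptions, not values from the page.
from dataclasses import dataclass, field

@dataclass
class ControlScore:
    control: str         # workbook control ID
    documentation: int   # CCB maturity 1-5, Documentation axis
    implementation: int  # CCB maturity 1-5, Implementation axis
    owner: str
    target_date: str     # remediation date if the control is a gap

@dataclass
class Risk:
    name: str
    likelihood: int      # 1-5 on the 5x5 matrix
    impact: int          # 1-5
    treatment: str       # mitigate / accept / transfer / avoid
    controls: list = field(default_factory=list)  # controls a "mitigate" points at

    def score(self) -> int:
        return self.likelihood * self.impact  # cell value in the 5x5 matrix

def gap_list(scores, threshold=3):
    """Controls below threshold on either axis, as remediation-roadmap entries."""
    gaps = []
    for s in scores:
        low = [ax for ax in ("documentation", "implementation") if getattr(s, ax) < threshold]
        if low:
            gaps.append({"control": s.control, "axes": low,
                         "owner": s.owner, "target_date": s.target_date})
    return gaps

def risks_raised(gaps, risks):
    """Documented risks whose mitigation relies on a gapped control, highest score first."""
    gapped = {g["control"] for g in gaps}
    hits = [(r, sorted(gapped & set(r.controls))) for r in risks if r.treatment == "mitigate"]
    return {r.name: c for r, c in sorted(hits, key=lambda h: -h[0].score()) if c}

def sample_data():
    # Constructed sample workbook scores and risk register for a dry run.
    scores = [ControlScore("PR.AC-7", 3, 4, "IT lead", "n/a"),
              ControlScore("PR.IP-4", 2, 3, "IT lead", "2026-07-15"),
              ControlScore("PR.AT-1", 3, 2, "HR lead", "2026-07-31")]
    risks = [Risk("Phishing", 5, 3, "mitigate", ["PR.AT-1", "PR.AC-7"]),
             Risk("Ransomware", 4, 5, "mitigate", ["PR.IP-4", "PR.AC-7"]),
             Risk("DDoS", 2, 3, "transfer")]
    return scores, risks
```

Feed it the real workbook rows and register entries and the returned dictionary is the list of risk-register updates the fourth item above asks for.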
Week 8. Submission: Workbook + Roadmap
Goal. Hand off the workbook. For an important entity past the April 18, 2026 deadline, this is the late self-assessment submission via the CCB Safeonweb @work portal. For an essential entity, this is the CAB engagement kickoff.
What you ship this week
- Final CCB CyberFundamentals workbook (the Excel file the CCB publishes and the CAB expects).
- Remediation roadmap: every gap from W7 with target date, owner, and dependency.
- Scope statement and asset inventory attached.
- For late submitters: a cover note documenting the catch-up timeline and current state.
After Submission: What Happens Next
For a self-assessment submission, the CCB does not return a verdict in the way a CAB does — the submission goes on the record and supports any subsequent supervisory review. For a CAB audit, the auditor returns a marked-up workbook with findings the organization must address.
Either way, the workbook is the working artifact. If you submitted via Safeonweb @work, plan a quarterly review cycle to keep the evidence current. If you went through a CAB, the marked-up workbook becomes the next remediation roadmap — same structure, different starting state.
The April 18, 2027 essential-entity certification deadline is the next pressure point. Important entities at BASIC tier today should plan a tier upgrade if their NIS2 classification or supply-chain pressure pushes them toward IMPORTANT.
Run the 8 Weeks in ECP Instead of in SharePoint
Every artifact in this plan — scope statement, asset inventory, risk register, the four policies, evidence per control, mock-run scoring, remediation roadmap, the CCB-compatible Excel workbook — is a first-class object in Easy Cyber Protection. You work the plan; the platform produces the workbook.
- CyFun-mapped templates for every BASIC, IMPORTANT, and ESSENTIAL control.
- Live integrations (Microsoft Graph, Sophos, Bitdefender, others) feed evidence into the right control automatically.
- CCB-compatible Excel export and CAB auditor reimport (shipped April 2026).
- Audit Readiness Snapshot — the one-page artifact you hand the W7 reviewer.
Frequently Asked Questions
Is 8 weeks realistic for CyFun BASIC audit readiness?
For an organization with reasonable existing security hygiene (MFA, EDR, backups, some documentation), yes. For an organization starting from zero documentation, 12–16 weeks is more realistic — the security work itself takes time, and the workbook cannot evidence what does not exist. The 8-week plan assumes the controls are roughly in place; the work is documenting them and collecting evidence.
Do I need a CAB audit, or is a self-assessment enough?
Important entities under NIS2 owe a self-assessment at minimum BASIC tier (filed via the CCB Safeonweb @work portal). Essential entities owe a Conformity Assessment Body (CAB) audit at IMPORTANT (132 controls) or ESSENTIAL (217 controls) tier by April 18, 2027. Some important entities choose a voluntary CAB audit because enterprise clients ask for an external certificate.
What if my mock run in W7 surfaces serious gaps?
Submit anyway in W8 with the remediation roadmap. The CCB does not penalize organizations for documented gaps with a credible plan; it penalizes organizations for missing evidence and for refusing to remediate. A workbook that scores honestly with target dates per gap is a stronger position than a wall of green that does not survive a CAB review.
Can I use this plan if my deadline already passed?
Yes — this is exactly the catch-up pattern. The April 18, 2026 self-assessment deadline passed, but the CCB Safeonweb @work portal accepts late submissions. Work the 8-week plan, submit the workbook with a roadmap, and you are on the record as remediating before the April 18, 2027 essential-entity certification deadline. See the missed-deadline article for the three remediation paths.
How does this plan map to IMPORTANT or ESSENTIAL tier?
The structure (scope → risk register → policies → evidence → mock run → submission) is the same. The volume changes: IMPORTANT tier covers 132 controls (vs 34 for BASIC), ESSENTIAL covers 217. Allow 16–24 weeks for IMPORTANT and 24–36 for ESSENTIAL with the same week-by-week structure scaled to fit. The CAB audit cycle adds another 4–8 weeks on top.
What does the CCB CyberFundamentals workbook actually look like?
It is the official Excel file maintained by the Centre for Cybersecurity Belgium (CCB), downloadable from the Safeonweb @work portal. Each control has rows for Documentation maturity (1–5) and Implementation maturity (1–5), an evidence column where you reference the artifact (document name, screenshot path, log sample), and a comments column. The same file is what a CAB receives, marks up, and returns.