How to Run a CyFun Mock Audit on Your Own (Belgian NIS2 Self-Check)
A mock audit is the cheapest insurance against a CAB audit going sideways. The exercise: take the CCB CyberFundamentals workbook, score every control honestly against your collected evidence, and find the gaps a Conformity Assessment Body (CAB) auditor would find — before they cost you a re-audit cycle. Here is how to run one yourself.
Why a Mock Audit Is Worth a Week of Effort
A real CAB audit at IMPORTANT or ESSENTIAL tier costs €5K-€25K in audit fees plus weeks of internal effort around the audit week itself. A finding that triggers a re-audit costs a meaningful fraction of that again. A mock audit catches the same finding for the price of one week of focused internal time, before the audit fee meter starts running.
Three patterns the mock audit exercise reliably surfaces:
- Coverage shortfalls hidden in summary numbers. A 95% MFA coverage figure is still a "no" for BASIC PR-AA-01. The mock audit forces you to look at the missing 5% by name.
- Untested artifacts. Backups that exist but were never restore-tested. Incident response plans that were written but never tabletop-exercised. The CCB workbook explicitly references "tested" in the evidence column for RC-BA and RS-IR.
- Orphaned ownership. Policies whose named owner left the organization 18 months ago. Suppliers classified "critical" with no current due-diligence on file. Phase 5's second-reviewer challenge surfaces these every time.
Phase 1 — Evidence Prep (Day 1-2)
Goal. Pull the evidence the workbook expects before scoring anything. Trying to score a control without the artifact in front of you produces wishful numbers, not a real picture.
Concrete actions
- Download the latest CCB CyberFundamentals workbook for your tier (BASIC = 34 controls, IMPORTANT = 132, ESSENTIAL = 217).
- For each control, find the artifact named in the workbook's evidence column: policy reference, screenshot, log sample, training record. If the artifact does not exist or is not retrievable in 5 minutes, mark the control "evidence missing" and move on.
- Compile a single folder (or wiki, or ECP evidence drawer) with one entry per control. Naming convention matters: future-you and the CAB will both thank you.
Phase 2 — Score Documentation Maturity (Day 3-4)
Goal. The CCB rubric scores every control on two axes: Documentation maturity (is the policy/procedure written down?) and Implementation maturity (is it actually being followed?). Phase 2 handles the first axis.
Concrete actions
- For each control, score Documentation 1-5 using the CCB CMMI-derived rubric: 1 = Initial (ad-hoc), 2 = Repeatable (some documentation), 3 = Defined (formal policy), 4 = Managed (measured + reviewed), 5 = Optimizing (continuously improved).
- Be honest. Documentation 5 means the policy is reviewed on a defined cadence with measurable improvement signals — not "we wrote a policy two years ago".
- Common shortfall the CCB has flagged in published guidance: scoring policies that exist but have no documented review cadence as Documentation 4 or 5. The rubric treats those as Documentation 3 at most.
Phase 3 — Score Implementation Maturity (Day 5-6)
Goal. The other axis. A perfectly written policy nobody follows scores high on Documentation and low on Implementation — that is a real and common pattern.
Concrete actions
- For each control, score Implementation 1-5 against actual evidence: log samples, screenshots, attendance records, restore-test reports.
- Implementation 5 requires evidence that the control runs continuously and improves over time — not "we did this once when the auditor was here".
- Coverage shortfalls matter. 95% MFA coverage on admin accounts is still a "no" for BASIC PR-AA-01, which expects all admin accounts. Score the gap as Implementation 2-3 with a remediation note rather than rounding up to 4.
Phase 4 — Gap List + Roadmap (Day 7)
Goal. The mock audit's real output is not the score — it is the gap list. A CAB walks in and the workbook tells them exactly which controls are below threshold; you want that conversation framed by your roadmap, not their findings.
Concrete actions
- Filter the workbook to every control scored below the BASIC threshold (the CCB rubric treats Documentation 2 + Implementation 2 as the minimum for BASIC certification; tier-specific thresholds are higher for IMPORTANT and ESSENTIAL).
- For each gap: target remediation date, owner (a named person, not a role), and dependency (what needs to happen first).
- Update your risk register if a gap materially raises a documented risk. The GV-RM control family explicitly references "documented risk assessment" as evidence — gaps that fail to land in the risk register are doubly visible to a CAB.
Phase 5 — Second-Reviewer Challenge (Day 8)
Goal. A mock audit you score yourself catches a fraction of what a cold reviewer catches. Phase 5 is the discipline that separates a real mock audit from wishful self-scoring.
Concrete actions
- Hand the scored workbook to someone who did not collect the evidence: a colleague, an MSP, a peer compliance lead in another organization.
- Their job: challenge every score above 3. "Show me the artifact behind this 4. Now show me the review cadence behind this 5."
- Drop scores that do not survive the challenge. A workbook that scores honestly with target dates per gap is a stronger position than a wall of green that does not survive a CAB review.
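To make the scoring rules from Phases 1 through 5 concrete, here is an added Python example (not from the article, the CCB workbook, or ECP) that applies them to a few constructed workbook rows and produces the Phase 4 gap list. Assumptions: the control IDs other than PR-AA-01 are placeholders, the caps applied for missing or untested evidence are chosen here rather than stated by the rubric, and a coverage shortfall on an all-or-nothing control is treated as a failed check whatever the maturity score.

```python
from __future__ import annotations
from dataclasses import dataclass, field
BASIC_THRESHOLD = (2, 2)  # (documentation, implementation) minimum for BASIC, per the article

@dataclass
class Control:                        # one workbook row, as self-scored in Phases 2 and 3
    control_id: str
    doc_claimed: int                  # Documentation maturity 1-5
    impl_claimed: int                 # Implementation maturity 1-5
    artifact: str | None              # evidence item from Phase 1; None = "evidence missing"
    review_cadence: str | None = None # e.g. "annual"; None = no documented review cadence
    coverage: float | None = None     # fraction covered for an all-or-nothing control; None = n/a
    tested: bool | None = None        # "tested" controls (RC-BA, RS-IR): False = never tested; None = n/a

@dataclass
class Scored:                         # the honest score plus the reasons it was lowered
    control_id: str
    doc: int
    impl: int
    failed_check: bool = False        # a coverage shortfall is a "no" whatever the score
    notes: list[str] = field(default_factory=list)

def score(c: Control) -> Scored:      # honesty rules from Phases 1-3, applied before the threshold
    s = Scored(c.control_id, c.doc_claimed, c.impl_claimed)
    def cap_impl(limit: int, reason: str) -> None:
        if s.impl > limit:
            s.notes.append(f"Implementation {s.impl}->{limit}: {reason}")
            s.impl = limit
    if c.review_cadence is None and s.doc > 3:  # Phase 2: no review cadence = Documentation 3 at most
        s.notes.append(f"Documentation {s.doc}->3: no documented review cadence")
        s.doc = 3
    if c.artifact is None or c.tested is False:  # Phase 1: no artifact / no test record; cap of 1 is an assumption
        cap_impl(1, "evidence missing" if c.artifact is None else "required test record missing")
    if c.coverage is not None and c.coverage < 1.0:  # Phase 3: partial coverage is a "no", scored 3 at most
        s.failed_check = True
        cap_impl(3, f"coverage {c.coverage:.0%} < 100%")
    return s

def gap_list(controls: list[Control], threshold=BASIC_THRESHOLD) -> list[Scored]:
    return [s for s in map(score, controls)  # Phase 4: below threshold or failed all-or-nothing check
            if s.doc < threshold[0] or s.impl < threshold[1] or s.failed_check]

# Constructed sample rows; only PR-AA-01 is cited in the article, the "XX" ids are placeholders.
SAMPLE = [
    Control("PR-AA-01", 3, 4, "mfa-coverage-report.png", "quarterly", coverage=0.95),
    Control("RC-BA-XX", 4, 4, "backup-policy.pdf", None, tested=False),
    Control("RS-IR-XX", 2, 3, None, "annual", tested=True),
    Control("GV-RM-XX", 3, 3, "risk-register.xlsx", "annual"),
]
```

The `notes` on each scored row are the answers a Phase 5 reviewer would otherwise have to extract by asking "show me the artifact behind this 4"; passing a higher `threshold` tuple models the stricter IMPORTANT and ESSENTIAL bars without inventing their values.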
The Honesty Rubric: Score Like a CAB Reviews
The single biggest failure mode of a self-run mock audit is scoring optimistically. Three rules to keep the exercise honest:
Run the Mock Audit in ECP Instead of in Excel
ECP runs the same CCB CyberFundamentals workbook + 1-5 maturity rubric inside the platform. The Audit Readiness Snapshot is the one-page artifact you hand the Phase 5 reviewer. Live integrations (Microsoft Graph, Sophos, Bitdefender) pull coverage data into the relevant evidence slots automatically — coverage gaps surface as failed control checks, not as a percentage to investigate later.
- CyFun maturity scoring engine surfaces controls below threshold automatically.
- CCB-compatible Excel export — the same workbook a CAB receives.
- Auditor reimport when you go from mock to real: the CAB sends back a marked-up workbook, ECP merges findings into the live state.
- Quarterly re-runs are a button, not a project.
Frequently Asked Questions
Is a mock audit different from the real CAB audit?
Same workbook, same scoring rubric, different signer. A CAB audit is performed by a Conformity Assessment Body accredited by BELAC, and produces a certificate. A mock audit is performed internally (or by an MSP, consultant, or peer reviewer) and produces a confidence calibration plus a gap list. The mock run finds the holes the real audit will find — that is the point.
What happens if my mock audit reveals serious gaps?
Better now than during the real audit. The remediation roadmap from Phase 4 is the artifact that turns "we have gaps" into "we have gaps and here is when each closes". A CAB submission with a credible roadmap is a stronger position than a self-assessment with no documented gaps that does not survive scrutiny.
Do I need a tool to run this, or can I do it in Excel?
Excel works. The CCB publishes the workbook as an Excel file precisely so any organization can run the exercise without buying tooling. The trade-off: you maintain the workbook by hand, you do not get integration evidence (MFA coverage, EDR deployment, backup-test logs) auto-pulled, and your gap list is a separate sheet you manage manually. ECP keeps all of that wired together; for organizations running multiple clients (MSPs especially), that machinery pays back fast.
How often should I run a mock audit?
Once before the first CAB submission, then quarterly thereafter. CyberFundamentals certification is valid 2-3 years with surveillance audits in between — quarterly mock runs catch drift between surveillance audits and keep the workbook in a state where the next audit is a routine update rather than a sprint.
Can my MSP run this for me?
Yes. MSPs running CyFun assessments on behalf of clients is exactly the pattern ECP is built around. The MSP runs the mock audit using the platform, hands the client the Audit Readiness Snapshot, and either drives remediation or hands the workbook to a CAB for the formal audit.