CyberFundamentals vs ISO 27001: Which Do You Need?
Two security frameworks, two different approaches. CyberFundamentals is Belgium's national framework designed for NIS2 compliance. ISO 27001 is the international gold standard. Here's how to choose.
Understanding Both Frameworks
Not sure what CyberFundamentals is? Read our complete introduction first.
CyberFundamentals
- Developed by CCB (Centre for Cybersecurity Belgium)
- Designed specifically for Belgian NIS2 compliance
- Prescriptive: tells you exactly what to implement
- Four tiers (Small, Basic, Important, Essential)
- Progressive approach - start small, grow as needed
- Based on international standards (NIST, ISO, CIS)
ISO 27001
- International standard from ISO/IEC
- Globally recognized certification
- Risk-based: you determine controls based on your risks
- Requires an Information Security Management System (ISMS)
- More flexible but requires more expertise
- Annex A contains 93 controls across 4 themes
Side-by-Side Comparison
| Aspect | CyberFundamentals | ISO 27001 |
|---|---|---|
| Origin | Belgium (CCB) | International (ISO/IEC) |
| Approach | Prescriptive controls | Risk-based ISMS |
| Structure | 4 tiers with set controls | Single standard, flexible scope |
| Controls | 7-140 (by tier) | ~93 (select based on risk) |
| NIS2 Alignment | Direct alignment | Requires mapping |
| Certification | €1k-25k | €5k-50k+ |
| Implementation Time | 1-12 months | 6-18 months |
| Best For | Belgian NIS2 compliance | International recognition |
When to Choose CyberFundamentals
Check who must comply with NIS2 to see if this applies to you. CyberFundamentals is the right choice when:
- You're a Belgian organization subject to NIS2
- You want clear, prescriptive guidance on what to implement
- You're new to formal security frameworks
- You have limited security expertise internally
- Budget is a concern (lower certification costs)
- You primarily do business in Belgium/EU
When to Choose ISO 27001
ISO 27001 is the right choice when:
- You need international recognition
- Customers/partners specifically require ISO 27001
- You already have an ISMS or risk management framework
- You have mature security operations
- You operate in multiple countries
- You want maximum flexibility in control implementation
Can You Do Both?
Yes, and many organizations do. The good news:
- CyberFundamentals is based on international standards including ISO 27001
- About 70-80% of controls overlap between the frameworks
- Work done for one framework counts toward the other
- Some organizations get CyberFundamentals first, then extend to ISO 27001
- Auditors familiar with both can conduct integrated assessments
How They Map Together
See the full breakdown of CyberFundamentals control categories. CyberFundamentals controls map well to ISO 27001 Annex A:
| CyberFundamentals | ISO 27001 Annex A |
|---|---|
| Access Control | A.5.15-A.5.18, A.8.2-A.8.5 |
| Asset Management | A.5.9-A.5.14 |
| Business Continuity | A.5.29-A.5.30 |
| Cryptography | A.8.24 |
| Incident Response | A.5.24-A.5.28 |
| Network Security | A.8.20-A.8.22 |
Full mapping available from CCB. If you're already ISO 27001 certified, you likely meet most CyberFundamentals requirements.
Cost Comparison
Typical costs for Belgian SMEs:
| Cost item | CyberFundamentals | ISO 27001 |
|---|---|---|
| Implementation (internal) | €5k-30k | €15k-60k |
| Certification audit | €1k-15k | €5k-25k |
| Annual surveillance | €500-5k | €2k-10k |
| Total 3-year cost | €10k-60k | €30k-120k |
Costs vary significantly based on organization size, complexity, and chosen level/scope.
Decision Guide
- Are you subject to NIS2 in Belgium?
- Do customers require ISO 27001?
- Do you operate internationally?
- Is this your first security framework?
Not Sure Which to Choose?
Easy Cyber Protection helps you assess your requirements and implement the right framework. Start with our free assessment to understand your needs.
Frequently Asked Questions
Does CyberFundamentals certification satisfy ISO 27001?
No, they're separate certifications. However, if you're CyberFundamentals certified, you've done significant work toward ISO 27001. The gap analysis would be much smaller than starting from scratch.
Is one better than the other?
Neither is objectively "better" - they serve different purposes. CyberFundamentals is optimized for Belgian NIS2 compliance. ISO 27001 provides international recognition. Choose based on your specific needs.
Can I use ISO 27001 for NIS2 compliance?
Yes. The CCB explicitly accepts ISO/IEC 27001:2022 as a valid path to NIS2 conformity, with the same legal presumption of conformity as CyFun (CyberFundamentals). However, you must submit a Statement of Applicability (SoA) to the CCB showing that your controls are equivalent to the appropriate CyFun assurance level. The CCB inspection service will compare your ISO controls against CyFun requirements. For organizations that already have ISO 27001, this is straightforward. For organizations starting from scratch, CyFun is typically faster and cheaper.
Does Microsoft 365, Purview, or Secure Score cover CyFun compliance?
No. Microsoft Purview Compliance Manager and Secure Score are built around the compliance templates Microsoft ships (GDPR, NIST, SOC 2) and Microsoft 365 configurations. They have no CyFun template and cannot map to CCB CyberFundamentals controls. Secure Score gives you a security posture score but generates no audit-ready evidence per CyFun control. Microsoft tools are valuable for securing your M365 environment, but they are not a substitute for CyFun compliance. You still need structured evidence collection, policy documentation, and an audit by a CCB-approved conformity assessment body (CAB). The same applies to other generic compliance tools (Vanta, Drata, etc.) that don't have a CyFun module.
Which is faster to implement?
CyberFundamentals, especially at lower tiers. Small tier can be implemented in weeks. ISO 27001 typically takes 6-18 months due to ISMS requirements.
Will my ISO 27001 auditor understand CyberFundamentals?
Not necessarily. CyberFundamentals requires accredited auditors specifically approved by the CCB. Some auditors are accredited for both.