Choosing ISO27001 or CyberFundamentals for NIS2?
What Is CyberFundamentals?
CyberFundamentals (CyFun) is a security framework developed by the Centre for Cybersecurity Belgium (CCB) as a pragmatic response to the growing need for cybersecurity maturity under NIS2. It’s designed for Belgian organisations and aligns directly with the directive’s expectations.
Its main advantage? Simplicity and structure. The framework includes a fixed set of controls mapped to four levels (Small, Basic, Important, Essential), depending on your organisation’s size and NIS2 classification. Each level comes with clearly defined controls, offering a prescriptive checklist of what needs to be in place.
For many smaller organisations, especially those operating locally or not directly regulated, this approach provides clarity without the complexity of international standards. But that simplicity comes with limitations. CyFun is less adaptable, lacks formal certification options, and doesn’t scale well across geographies or complex business models.
What Is ISO/IEC 27001?
ISO/IEC 27001 is the internationally recognised standard for information security management. Where CyFun offers a predefined checklist, ISO27001 provides a flexible, risk-based system to design and operate a fully functional Information Security Management System (ISMS).
ISO 27001 is built around the principles of continuous improvement, using the Plan-Do-Check-Act (PDCA) cycle, and covers a wide range of technical, organisational, and governance-related controls. ISO27001 doesn’t tell you exactly how to do security. Instead, it helps you define the best way to manage your information risks based on your organisation’s needs.
Why regulated entities often choose ISO27001
If your organisation is classified as ‘essential’ under NIS2, or you operate in a heavily regulated sector such as finance, energy, healthcare or transport, ISO27001 is likely the stronger choice.
It provides:
- Auditability with certified bodies, ensuring your controls meet global standards
- Adaptability, so you can tailor your controls to how your organisation actually works
- Trust: formal certification offers a level of assurance to regulators, partners, and clients
The CCB also explicitly recognises full-scope ISO27001 certification (without exclusions) as proof of NIS2 compliance, making it a strategic fit for long-term assurance.
CyFun vs ISO27001: Key Differences at a Glance
While both frameworks support NIS2 alignment, they do so in very different ways. Here’s a condensed view of how they compare:
Feature
Cyberfundamentals
ISO/IEC 27001
Origin
National (CCB Belgium)
International (ISO)
Structure
Prescriptive controls by level
Flexible ISMS model
Scalability
Moderate (4 fixed leves)
High (customisable across units and regions)
Certification
Not formally available
Globally accredited bodies
Implementation time
Short (weeks to months)
Longer (3-13 months)
Integration
Limited
Easily integrates with ISO 9001, 22301, DORA; etc.
Not sure yet? Ask these 5 questions first.
If you’re a regulated entity, or classified as “essential” or “important,” you’ll likely need a more structured approach, which often means ISO27001.
If you’re working in big supply chains or serving large enterprises, ISO certification can act as an accelerator.
CyFun is nationally focused. If you have international operations, ISO27001 offers the consistency and recognition you need.
ISO27001 integrates well with other frameworks, making it easier to streamline compliance across multiple domains.
ISO27001 requires more time and capacity to manage. If that’s a barrier, CyFun may be the more accessible starting point, or Cingulum can help you scale up with CISO-as-a-Service.
Download our full ISO 27001 vs. CyFun guide.
Still weighing your options? Our ebook ISO27001 vs CyberFundamentals: Which Framework Works for NIS2? provides a clear, side-by-side breakdown.
