Compliance Checklist
CyFun Basic Compliance Status
Control implementation status with cross-framework mapping for all 33 CyFun Basic controls
CyFun Basic — Full Control Mapping
Status legend: Implemented | Partial | Planned | Not Started | N/A
Maturity legend: L0 Non-existent | L1 Initial | L2 Repeatable | L3 Defined | L4 Managed | L5 Optimized
IDENTIFY (10 controls)
Asset Management (ID.AM)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| ID.AM-1 | Physical device inventory | Implemented | L2 | A.5.9 | 1.1 | Asset Inventory |
| ID.AM-2 | Software inventory | Implemented | L2 | A.5.9 | 2.1 | Software Inventory |
| ID.AM-3 | Communication and data flows | Implemented | L2 | A.5.9 | 12.4 | — |
| ID.AM-4 | External information systems | Implemented | L2 | A.5.9 | 2.1 | Software Inventory |
| ID.AM-5 | Resources prioritised | Implemented | L2 | A.5.12 | 1.1 | Asset Inventory |
Governance (ID.GV)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| ID.GV-1 | Cybersecurity policy | Implemented | L2 | A.5.1 | 15.1 | Info Security Policy |
| ID.GV-3 | Legal requirements | Implemented | L2 | A.5.31 | 15.1 | — |
| ID.GV-4 | Risk management | Partial | L2 | A.5.1 | 15.1 | Risk Register |
Risk Assessment (ID.RA)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| ID.RA-1 | Vulnerabilities identified | Implemented | L2 | A.8.8 | 7.1 | Risk Register |
| ID.RA-5 | Risk determination | Implemented | L2 | A.5.12 | 7.6 | Risk Register |
PROTECT (18 controls)
Identity Management & Access Control (PR.AC)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.AC-1 | Credential management | Yes | Partial | L2 | A.5.16, A.5.17 | 5.2, 5.4 | Access Matrix |
| PR.AC-2 | Physical access | No | Partial | L1 | A.7.1, A.7.2 | 6.1 | Asset Inventory |
| PR.AC-3 | Remote access | Yes | Partial | L2 | A.8.20 | 6.4 | Access Matrix |
| PR.AC-4 | Access permissions | Yes | Partial | L2 | A.5.15, A.5.18, A.8.2 | 6.8 | Access Matrix |
| PR.AC-5 | Network integrity | Yes | Implemented | L2 | A.8.22 | 13.1 | Cloud Infrastructure |
Awareness & Training (PR.AT)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.AT-1 | Users trained | Yes | Planned | L1 | A.6.3 | 14.1 | Training Log |
Data Security (PR.DS)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.DS-1 | Data-at-rest protected | No | Implemented | L2 | A.8.24 | 3.6 | Cloud Infrastructure |
| PR.DS-2 | Data-in-transit protected | No | Implemented | L2 | A.8.24 | 3.10 | Cloud Infrastructure |
| PR.DS-3 | Asset disposal | No | Partial | L1 | A.7.14 | 3.4 | — |
| PR.DS-7 | Dev/test separation | No | Implemented | L2 | A.8.31 | 16.1 | — |
Information Protection (PR.IP)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.IP-4 | Backups | Yes | Implemented | L2 | A.8.13 | 11.2 | Cloud Infrastructure |
| PR.IP-11 | HR practices | No | Planned | L1 | A.6.1, A.6.5 | 15.1 | — |
Maintenance (PR.MA)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.MA-1 | Patching | Yes | Partial | L2 | A.8.9, A.8.19 | 7.3, 7.4 | — |
Protective Technology (PR.PT)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.PT-1 | Audit logs | Yes | Partial | L2 | A.8.15 | 8.2 | — |
| PR.PT-4 | Communications protection | No | Partial | L2 | A.8.23 | 9.2 | — |
DETECT (4 controls)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| DE.AE-3 | Event data collected | Yes | Partial | L2 | A.8.15, A.8.16 | 8.2 | — |
| DE.CM-1 | Network monitored | No | Partial | L2 | A.8.16 | 13.6 | Cloud Infrastructure |
| DE.CM-3 | Personnel monitored | No | Partial | L1 | A.8.16 | 13.6 | — |
| DE.CM-4 | Malicious code detected | Yes | Implemented | L2 | A.8.7 | 10.1 | — |
RESPOND (3 controls)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| RS.RP-1 | Response plan | Partial | L2 | A.5.26 | 17.4 | Incident Response Plan |
| RS.CO-3 | Information shared | Partial | L1 | A.5.26 | 17.6 | — |
| RS.IM-1 | Lessons learned | Partial | L1 | A.5.27 | 17.8 | Incident Log |
RECOVER (1 control)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| RC.RP-1 | Recovery plan | Partial | L2 | A.5.29, A.5.30 | 17.4 | DR/BCP Plan |
Summary
| Metric | Count |
|---|---|
| Total controls | 33 |
| Key measures | 10 |
| Implemented | 15 |
| Partially implemented | 16 |
| Planned | 2 |
Maturity Distribution
| Level | Name | Count |
|---|---|---|
| L1 | Initial | 7 |
| L2 | Repeatable | 26 |
| Average | 1.8 | — |