Compliance Status
Control implementation status with cross-framework mapping for all 33 CyFun Basic controls
Scope: all NextSDS production and corporate systems and the team that operates them. This page tracks the implementation status of all 33 CyFun Basic controls, mapped to ISO 27001 and CIS v8.1.
CyFun Basic — Full Control Mapping
Status legend: Implemented | Partial | Planned | Not Started | N/A

Maturity legend: L0 Non-existent | L1 Initial | L2 Repeatable | L3 Defined | L4 Managed | L5 Optimized
IDENTIFY (10 controls)
Asset Management (ID.AM)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| ID.AM-1 | Physical device inventory | Implemented | L2 | A.5.9 | 1.1 | Asset Inventory |
| ID.AM-2 | Software inventory | Implemented | L2 | A.5.9 | 2.1 | Software Inventory |
| ID.AM-3 | Communication and data flows | Implemented | L2 | A.5.9 | 12.4 | — |
| ID.AM-4 | External information systems | Implemented | L2 | A.5.9 | 2.1 | Software Inventory |
| ID.AM-5 | Resources prioritised | Implemented | L2 | A.5.12 | 1.1 | Asset Inventory |
Governance (ID.GV)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| ID.GV-1 | Cybersecurity policy | Implemented | L2 | A.5.1 | 15.1 | Info Security Policy |
| ID.GV-3 | Legal requirements | Implemented | L2 | A.5.31 | 15.1 | — |
| ID.GV-4 | Risk management | Partial | L2 | A.5.1 | 15.1 | Risk Register |
Risk Assessment (ID.RA)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| ID.RA-1 | Vulnerabilities identified | Implemented | L2 | A.8.8 | 7.1 | Risk Register |
| ID.RA-5 | Risk determination | Implemented | L2 | A.5.12 | 7.6 | Risk Register |
PROTECT (15 controls)
Identity Management & Access Control (PR.AC)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.AC-1 | Credential management | Yes | Partial | L2 | A.5.16, A.5.17 | 5.2, 5.4 | Access Matrix |
| PR.AC-2 | Physical access | No | Partial | L1 | A.7.1, A.7.2 | 6.1 | Asset Inventory |
| PR.AC-3 | Remote access | Yes | Partial | L2 | A.8.20 | 6.4 | Access Matrix |
| PR.AC-4 | Access permissions | Yes | Partial | L2 | A.5.15, A.5.18, A.8.2 | 6.8 | Access Matrix |
| PR.AC-5 | Network integrity | Yes | Implemented | L2 | A.8.22 | 13.1 | Cloud Infrastructure |
Awareness & Training (PR.AT)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.AT-1 | Users trained | Yes | Planned | L1 | A.6.3 | 14.1 | Training Log |
Data Security (PR.DS)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.DS-1 | Data-at-rest protected | No | Implemented | L2 | A.8.24 | 3.6 | Cloud Infrastructure |
| PR.DS-2 | Data-in-transit protected | No | Implemented | L2 | A.8.24 | 3.10 | Cloud Infrastructure |
| PR.DS-3 | Asset disposal | No | Partial | L1 | A.7.14 | 3.4 | — |
| PR.DS-7 | Dev/test separation | No | Implemented | L2 | A.8.31 | 16.1 | — |
Information Protection (PR.IP)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.IP-4 | Backups | Yes | Implemented | L2 | A.8.13 | 11.2 | Cloud Infrastructure |
| PR.IP-11 | HR practices | No | Planned | L1 | A.6.1, A.6.5 | 15.1 | — |
Maintenance (PR.MA)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.MA-1 | Patching | Yes | Partial | L2 | A.8.9, A.8.19 | 7.3, 7.4 | — |
Protective Technology (PR.PT)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| PR.PT-1 | Audit logs | Yes | Partial | L2 | A.8.15 | 8.2 | — |
| PR.PT-4 | Communications protection | No | Partial | L2 | A.8.23 | 9.2 | — |
DETECT (4 controls)
| CyFun Control | Description | Key | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|---|
| DE.AE-3 | Event data collected | Yes | Partial | L2 | A.8.15, A.8.16 | 8.2 | — |
| DE.CM-1 | Network monitored | No | Partial | L2 | A.8.16 | 13.6 | Cloud Infrastructure |
| DE.CM-3 | Personnel monitored | No | Partial | L1 | A.8.16 | 13.6 | — |
| DE.CM-4 | Malicious code detected | Yes | Implemented | L2 | A.8.7 | 10.1 | — |
RESPOND (3 controls)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| RS.RP-1 | Response plan | Partial | L2 | A.5.26 | 17.4 | Incident Response Plan |
| RS.CO-3 | Information shared | Partial | L1 | A.5.26 | 17.6 | — |
| RS.IM-1 | Lessons learned | Partial | L1 | A.5.27 | 17.8 | Incident Log |
RECOVER (1 control)
| CyFun Control | Description | Status | Maturity | ISO 27001 | CIS v8.1 | Evidence |
|---|---|---|---|---|---|---|
| RC.RP-1 | Recovery plan | Partial | L2 | A.5.29, A.5.30 | 17.4 | DR/BCP Plan |
Summary
| Metric | Count |
|---|---|
| Total controls | 33 |
| Key measures | 10 |
| Implemented | 15 |
| Partially implemented | 16 |
| Planned | 2 |
| Self-assessment date | 2026-03-11 |
| Attested by | CEO |
| Next review | 2027-03-11 |
Maturity Distribution
| Level | Name | Count |
|---|---|---|
| L1 | Initial | 7 |
| L2 | Repeatable | 26 |
| Average | 1.8 | — |