Maturity Roadmap
Strategic progression from CyFun Basic to ISO 27001 certification
Overview
This roadmap documents our deliberate, multi-year progression through the Belgian CyberFundamentals framework levels toward ISO 27001 certification. Each phase builds on the previous one, scaled to organisational maturity and focused on effective security outcomes.
Strategic Rationale
| Phase | Framework | Business Outcome | Why |
|---|---|---|---|
| 1 | CyFun Basic | Baseline hygiene | Belgian CCB minimum requirements |
| 2 | CyFun Important | Customer trust | Demonstrate maturity to enterprise clients |
| 3 | CyFun Essential | Regulatory readiness | NIST CSF alignment, NIS2 preparedness |
| 4 | ISO 27001 | Certification | Formal third-party validation |
Current Status
| Metric | Value |
|---|---|
| Framework level | CyFun Basic |
| Total controls | 34 |
| Controls documented | 34 |
| Controls implemented | 0 |
| Controls partial | 34 |
| ISMS site | Operational |
Roadmap Phases
Phase 1: CyFun Basic (2026) — In Progress
Objective: Achieve full CyFun Basic compliance by implementing all 34 controls with supporting policies, evidence, and procedures.
Key Deliverables
| Deliverable | Target | Status |
|---|---|---|
| ISMS documentation site | Q1 2026 | Complete |
| 34 control pages documented | Q1 2026 | Complete |
| Security policies drafted | Q2 2026 | In Progress |
| Evidence pages populated | Q2 2026 | In Progress |
| Priority controls (key measures) to "implemented" | Q4 2026 | Planned |
| All 34 controls to "implemented" | Q4 2026 | Planned |
Success Criteria
- All 34 CyFun Basic controls at "implemented" status
- All policies approved and published with review dates set
- Evidence pages verified and up to date
- Incident response plan tested via walkthrough
- Risk register reviewed quarterly
Dependencies
- Management commitment (allocated time for security tasks)
- Tooling decisions finalised (monitoring, access management)
Phase 2: CyFun Important (2027) — Planned
Objective: Extend coverage to CyFun Important level, adding controls for enhanced protection and structured risk management.
Key Deliverables
| Deliverable | Target | Status |
|---|---|---|
| Gap analysis: Basic → Important | Q1 2027 | Planned |
| Additional Important-level controls documented | Q2 2027 | Planned |
| Enhanced access control (MFA everywhere, PAM) | Q2 2027 | Planned |
| Structured risk assessment methodology | Q3 2027 | Planned |
| Incident response tabletop exercise | Q3 2027 | Planned |
| Vulnerability management process | Q4 2027 | Planned |
Success Criteria
- All CyFun Important controls at "implemented" status
- Risk assessment completed with documented methodology
- At least one IR tabletop exercise conducted and lessons documented
- Vulnerability scanning running on a scheduled basis
- Security awareness training completed by all team members
Dependencies
- Phase 1 (CyFun Basic) fully complete
- Budget allocation for additional tooling
Phase 3: CyFun Essential (2028) — Planned
Objective: Achieve CyFun Essential compliance with continuous monitoring, supply chain risk management, and security metrics.
Key Deliverables
| Deliverable | Target | Status |
|---|---|---|
| Gap analysis: Important → Essential | Q1 2028 | Planned |
| Continuous monitoring implementation | Q2 2028 | Planned |
| Supply chain risk management process | Q2 2028 | Planned |
| Security metrics dashboard | Q3 2028 | Planned |
| Full NIST CSF alignment verification | Q4 2028 | Planned |
Success Criteria
- All CyFun Essential controls at "implemented" status
- Continuous monitoring operational with alerting
- Supply chain risks documented and mitigated for critical vendors
- Security metrics reported quarterly to management
- Full NIST CSF mapping validated
Dependencies
- Phase 2 (CyFun Important) fully complete
- Monitoring infrastructure in place
Phase 4: ISO 27001 Certification (2029) — Planned
Objective: Obtain ISO 27001:2022 certification through formal audit by an accredited certification body.
Key Deliverables
| Deliverable | Target | Status |
|---|---|---|
| Risk assessment per ISO 27005 | Q1 2029 | Planned |
| Statement of Applicability (SoA) | Q1 2029 | Planned |
| Internal audit program established | Q2 2029 | Planned |
| Management review conducted | Q2 2029 | Planned |
| Stage 1 audit (documentation review) | Q3 2029 | Planned |
| Stage 2 audit (implementation assessment) | Q4 2029 | Planned |
Success Criteria
- Statement of Applicability covers all Annex A controls
- Internal audit completed with findings resolved
- Management review documented with decisions recorded
- Stage 1 audit passed without major nonconformities
- ISO 27001:2022 certificate obtained
Dependencies
- Phase 3 (CyFun Essential) fully complete
- Budget for certification body engagement
- Internal audit competency (training or external auditor)
Phase Dependencies
| Phase | Enables | Key Enabler |
|---|---|---|
| 1. CyFun Basic | Phase 2 | Documented ISMS, baseline controls, operational policies |
| 2. CyFun Important | Phase 3 | Structured risk management, enhanced controls, IR capability |
| 3. CyFun Essential | Phase 4 | Continuous monitoring, metrics, full NIST CSF alignment |
| 4. ISO 27001 | Ongoing | Certified ISMS with continual improvement cycle |
Related Documentation
- Compliance Checklist — Current implementation status across all controls
- CyFun Basic Controls — Detailed documentation for all 34 Basic-level controls
- Evidence — Asset inventories, risk register, access matrix
- Policies — Security policies and procedures