# Maturity Roadmap

Strategic progression from CyFun Basic to ISO 27001 certification

## Overview

This roadmap documents our accelerated progression through the Belgian CyberFundamentals framework levels toward ISO 27001 certification by Q1 2027. Each phase builds on the previous one, with parallel workstreams to meet the aggressive timeline.
## Strategic Rationale

| Phase | Framework | Target | Business Outcome |
|---|---|---|---|
| 1 | CyFun Basic | Q2 2026 | Belgian CCB minimum requirements |
| 2 | CyFun Important + Essential | Q3 2026 | Customer trust, NIS2 preparedness |
| 3 | ISO 27001 | Q1 2027 | Formal third-party certification |
## Current Status

| Metric | Value |
|---|---|
| Framework level | CyFun Basic |
| Total controls | 33 |
| Controls documented | 33 |
| Controls implemented | 15 |
| Controls partial | 16 |
| Controls planned | 2 |
| ISMS site | Operational |
## Roadmap Phases

### Phase 1: CyFun Basic (Q1–Q2 2026) — In Progress

Objective: Achieve full CyFun Basic compliance by implementing all 33 controls with supporting policies, evidence, and procedures.

#### Key Deliverables

| Deliverable | Target | Status |
|---|---|---|
| ISMS documentation site | Q1 2026 | Complete |
| 33 control pages documented | Q1 2026 | Complete |
| Security policies drafted | Q2 2026 | In Progress |
| Evidence pages populated | Q2 2026 | In Progress |
| Priority controls (key measures) to "implemented" | Q2 2026 | In Progress |
| All 33 controls to "implemented" | Q2 2026 | Planned |
#### Success Criteria

- All 33 CyFun Basic controls at "implemented" status
- All policies approved and published with review dates set
- Evidence pages verified and up to date
- Incident response plan tested via walkthrough
- Risk register reviewed quarterly
#### Dependencies

- Management commitment (allocated time for security tasks)
- Tooling decisions finalized (monitoring, access management)
### Phase 2: CyFun Important + Essential (Q3–Q4 2026) — Planned

Objective: Extend coverage to CyFun Important and Essential levels in parallel, adding controls for enhanced protection, structured risk management, continuous monitoring, and supply chain security.

#### Key Deliverables

| Deliverable | Target | Status |
|---|---|---|
| Gap analysis: Basic → Important + Essential | Q3 2026 | Planned |
| Additional controls documented and implemented | Q3 2026 | Planned |
| Enhanced access control (MFA everywhere, PAM) | Q3 2026 | Planned |
| Structured risk assessment methodology (ISO 27005) | Q3 2026 | Planned |
| Continuous monitoring and alerting | Q3 2026 | Planned |
| Incident response tabletop exercise | Q4 2026 | Planned |
| Vulnerability management process | Q4 2026 | Planned |
| Supply chain risk management process | Q4 2026 | Planned |
| Security metrics dashboard | Q4 2026 | Planned |
| Full NIST CSF alignment verification | Q4 2026 | Planned |
#### Success Criteria

- All CyFun Important and Essential controls at "implemented" status
- Risk assessment completed with documented methodology
- At least one IR tabletop exercise conducted and lessons documented
- Vulnerability scanning running on a scheduled basis
- Continuous monitoring operational with alerting
- Supply chain risks documented and mitigated for critical vendors
- Security awareness training completed by all team members
#### Dependencies

- Phase 1 (CyFun Basic) fully complete
- Budget allocation for additional tooling and monitoring infrastructure
### Phase 3: ISO 27001 Certification (Q1 2027) — Planned

Objective: Obtain ISO 27001:2022 certification through formal audit by an accredited certification body.

#### Key Deliverables

| Deliverable | Target | Status |
|---|---|---|
| Statement of Applicability (SoA) | Q4 2026 | Planned |
| Internal audit program established | Q4 2026 | Planned |
| Management review conducted | Q4 2026 | Planned |
| Stage 1 audit (documentation review) | Q1 2027 | Planned |
| Stage 2 audit (implementation assessment) | Q1 2027 | Planned |
#### Success Criteria

- Statement of Applicability covers all Annex A controls
- Internal audit completed with findings resolved
- Management review documented with decisions recorded
- Stage 1 audit passed without major nonconformities
- ISO 27001:2022 certificate obtained
#### Dependencies

- Phase 2 (CyFun Important + Essential) fully complete
- Budget for certification body engagement
- Internal audit competency (training or external auditor)
## Phase Dependencies

| Phase | Enables | Key Enabler |
|---|---|---|
| 1. CyFun Basic (Q2 2026) | Phase 2 | Documented ISMS, baseline controls, operational policies |
| 2. CyFun Important + Essential (Q4 2026) | Phase 3 | Risk management, monitoring, full NIST CSF alignment |
| 3. ISO 27001 (Q1 2027) | Ongoing | Certified ISMS with continual improvement cycle |
## Related Documentation

- Compliance Status — Current implementation status across all controls
- CyFun Basic Controls — Detailed documentation for all 33 Basic-level controls
- Evidence — Asset inventories, risk register, access matrix
- Policies — Security policies and procedures