CyberFundamentals vs ISO 27001: Which Do You Need?
Two security frameworks, two different approaches. CyberFundamentals is Belgium's national framework designed for NIS2 compliance. ISO 27001 is the international gold standard. Here's how to choose.
Understanding Both Frameworks
CyberFundamentals
- Developed by CCB (Centre for Cybersecurity Belgium)
- Designed specifically for Belgian NIS2 compliance
- Prescriptive: tells you exactly what to implement
- Four tiers (Small, Basic, Important, Essential)
- Progressive approach - start small, grow as needed
- Based on international standards (NIST, ISO, CIS)
ISO 27001
- International standard from ISO/IEC
- Globally recognized certification
- Risk-based: you determine controls based on your risks
- Requires an Information Security Management System (ISMS)
- More flexible but requires more expertise
- Annex A contains 93 controls across 4 themes
Side-by-Side Comparison
| Aspect | CyberFundamentals | ISO 27001 |
|---|---|---|
| Origin | Belgium (CCB) | International (ISO/IEC) |
| Approach | Prescriptive controls | Risk-based ISMS |
| Structure | 4 tiers with set controls | Single standard, flexible scope |
| Controls | 7-140 (by tier) | ~93 (select based on risk) |
| NIS2 Alignment | Direct alignment | Requires mapping |
| Certification | €1k-25k | €5k-50k+ |
| Implementation Time | 1-12 months | 6-18 months |
| Best For | Belgian NIS2 compliance | International recognition |
When to Choose CyberFundamentals
CyberFundamentals is the right choice when:
- You're a Belgian organization subject to NIS2
- You want clear, prescriptive guidance on what to implement
- You're new to formal security frameworks
- You have limited security expertise internally
- Budget is a concern (lower certification costs)
- You primarily do business in Belgium/EU
When to Choose ISO 27001
ISO 27001 is the right choice when:
- You need international recognition
- Customers/partners specifically require ISO 27001
- You already have an ISMS or risk management framework
- You have mature security operations
- You operate in multiple countries
- You want maximum flexibility in control implementation
Can You Do Both?
Yes, and many organizations do. The good news:
- CyberFundamentals is based on international standards including ISO 27001
- About 70-80% of controls overlap between the frameworks
- Work done for one framework counts toward the other
- Some organizations get CyberFundamentals first, then extend to ISO 27001
- Auditors familiar with both can conduct integrated assessments
How They Map Together
CyberFundamentals controls map well to ISO 27001 Annex A:
| CyberFundamentals | ISO 27001 Annex A |
|---|---|
| Access Control | A.5.15-A.5.18, A.8.2-A.8.5 |
| Asset Management | A.5.9-A.5.14 |
| Business Continuity | A.5.29-A.5.30 |
| Cryptography | A.8.24 |
| Incident Response | A.5.24-A.5.28 |
| Network Security | A.8.20-A.8.22 |
A full mapping is available from the CCB. If you're already ISO 27001 certified, you likely meet most CyberFundamentals requirements already.
Cost Comparison
Typical costs for Belgian SMEs:
| Cost item | CyberFundamentals | ISO 27001 |
|---|---|---|
| Implementation (internal) | €5k-30k | €15k-60k |
| Certification audit | €1k-15k | €5k-25k |
| Annual surveillance | €500-5k | €2k-10k |
| Total 3-year cost | €10k-60k | €30k-120k |
Costs vary significantly based on organization size, complexity, and chosen level/scope.
Decision Guide
- Are you subject to NIS2 in Belgium?
- Do customers require ISO 27001?
- Do you operate internationally?
- Is this your first security framework?
Not Sure Which to Choose?
Easy Cyber Protection helps you assess your requirements and implement the right framework. Start with our free assessment to understand your needs.
Frequently Asked Questions
Does CyberFundamentals certification satisfy ISO 27001?
No, they're separate certifications. However, if you're CyberFundamentals certified, you've done significant work toward ISO 27001, and the remaining gap would be much smaller than starting from scratch.
Is one better than the other?
Neither is objectively "better" - they serve different purposes. CyberFundamentals is optimized for Belgian NIS2 compliance. ISO 27001 provides international recognition. Choose based on your specific needs.
Can I use ISO 27001 for NIS2 compliance?
Yes, but you'll need to demonstrate how your ISO 27001 implementation meets specific NIS2 requirements. CyberFundamentals provides direct NIS2 alignment without additional mapping.
Which is faster to implement?
CyberFundamentals, especially at lower tiers. The Small tier can be implemented in weeks. ISO 27001 typically takes 6-18 months due to ISMS requirements.
Will my ISO 27001 auditor understand CyberFundamentals?
Not necessarily. CyberFundamentals requires accredited auditors specifically approved by the CCB. Some auditors are accredited for both.