Apr 14 • Paul C Dwyer

CyFun Cyber Fundamentals: What It Is — and What It Is Not

Across Europe, organisations are grappling with a growing convergence of regulatory pressure, operational risk, and board-level accountability. Frameworks such as NIS2, DORA, ISO/IEC 27001, and NIST CSF 2.0 are no longer theoretical constructs—they are enforceable expectations.


Yet one persistent challenge remains:

How do organisations establish a baseline level of cybersecurity capability that is both credible and scalable—particularly for less mature entities or extended supply chains?

This is precisely where CyFun (Cyber Fundamentals) sits.


What CyFun Cyber Fundamentals Is

1. A Baseline, Outcome-Focused Cybersecurity Framework

CyFun is designed to define and validate minimum viable cybersecurity capability.

It focuses on:

  • Core controls that materially reduce risk
  • Practical, implementable measures
  • Evidence-based attestation (not theoretical compliance)

It answers a critical question:

“What must an organisation demonstrably have in place to be considered fundamentally secure?”

2. A NIS2-Aligned Operationalisation Layer

CyFun translates high-level regulatory expectations—particularly under NIS2—into:

  • Clear control objectives
  • Testable outcomes
  • Verifiable declarations

This makes it especially valuable for:

  • Essential and Important Entities
  • Supply chain assurance programmes
  • National-level cybersecurity uplift initiatives

3. A Supply Chain and Ecosystem Enabler

One of CyFun’s strongest strategic positions is in third-party risk management.

It enables organisations to:

  • Establish minimum cybersecurity entry thresholds
  • Perform consistent supplier assessments
  • Scale assurance across large ecosystems

In contrast to heavyweight frameworks, CyFun is:

  • Faster to deploy
  • Easier to validate
  • More accessible to SMEs

4. An Assurance Mechanism

CyFun supports:

  • Board-level visibility
  • Executive accountability
  • Regulatory defensibility

It provides structured outputs that allow leadership to:

  • Understand baseline risk exposure
  • Demonstrate due diligence
  • Support regulatory reporting
What CyFun Cyber Fundamentals Is Not

1. It Is Not a Replacement for ISO/IEC 27001

ISO 27001 provides:

  • A management system (ISMS)
  • Formal certification pathways
  • Deep governance and control structures

CyFun does not attempt to replicate this.

Instead:

  • It acts as a feeder and foundation
  • It helps organisations prepare for ISO maturity
  • It can coexist as a baseline assurance layer

2. It Is Not a Comprehensive Risk Framework Like NIST CSF 2.0

NIST CSF 2.0 delivers:

  • Full lifecycle coverage (Govern, Identify, Protect, Detect, Respond, Recover)
  • Strategic and operational depth
  • Customisable maturity modelling

CyFun is intentionally:

  • Narrower in scope
  • Outcome-driven rather than maturity-driven
  • Focused on “minimum acceptable state” rather than optimisation

3. It Is Not a Purely Theoretical or Policy-Based Exercise

CyFun avoids:

  • Excessive documentation burden
  • Policy-heavy, low-evidence compliance
  • Abstract control interpretation

Instead, it emphasises:

  • Real-world implementation
  • Demonstrable controls
  • Verifiable outcomes

4. It Is Not a One-Size-Fits-All Silver Bullet

CyFun is:

  • A starting point, not an end state
  • A baseline, not a maturity model
  • A complement, not a competitor

Organisations still require:

  • Broader frameworks (e.g. NIST CSF)
  • Formal governance systems (e.g. ISO 27001)
  • Sector-specific controls (e.g. DORA)
How CyFun Complements ISO 27001 and NIST CSF 2.0

Strategic Positioning

Capability Layer              Role                           Framework
Baseline Security             Minimum viable controls        CyFun
Risk & Maturity Management    Full lifecycle governance      NIST CSF 2.0
Formal Certification & ISMS   Structured governance system   ISO 27001

Practical Integration Model

  • CyFun → Entry point
    • Establish baseline controls quickly
    • Enable supplier onboarding

  • NIST CSF 2.0 → Operational maturity
    • Expand into risk-based governance
    • Develop resilience capabilities

  • ISO 27001 → Formalisation
    • Implement ISMS
    • Achieve certification and audit readiness

Commercial Insight

Organisations that position CyFun correctly can:

  • Accelerate compliance timelines
  • Reduce implementation cost
  • Improve supplier assurance at scale
  • Demonstrate proportionate, risk-based governance

Why This Matters Now

Regulators are shifting from:

  • “Do you have a framework?”

to:

  • “Can you demonstrate control effectiveness?”

CyFun directly supports this transition by:

  • Enabling attestation-based validation
  • Providing evidence-led assurance
  • Supporting regulatory defensibility

The Certified CyFun Professional (CCFP) Programme

To operationalise CyFun effectively, organisations require capability—not just awareness.

The Certified CyFun Professional (CCFP) programme is designed for:

  • Senior executives
  • Compliance leaders
  • Cybersecurity professionals
  • Risk and governance stakeholders

Participants will:

  • Understand CyFun in a regulatory context (NIS2, DORA)
  • Learn how to implement and validate controls
  • Develop the ability to assess and assure third parties
  • Gain a practical, defensible methodology

CyFun is best understood not as another framework—but as a strategic enabler:

A way to establish trust, demonstrate control, and scale cybersecurity assurance across increasingly complex digital ecosystems.