The starting level Small allows an organisation to make an initial assessment. It is intended for micro-organisations or organisations with limited technical knowledge.
The assurance level Basic contains the standard information security measures for all enterprises. These provide an effective security value with technology and processes that are generally already available. Where justified, the measures are tailored and refined.
The assurance level Important is designed to minimise the risks of targeted cyber-attacks by actors with common skills and resources in addition to known cyber security risks.
The assurance level Essential goes one step further and is designed to address the risk of advanced cyber-attacks by actors with extensive skills and resources.
The Cyberfundamentals Framework is a set of concrete measures to:
- protect data,
- significantly reduce the risk of the most common cyber-attacks,
- increase an organisation's cyber resilience.
The framework is based on and linked with 4 commonly used cybersecurity frameworks: NIST CSF, ISO 27001 / ISO 27002, CIS Controls and IEC 62443.
It uses the functions of any cybersecurity framework.
The levels and key measures
To respond to the severity of the threat an organisation is exposed to, in addition to the starting level Small, 3 assurance levels are provided: Basic, Important and Essential.
Based on our historical data, the measures were retro-fitted against successful cyber-attacks, using anonymized data. The conclusion is that:
- measures in assurance level Basic are able to cover 82% of the attacks,
- measures in assurance level Important are able to cover 94% of the attacks,
- measures in assurance level Essential are able to cover 100% of the attacks.
Based on these attacks, key measures were identified at each level to prioritize the countermeasures that protect against the known cyber-attacks relevant to that assurance level.