NIS2: Assess scope, prioritise measures and build a realistic compliance path.

NIS2

We help clarify whether the organisation is in scope, which assets and services are critical, which measures already exist and which evidence must be produced. The goal is not box-ticking, but making compliance manageable.

  • scope
  • gap analysis
  • prioritisation
  • evidence

CyFun levels in brief

  • Small: an initial assessment for micro-organisations or organisations with limited technical knowledge.
  • Basic: standard information security measures to protect against known cybersecurity risks.
  • Important: measures designed to reduce risks from targeted attacks by actors with common skills and resources.
  • Essential: a stronger level designed to address advanced attacks.

ISO 27001: Structure a useful ISMS aligned with NIS2 and CyFun expectations.

ISO 27001

ISO/IEC 27001 provides a management-system logic: context, risks, objectives, controls and continual improvement. It complements NIS2, which sets regulatory obligations, and CyFun, which provides a progressive Belgian operational reading.

The work is about avoiding decorative paperwork: identifying what exists, linking controls to real risks, building evidence and making the system maintainable.

Practical alignment

NIS2 describes obligations, CyFun helps select an assurance level, ISO 27001 structures the management system, ISO/IEC 27002 details controls, and IEC 62443 becomes relevant for industrial or cyber-physical environments.

Risk assessment: Move from general concern to scenarios, impacts and decisions.

Risk assessment

Good risk assessment starts with visibility: assets, dependencies, exposure, threats, vulnerabilities, business impacts and possible treatments. It should produce decisions, not just a red-orange-green matrix.

Depending on the context, we can combine EBIOS Risk Manager, NIST, ENISA Threat Landscape, CTI and tools such as OpenCTI to connect broad threats with your organisation's reality.

Governance: Create visibility, responsibilities and measurable objectives.

Governance

Cybersecurity governance should make the organisation able to see where it stands, decide where it is going and measure whether it is progressing. That requires guidelines, clear responsibilities, measurable objectives and a steering rhythm adapted to the organisation.

We help formalise useful policies, readable dashboards, realistic processes and prioritisation that connects risks, obligations and operational constraints.

  • asset and responsibility mapping;
  • measurable security objectives;
  • progress and risk indicators;
  • review cadence and continual improvement.

Cyber projects: Secure projects without freezing delivery.

Cyber projects

Cybersecurity projects rarely fail because of tools alone. They fail when risks, costs, benefits, dependencies and responsibilities are not made explicit early enough.

We support S-SDLC, Agile, DevSecOps, logical architecture, control selection, cost-benefit-risk analysis and coordination between business, IT, security and compliance teams.

  • security integration into the development lifecycle;
  • architecture review and non-functional requirements;
  • cost, benefit, risk and compliance trade-offs;
  • pragmatic follow-up until deliverables are usable.

Specific needs: When the problem does not politely fit into a category.

Specific needs

Every organisation has its own history, constraints, emergencies and blind spots. We start from the real problem rather than from a fixed catalogue.

Our approach is solution-driven and problem-solving oriented: understand quickly, structure the challenge, identify options, then move forward methodically. Unusual situations do not scare us; they mostly prevent boredom.

Describe your need

Let us discuss your context.

No fixed catalogue or standard pricing: support is shaped around your situation.

info@nguis.com