From Gap Analysis to Passing the Cyfun Verification: Toreon’s view from Inside a Hospital Cyber Fundamentals Verification

By Wim Remes

Belgian hospitals are under growing regulatory pressure. As entities falling under NIS2, they are expected to demonstrate a baseline level of cybersecurity maturity through formal verification against the CCB’s Cyber Fundamentals (CyFun) framework. In theory, the path is clear:

1. Implement the required controls.
2. Gather your evidence.
3. Submit to an accredited conformity assessment body.

In practice, doing this inside a functioning hospital is a different exercise entirely.

Toreon recently guided several Belgian hospitals through this process from initial gap analysis to successful Cyber Fundamentals verification. We sat down with Wim Remes, one of our principal consultants, to get an honest account of what the work involved: the complexity of the healthcare environment, the realities of the verification itself, and what other hospitals should know before their own verification.

1. Can you briefly introduce the engagement — what kind of hospital was this, and why were they pursuing Cyber Fundamentals verification?

My client is a big Flemish hospital with 1000+ beds that already took security quite seriously. That was evident through the technical controls they already had in place. Our interactions with the teams confirmed that. The security mindset was present, they understood what risk entails, and they were driven by a deeply embedded focus on quality. Cybersecurity fits closely with the core mission of care that the hospital has. The hospital, as a member of Shield V.Z.W., chose the Cyber Fundamentals route because the high-quality collateral provided by Shield offered a head start and the framework, being relatively prescriptive, provided a solid foundation to give direction and make clear decisions.

2. Hospitals are operationally complex environments. What made this preparation different from a typical CyFun engagement with, say, an SME or a public administration?

Our most precious asset is time. My client has a complex environment that always needs to stay operational, and at the same time they are in the middle of a merger project. The complexity is largely found in the big number of moving parts, both technically and organizationally. Making the right decisions on what needs to be done now and what needs to be postponed, while keeping our eye on the looming deadlines, is about making hard choices and maintaining focus across a broad team. In a highly dynamic environment, it is easy to get distracted.

3. Where did you start, and how did you structure the preparation work?

Compliance and security are not always the same thing. One of the goals of NIS2 is to make security provable, which leads to compliance. That’s why several streams started at the same time. Many hospitals already have a rather complete set of technologies that can support a well-organized security program. However, in the Confidentiality/Integrity/Availability triad, Availability reigns supreme.

As Voltaire once said: le mieux est l’ennemi du bien. Freely translated: better is the enemy of good.

Compliance is not about doing everything perfectly. It is about doing the required things consistently, documenting them, and being able to improve them over time. This means that our first filter was to identify the bigger gaps and to identify what needed to be put in place to enable this approach, while keeping risk at the center of everything.

4. What were the most significant gaps or surprises you encountered?

After 30 years in the industry, I’m rarely surprised anymore. Many organizations rely on a combination of informal processes and tribal knowledge. This should not surprise anyone.

However, to make security provable in line with Cyber Fundamentals, you need to document processes and knowledge more extensively. It is only when you define the input of the process, the process itself, and its expected outputs that you will be able to measure exceptions. It implies a culture shift of sorts that isn’t that easy to deal with.

A big aspect here is communication. If everybody is clear about the goals and messaging is both supportive and consistent, there is very little a team can’t do.

5. CyFun Basic requires you to demonstrate implementation, not just policy. How did the hospital handle the evidence challenge?

In the weeks before our verification, we gathered more than 150 pieces of evidence and grouped them logically by CyFun control. This required close coordination across many parts of the organization and a concerted effort between our Toreon team and the customer team. This was truly crunch time. The availability of resources on both sides made it difficult to plan review cycles. However, I felt that our evidence collection was of exceptional quality, and the outcome of the verification was positive.

6. How does a Cyber Fundamentals verification actually work in practice — who shows up, what do they look at, and how long does it take?

Most organizations that are planning their basic/important verification today should be expecting anywhere between one and three days for their verification. The verificator, possibly accompanied by one or more observers, will come on site and effectively work in an iterative manner:

  1. Analyze the CSAT (Self Assessment) and supporting evidence.
  2. Ask additional questions based on their analysis.

Their main focus is on confirming that the statements you made in your CSAT are supported by the evidence presented. If that is not the case, the verificator can declare a misstatement and lower the score in your CSAT. You’ll have to consider that if the evidence shows that your score should be higher, the verificator is not allowed to increase the score!

At the end of the verification, a closing meeting is held where the verificator will share their findings.

7. Were there any unexpected moments during the verification, and how did the verifier's findings compare to your own assessment — any blind spots on either side?

We were arguably one of the first organizations that went through the verification process, and I understand that finding the right approach takes some time. Personally, I was quite surprised by what seemed like a focus on proving exception percentages. Of course, Cyber Fundamentals is clear about the requirements for a score of 3 (i.e. 5% exceptions on documentation, 10% exceptions on implementation), but I did not expect the focus to be that specific, especially for organizations going for the BASIC assurance level.

Based on our progress during the implementation phase, we clearly assessed our documentation level – focused on policies – as sufficient. However, during the verification it became clear that the exception handling defined in the policies wasn’t aligned with the verificator’s expectations.

To meet the requirements for level three, much more developed exception handling capabilities were needed. This led to a lower score on the documentation side. Our assessment on the implementation side was scrutinized, but there were no big immediate findings there.

8. Looking back, what is the single most important piece of advice you would give to another hospital that is about to start this journey?

Security and Compliance do not work in isolation. They work together. I feel that our success was primarily rooted in the good understanding between management, compliance specialists, security specialists, and the broader IT team. When each actor understands the others, you can efficiently collaborate and fill in gaps where needed. Strong relationships withstand troubled times. This is not different in the current NIS2 efforts many organizations are working on today and for the next years to come.

5 tips to prepare for your NIS2 verification

  1. The statements in your CSAT (Self Assessment) need to be supported by evidence that shows you meet or exceed the requirements for a score of 3. This means that you should not just show that a control is in place, but that you meet the required maximum level of exceptions (5% for documentation, 10% for implementation).
  2. Policies don’t just have to say what the rules are. They should also be very clear about how exceptions are handled. Without that critical aspect, measuring – and ultimately proving – how well your policy framework works becomes extremely difficult.
  3. The evidence you provide is considered frozen on the date you send your CSAT to the verificator. Any evidence added after that date cannot be considered during the verification.
  4. The score for each control can be decreased by the verificator based on their findings, but it cannot be increased.
  5. The verificator has a limited time to assess your complex organization against a rather complex framework. Your preparation and clear organization of evidence supports them in those efforts.

About the Author:

Asma is a principal cybersecurity consultant passionate about securing systems and enhancing development practices. With expertise in code analysis and scanning technologies, she specializes in identifying vulnerabilities throughout the software development lifecycle. Asma has conducted research into leveraging generative AI for security improvements, exploring how artificial intelligence can enhance threat detection and automate vulnerability assessment. As a trusted advisor to development teams, she combines technical depth with practical strategies to help organizations build robust security into their development processes.