We were arguably one of the first organizations that went through the verification process, and I understand that finding the right approach takes some time. Personally, I was quite surprised by what seemed like a focus on proving exception percentages. Of course, Cyber Fundamentals is clear about the requirements for a 3 score (i.e. 5% exceptions on documentation, 10% exceptions on implementation), but I did not expect the focus to be that specific, especially for organizations going for the BASIC assurance level.
Based on our progress during the implementation phase, we clearly assessed our documentation level – focused on policies – as sufficient. However, during the verification it became clear that the exception handling defined in the policies wasn’t aligned with the verificator’s expectations.
To meet the requirements for level three, much more developed exception handling capabilities were needed. This led to a lower score on the documentation side. Our assessment on the implementation side was scrutinized, but there were no big immediate findings there.