
CyberFundamentals Framework

Discover how Brainframe can help you to implement and manage your CyberFundamentals compliance efforts effectively


CyberFundamentals 

The CyberFundamentals Framework, developed by the Centre for Cybersecurity Belgium (CCB), is designed to reduce cyber risks and enhance resilience against common threats. Brainframe helps you align with some requirements of this framework by offering an Information Security Management System (ISMS). The framework is divided into assurance levels (Small, Basic, Important, Essential) tailored to different organizational needs, enabling a step-by-step enhancement of security measures. For more information on the CyFun framework, visit the CCB's official website.



The CyberFundamentals framework is structured around five core functions designed to provide a holistic approach to cybersecurity risk management. These functions—Identify, Protect, Detect, Respond, and Recover—work together to help organizations assess and mitigate risks, enhance resilience, and maintain operational continuity in the face of cyber threats. This structured approach ensures that both technical and non-technical stakeholders can align cybersecurity measures with broader organizational objectives, facilitating clear communication and effective decision-making across all levels.

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

The Identify function is foundational in building cybersecurity resilience. This pillar focuses on understanding and managing cybersecurity risks to systems, people, assets, and data. The organization must inventory its physical and software assets, understand data flows, and map relationships with external parties and systems. This enables the organization to recognize its most critical assets and potential vulnerabilities.

Key activities include:

  • Asset management, which involves keeping a detailed inventory of hardware, software, and external systems.
  • Risk assessments to evaluate the impact of threats on organizational objectives.
  • Defining roles and responsibilities within the organization and in relation to third-party providers to ensure everyone knows their part in safeguarding the organization.

The Protect function involves implementing measures and safeguards to reduce the risk of a cybersecurity incident. This function is designed to limit or contain the impact of potential cybersecurity threats. It includes protecting physical and digital access, managing data securely, and ensuring proper employee training.

Important activities are:

  • Access control to ensure only authorized personnel and devices can access sensitive areas.
  • Implementing training programs so employees and third-party stakeholders are aware of their cybersecurity responsibilities.
  • Regular updates of policies and technologies to stay ahead of evolving threats.

The Detect function is concerned with recognizing cybersecurity incidents in a timely manner. This pillar focuses on creating systems that monitor for and identify unusual activities or vulnerabilities before they become critical threats.

Key components include:

  • Continuous monitoring of networks and systems for cybersecurity events.
  • Utilizing technologies such as intrusion detection systems (IDS) to detect threats early.
  • Correlating data from various sources to identify patterns of potential attacks.

The Respond function provides the organization with the capability to handle detected cybersecurity incidents. It involves establishing processes to mitigate the impact of a threat and ensuring business continuity.

Activities include:

  • Incident response plans that guide how personnel should act when a security event occurs.
  • Communication protocols to ensure the right stakeholders are informed in a timely manner.
  • Analysis of incidents to understand the scope and prevent future occurrences.

The Recover function focuses on restoring services after a cybersecurity incident has occurred. It ensures the organization can quickly return to normal operations while learning from the incident to improve future resilience.

Recovery activities involve:

  • Executing disaster recovery and business continuity plans to minimize downtime.
  • Updating and improving systems based on lessons learned from the incident.
  • Engaging with both internal and external stakeholders to coordinate recovery efforts and manage public relations.

Available packages

Small

The "Small" assurance level provides a basic starting point for organizations to evaluate their cybersecurity posture. It is specifically designed for micro-enterprises or those with minimal technical expertise, allowing them to perform an initial assessment of their current security practices and identify key areas for improvement. This level is ideal for those beginning their cybersecurity journey, providing simple and essential measures that are accessible without advanced technical knowledge.

Basic

The "Basic" assurance level includes standard cybersecurity measures that are suitable for all types of enterprises. It provides essential protection by utilizing commonly available technologies and processes to enhance security. These measures are designed to deliver effective security value without requiring specialized resources, and they can be adapted and refined as needed to fit specific organizational contexts. This level is ideal for companies that want to establish a solid foundation of security practices.

Important

The "Important" assurance level aims to significantly reduce the risk of cyber-attacks carried out by adversaries with moderate skills and resources, while still addressing common cybersecurity threats. It is crafted to protect organizations from more sophisticated threats beyond those mitigated by basic security measures, providing an additional layer of defense against actors capable of launching targeted attacks. This level enhances an organization's resilience by focusing on both known risks and emerging threats.

Essential

The "Essential" assurance level takes cybersecurity further by focusing on mitigating risks from advanced cyber-attacks conducted by highly skilled and resourced adversaries. It is designed to protect against sophisticated threats that require a comprehensive set of security measures, ensuring that the organization is resilient against attackers with extensive capabilities. This level offers safeguards for defending against complex cyber-attacks, making it suitable for organizations that need the highest level of security.


CyberFundamentals Best Practices


Framework Familiarization

Familiarize yourself with the CyFun® framework, particularly its assurance levels, and align the implementation to your specific industry's needs. You should also document the roles, responsibilities, and authorities involved in cybersecurity, covering both internal teams and third parties, ensuring proper customization and accountability in the implementation process.


Initial assessment

Begin with an initial assessment by ensuring your organization has an up-to-date inventory of all physical devices, software, and third-party systems. You should also identify critical resources, dependencies, and roles within the supply chain to understand the business environment comprehensively.

 

Gap Analysis

Conduct a gap analysis to compare your current cybersecurity posture against the CyFun "Important" assurance level, including a risk assessment of hardware, software, personnel, and data. Based on the findings, develop a risk management strategy, prioritizing key risks and responses, and actively involve both internal and external stakeholders in the process.

Framework Implementation

Establish cybersecurity policies that align with CyFun controls, including policies on access control, data protection, and third-party management. Implement technical safeguards, such as network segmentation, firewalls, and multi-factor authentication (MFA) for critical systems. Define and manage access permissions following the principles of least privilege and separation of duties, ensuring robust identity management and monitoring.


Training and Awareness

Ensure that the organization provides cybersecurity training for all employees, including privileged users, external stakeholders, and third-party providers, covering their roles in protecting information assets. Organize cybersecurity awareness campaigns and conduct simulation exercises, such as phishing drills and incident response tests, to improve awareness and enhance the organization's response capabilities.


Ongoing Assessment and Improvement

Set up ongoing audits and vulnerability scans to continuously identify system weaknesses, with key performance indicators established to measure implementation success. Develop incident response and recovery plans, and test them regularly with all relevant stakeholders to maintain preparedness.


Compliance and Reporting

Ensure the organization complies with all legal, regulatory, and framework-specific obligations, implementing regular reviews of the risk management process. Provide ongoing reports and updates regarding the framework's implementation status and identified risks, ensuring key decision-makers remain well-informed throughout the process.

Brainframe overview

Asset Management

Brainframe enables you to maintain a comprehensive inventory of your assets, seamlessly mapping them to the processes they support. It allows you to assign a criticality level to each asset, ensuring you can effectively prioritize and manage your organization's key resources. 

Risk Management

Brainframe allows you to define your risks for each asset or process, determine their criticality level, plan for and prioritize their mitigation, and offers a comprehensive view to track all your risks in a centralized dashboard.

Policy Management

Leverage Brainframe's comprehensive templates to efficiently develop the policies and procedures mandated by CyberFundamentals. Assign specific roles and responsibilities to management, ensuring their active involvement and accountability in the policy creation and decision-making process. 

Maturity Management

Map your controls to their requirements and track your compliance frameworks' maturity level. Thanks to the deep integration with the task manager, you can show your progress and improve your audit efficiency.



Achieve CyberFundamentals compliance with Brainframe

While Brainframe addresses many of the requirements outlined in the CyberFundamentals framework, it does not claim full compliance with the CyFun Framework. For detailed information on how Brainframe aligns with CyberFundamentals, please contact us or visit our CyFun terms and conditions.

Self-hosted solution

Brainframe can be implemented on your on-premises infrastructure, providing full control over your data and systems. This deployment option supports compliance with internal security policies and regulatory requirements, while offering the same features and capabilities as Brainframe's cloud-based solution. With on-premises implementation, you can tailor the platform to your unique environment, ensuring optimal performance and integration with existing infrastructure.

Cloud solution

Brainframe is also available as a cloud-based solution, offering flexibility and scalability without the need for complex infrastructure management. This deployment option ensures quick implementation and automatic updates, while maintaining a high level of security and compliance. With Brainframe in the cloud, you can access the platform from anywhere, enabling seamless collaboration and ensuring that your organization stays resilient and up-to-date with minimal overhead.

Here is how Brainframe can help you with some of the CyberFundamentals requirements:

Asset Management

CyberFundamentals requirement

Brainframe Solution

ID.AM-1: Physical devices and systems used within the organization are inventoried. 

Organizations must maintain an up-to-date inventory of all assets related to information processing. This inventory should be regularly reviewed and updated to ensure accountability, with details like device type, manufacturer, serial numbers, and physical location. The use of IT asset management tools is recommended to streamline this process.

  • Brainframe provides a comprehensive document management system where you can inventory all of your physical assets and visualize them in a helicopter view.
  • You can customize each asset's properties to store all the important information such as device type, serial number, owner, etc.
  • You can set periodic review dates for assets to ensure they are up-to-date.
  • You can assign an asset to the relevant stakeholders and set up notifications to make sure they are accountable for the management of the asset.

ID.AM-2: Software platforms and applications used within the organization are inventoried.

Organizations must maintain a detailed and up-to-date inventory of all software platforms and applications, including those that are outsourced. This inventory should cover essential details like name, description, version, and business purpose. Regular reviews and updates are necessary, and IT asset management tools can be used to streamline the process. Accountability for software management should also be clearly defined.

  • With Brainframe's document management system, you can keep an inventory of all your digital assets and visualize them in a helicopter view.
  • You can customize each asset's properties to store all the important information such as version, business purpose, supplier, etc.
  • You can set periodic review dates for assets to ensure they are up-to-date.
  • You can assign an asset to the relevant stakeholders and set up notifications to make sure they are accountable for the management of the asset.

ID.AM-3: Organizational communication and data flows are mapped.

Organizations must identify and map the types of information they store and use, linking this data to physical devices, systems, and software platforms. All connections within the ICT/OT environment should be documented, approved, and regularly updated. This documentation must include details on interfaces, data characteristics, security requirements, and protocols.

  • Brainframe allows you to link a document to another, and visualize the dependencies in a helicopter view.
  • You can add properties to any asset to ensure proper documentation.
  • To visualize the data flow, you have access to a diagram creator where you can graphically map the assets between themselves and direct the information flow.
  • To make sure your documentation is approved and up-to-date, you can schedule periodic reviews to automatically notify the stakeholder that a review action must be taken.

ID.AM-4: External information systems are catalogued.

Organizations must map, document, authorize, and regularly update all external services and their connections. This includes systems for which the organization does not have direct control, such as cloud services, SaaS, and APIs. Information flows to and from external systems should also be documented and updated as needed, with external service providers required to specify the functions, ports, protocols, and services necessary for these connections.

  • Brainframe allows you to create and customize all your assets in a comprehensive document management system, including external ones.
  • You can send out your custom forms to external suppliers and require them to take an action like completing or approving your documentation.
  • You can easily visualize your external assets with a helicopter view.
  • You can keep track of your suppliers with the Suppliers module, where you can also visualize the assets linked to those suppliers.

ID.AM-5: Resources are prioritized based on their classification, criticality, and business value.

Organizations should prioritize their resources, including hardware, software, data, and personnel, based on their classification, criticality, and business value. This involves assessing the potential impact of data being exposed, damaged, or inaccessible. Resources should be categorized (e.g., Public, Internal, Confidential) and communicated clearly to ensure proper handling. The classification should address confidentiality, integrity, and availability (C-I-A) to ensure comprehensive protection of assets.

  • With Brainframe's "everything is a document" concept, you can easily modify any asset's properties, and create templates if you want to reuse them, to assign a criticality level, a business value, or a classification to it. 
  • The Risk module allows you to assess the risk related to any asset and configure it according to your business needs so that you have a better overview of where resources should be allocated.
  • Brainframe comes with a pre-configured classification system for confidentiality, integrity, and availability.
  • You can visualize your risks based on their criticality levels.

ID.AM-6: Cybersecurity roles, responsibilities, and authorities for the entire workforce and third-party stakeholders are established.

Organizations must document, review, and update information security and cybersecurity roles, responsibilities, and authorities, ensuring alignment with internal and external stakeholders. This involves clearly defining who is responsible, accountable, consulted, and informed for various security tasks. Key functions, including legal and threat detection, should have well-established roles, and responsibilities should extend to third-party providers who have access to the organization's ICT/OT environment.

  • Brainframe's Document Management system allows you to create roles for your cybersecurity initiatives, and assign them to any employee.
  • The properties of each role are fully customizable, allowing you to define all the tasks that a stakeholder is assigned.
  • With the Task Management module, you can assign a task to any role, and the relevant stakeholder will be notified, whether they are internal or external.
  • Stakeholders can visualize all their tasks in a kanban view to keep track of their responsibilities.


Business Environment

CyberFundamentals requirement

Brainframe Solution

ID.BE-1: The organization's role in the supply chain is identified and communicated.

Organizations must identify, document, and communicate their role within the supply chain, clearly understanding who is upstream and downstream. This includes recognizing which suppliers provide critical services, products, or capabilities. The organization should also ensure that its position and importance within the supply chain are clearly communicated to both upstream and downstream partners.


  • Our dedicated "Supplier" module allows you to classify your suppliers based on criticality, position, importance, or any other property you configure.
  • It also allows you to link them to the services or products they provide.

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.

Organizations must establish and communicate clear priorities for their business objectives and activities. This includes determining and prioritizing the organizational mission and goals, as well as assessing information protection needs. Processes should be adjusted as needed to align with these priorities, ensuring a practical and achievable security strategy. 

  • Brainframe allows the creation, documentation, and distribution of security policies that align with business objectives, ensuring consistency across the organization.
  • With the Risk module, you can easily assess the risks related to various assets and processes, helping prioritize activities based on their criticality and business impact.
  • It tracks compliance with established objectives and standards and sends alerts on any deviation, helping ensure that priorities are consistently met.

ID.BE-4: Dependencies and critical functions for delivery of critical services are established.

Organizations must identify, document, and prioritize dependencies and mission-critical functions necessary for delivering essential services. This process should be integrated into the overall risk assessment, ensuring that all critical components, including support services, are recognized and managed based on their importance to business continuity.

  • With the Document Management system, you can map functions to services and easily visualize the dependencies between them.
  • When doing your risk assessment, you can define the criticality of functions based on their importance to your essential service.
  • Brainframe provides a comprehensive view of these risks to help you prioritize based on risk level and function importance.
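The dependency mapping described under ID.AM-3, ID.AM-4 and ID.BE-4 is, in the end, a graph problem: a critical service is only as resilient as everything it transitively depends on, and supplier-managed nodes in that chain fall into the supply-chain scope. The following Python is an added illustration of that logic and is not Brainframe's code; the asset inventory is a constructed sample, and the `managed_by` and `criticality` fields are assumed property names chosen for the example. It walks the dependency graph from each classified service, propagates the highest dependent criticality down onto supporting assets, and lists the external assets a given service relies on.

```python
from collections import deque

# Constructed sample inventory (not real data). Only the two business
# services carry a criticality set by the business (1 = low .. 4 = critical);
# supporting assets start unclassified (None). `managed_by` is an assumed
# property: "internal" or the name of the supplier operating the asset.
ASSETS = {
    "customer-portal": {"managed_by": "internal",   "criticality": 4,
                        "depends_on": ["web-frontend", "api-gateway"]},
    "reporting":       {"managed_by": "internal",   "criticality": 2,
                        "depends_on": ["orders-db"]},
    "web-frontend":    {"managed_by": "internal",   "criticality": None,
                        "depends_on": ["cdn"]},
    "api-gateway":     {"managed_by": "internal",   "criticality": None,
                        "depends_on": ["auth-service", "orders-db"]},
    "auth-service":    {"managed_by": "idp-vendor", "criticality": None,
                        "depends_on": []},
    "orders-db":       {"managed_by": "internal",   "criticality": None,
                        "depends_on": ["db-host-01"]},
    "db-host-01":      {"managed_by": "internal",   "criticality": None,
                        "depends_on": []},
    "cdn":             {"managed_by": "cdn-vendor", "criticality": None,
                        "depends_on": []},
}


def transitive_dependencies(assets, root):
    """Every asset `root` depends on, directly or indirectly.

    Breadth-first walk with a visited set, so a cycle in the inventory
    (a common data-entry mistake) terminates instead of looping forever.
    """
    seen, queue = set(), deque(assets[root]["depends_on"])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(assets[name]["depends_on"])
    return seen


def inherited_criticality(assets):
    """Derive a criticality for every asset.

    A supporting asset inherits the highest criticality of any service that
    depends on it, so a shared database under a critical service is treated
    as critical even if it was never classified directly.
    """
    result = {name: (a["criticality"] or 0) for name, a in assets.items()}
    for name, asset in assets.items():
        if asset["criticality"] is None:
            continue
        for dep in transitive_dependencies(assets, name):
            result[dep] = max(result[dep], asset["criticality"])
    return result


def external_dependencies(assets, root):
    """Supplier-managed assets in `root`'s dependency chain (ID.AM-4 scope)."""
    return sorted(d for d in transitive_dependencies(assets, root)
                  if assets[d]["managed_by"] != "internal")


if __name__ == "__main__":
    for name, level in sorted(inherited_criticality(ASSETS).items()):
        print(f"{name:16} criticality={level}")
    print("external deps of customer-portal:",
          external_dependencies(ASSETS, "customer-portal"))
```

Running the script shows `db-host-01`, `orders-db`, `cdn` and `auth-service` all inheriting criticality 4 from the customer portal, and `auth-service` and `cdn` surfacing as the supplier-managed assets that a critical service cannot operate without.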

ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states.

Organizations must identify, document, and test the necessary requirements for cyber resilience, with approval for their implementation. This includes mechanisms such as failsafe systems, load balancing, and redundancy in data and network infrastructure. Effective business continuity management (BCM) practices, including Business Impact Analysis (BIA), Disaster Recovery Plan (DRP), and Business Continuity Plan (BCP), are essential to maintaining service availability. Additionally, organizations should define recovery time objectives (RTO) and recovery point objectives (RPO) to ensure quick restoration of essential systems.

  • Brainframe comes with templates for Business Continuity Plans (BCP), Business Impact Analysis (BIA) documents, and Disaster Recovery Plans (DRP) to help you adapt your policies to your operations.
  • You can send your policies to the relevant stakeholders for approval directly inside the tool, and request an action to ensure they complete it.
  • You can assign review dates directly to assets to make sure they are up-to-date.
  • For each identified risk, you can create a control and visualize how it affects the risk, with a comprehensive view on the initial risk and the residual risk.


Governance

CyberFundamentals requirement

Brainframe Solution

ID.GV-1: Organizational cybersecurity policy is established and communicated.

Organizations must establish, document, and regularly review policies and procedures for information security and cybersecurity. These guidelines should clearly outline acceptable practices, roles, responsibilities, and expectations for protecting the organization’s resources. Policies need to be accessible to all employees, used for training, and updated at least annually or whenever there are changes in the organization or technology. Senior management must approve and disseminate these policies across the organization, ensuring coordination among various security functions throughout the lifecycle of ICT/OT systems.

  • Brainframe offers a number of built-in template policies and procedures to help with your documentation. These are fully customizable and adaptable to your organization.
  • You can share these documents with the relevant stakeholders and responsible parties, assign tasks such as the approval or review of a document, and track whether each responsible party has completed their task, which is particularly useful when trying to involve senior management.
  • You can send out documents directly via Brainframe to your employees to keep them up-to-date with your policies and procedures.

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood, and managed.

Organizations must ensure that legal and regulatory requirements concerning information and cybersecurity, including privacy obligations, are fully understood, implemented, and managed. Regular reviews are necessary to maintain continuous compliance, and these requirements extend to contractors and service providers who may handle or have access to sensitive information.

  • In the "Workbench" module, you have access to a comprehensive view of your legal and regulatory status. This allows you to translate your regulatory processes into a Kanban view, and have a good visibility on your progress.
  • Each requirement can be documented, scheduled for review, and managed inside the Workbench module. 
  • Optionally, you can add your legal and regulatory document directly to the "Risks" module for further risk management.

ID.GV-4: Governance and risk management processes address cybersecurity risks.

A comprehensive strategy to manage information security and cybersecurity risks must be developed as part of the company's overall risk management. This strategy should outline the allocation of resources necessary to safeguard business-critical assets and ensure that all identified risks are documented, formally approved, and regularly updated to reflect any changes. Utilizing risk management tools can streamline this process.

  • With Brainframe, you have access to all the tools to identify, assess, and prioritize cybersecurity risks, ensuring a clear understanding of potential threats via the Risk module.
  • Brainframe maintains a comprehensive record of all identified risks, approved strategies, and mitigation plans, ensuring easy updates and access.
  • Have a clear view on your risk landscape with a risk matrix, customizable to your risk management process, and allocate your resources according to your needs.


Risk Assessment

CyberFundamentals requirement

Brainframe Solution

ID.RA-1: Asset vulnerabilities are identified and documented.

Organizations must establish a process to continuously monitor, identify, and document vulnerabilities in their business-critical systems. Effective vulnerability management involves regular scanning, testing, and validation to ensure potential risks are identified and addressed without disrupting normal operations.

  • You can create your own risks or use one of the common risks built into the software, and assign it to any asset in your inventory.
  • Brainframe provides a dashboard to document, track, and prioritize vulnerabilities, enabling efficient risk mitigation efforts.
  • You can set up periodic testing for all vulnerabilities and prioritize them according to their criticality using the Task Management module, and visualize your progress in a kanban view.

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Organizations must conduct comprehensive risk assessments to evaluate risks based on identified threats, vulnerabilities, and their impact on business processes and assets. These assessments should consider both internal and external threats and evaluate the potential consequences on the confidentiality, integrity, and availability of assets. Organizations are encouraged to use both qualitative and quantitative analysis methods and document the results. Risk assessment findings should be communicated to relevant stakeholders to ensure appropriate mitigation actions are taken.

  • Thanks to the visibility you have on your assets and their dependencies, you can conduct exhaustive risk assessments, ensuring you don't accidentally miss something.
  • With the ability to link assets with threats, vulnerabilities, and business processes, you can easily assess a risk and its impact.
  • You can organize your risk assessment initiatives by assigning them to the department or business unit responsible for each asset. This method simplifies the process while maintaining full visibility in Brainframe, enabling you to see how assets and processes are interconnected across different departments.
  • Communications on your risk assessment findings are easily shared inside Brainframe, which allows you to send them to the stakeholders and request their review.


ID.RA-6: Risk responses are identified and prioritized.

Organizations must develop and implement a comprehensive strategy to manage risks to their critical systems, which involves identifying and prioritizing appropriate risk responses. This strategy should engage both management and employees, clearly define which assets are most critical, understand the potential impact of their compromise, and outline how effective mitigation measures will be implemented to protect these assets.

  • Inside the "Risks" module, you have access to various tools that can help you manage your risk strategy.
  • The risk matrix can help with risk prioritization, giving you a comprehensive view of your risks according to their level of criticality.
  • You can plan your risk response strategy for the future, giving you a clear view on risk reduction.
  • You can visualize your risk levels for the future, to ensure that your planned mitigations will be efficient enough to reduce your risks to the desired level.


Risk Management Strategy

CyberFundamentals requirement

Brainframe Solution

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders.

Organizations must establish a cyber risk management process that identifies key internal and external stakeholders. This process should facilitate the effective handling of risk-related issues and information. It should be thoroughly documented, regularly reviewed, and updated whenever there are changes. External stakeholders might include customers, investors, shareholders, suppliers, government agencies, and the wider community.

  • Brainframe allows you to assign risks to their stakeholders, whether they are internal or external. 
  • You can customize the properties of any risk you have identified and include all the relevant information.
  • When an action such as a review or an update is required on a risk, you can quickly notify the relevant stakeholder and require an action to be completed, ensuring their inclusion in the process.

ID.RM-2: Organizational risk tolerance is determined and clearly expressed.

Organizations must clearly define their risk appetite, ensuring that it aligns with their information security and cybersecurity policies. This coherence between risk tolerance and security measures helps demonstrate a consistent and strategic approach to managing risks.

  • You can fully customize your risk types, either with your own custom methodologies, or with Brainframe's built-in one. 
  • You can define your risk appetite, and your risk matrix will automatically indicate which risks exceed it based on your configuration, helping you with your prioritization efforts.
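ID.RA-5, ID.RA-6 and ID.RM-2 together describe one calculation: a risk is scored from likelihood and impact, controls reduce that score to a residual value, and the residual value is compared against a declared appetite to decide what is acceptable and what is prioritized. The Python below is an added worked example of that calculation and is not Brainframe's implementation; the 5x5 likelihood-by-impact matrix, the rating bands and the way controls are modelled (as steps removed from the likelihood or impact scale) are assumptions chosen for the example, and the risk register is constructed sample data.

```python
from dataclasses import dataclass, field

# Assumed 5x5 risk matrix: score = likelihood level * impact level (1..25).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A mitigation, modelled as steps it removes from each scale (assumption)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)


def inherent_risk(risk):
    """Score before any control is applied (ID.RA-5: likelihood x impact)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_risk(risk):
    """Score after controls; neither scale can drop below 1 (a risk never vanishes)."""
    lvl = max(1, LIKELIHOOD[risk.likelihood] - sum(c.likelihood_reduction for c in risk.controls))
    imp = max(1, IMPACT[risk.impact] - sum(c.impact_reduction for c in risk.controls))
    return lvl * imp


def rating(score):
    """Assumed rating bands on the 1..25 matrix."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def evaluate(risks, appetite):
    """Rank risks by residual score and flag those above the appetite (ID.RM-2)."""
    rows = []
    for r in risks:
        inh, res = inherent_risk(r), residual_risk(r)
        rows.append({"asset": r.asset, "threat": r.threat, "inherent": inh,
                     "residual": res, "rating": rating(res),
                     "acceptable": res <= appetite})
    # Stable sort keeps register order among equal scores, highest residual first.
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


def unacceptable(risks, appetite):
    """Assets whose residual risk still exceeds the appetite after planned controls."""
    return [row["asset"] for row in evaluate(risks, appetite) if not row["acceptable"]]


# Constructed sample register (not real data).
RISKS = [
    Risk("orders-db", "ransomware", "likely", "severe",
         [Control("offline backups", impact_reduction=2),
          Control("EDR on database hosts", likelihood_reduction=1)]),
    Risk("customer-portal", "credential stuffing", "almost certain", "major",
         [Control("MFA on customer accounts", likelihood_reduction=3)]),
    Risk("cdn", "supplier outage", "possible", "moderate"),
]
APPETITE = 8  # assumed: residual scores above 8 need treatment before acceptance

if __name__ == "__main__":
    for row in evaluate(RISKS, APPETITE):
        flag = "ok" if row["acceptable"] else "EXCEEDS APPETITE"
        print(f"{row['asset']:16} {row['threat']:20} inherent={row['inherent']:2} "
              f"residual={row['residual']:2} {row['rating']:6} {flag}")
```

With these inputs the ransomware scenario falls from 20 to 9 after backups and EDR, MFA brings credential stuffing from 20 to exactly the appetite of 8, and the untreated supplier-outage risk stays at 9; the two risks above 8 are the ones that need further controls or a documented acceptance decision, which is the prioritization step ID.RA-6 asks for.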


Supply Chain Risk Management

CyberFundamentals requirement

Brainframe Solution

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.

Organizations must establish a documented cyber supply chain risk management process that is regularly reviewed, approved, and updated when changes occur. This process should facilitate the identification, assessment, and mitigation of risks arising from the interconnected nature of ICT/OT products and service supply chains, ensuring comprehensive management of supply chain security.

  • Just like all other assets or processes, you can manage the risks related to your suppliers directly in Brainframe. 
  • You can send out tasks to your suppliers even if they are external, and require approvals, reviews, or updates to documentation and ensure their involvement in the risk management process.
  • In the Suppliers module, you have access to a comprehensive view of your suppliers, and all the assets or processes they are linked to.

ID.SC-2: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.

Organizations must conduct cyber supply chain risk assessments at least once a year or whenever there are changes to critical systems, the operational environment, or the supply chain. These assessments should be documented, and the results shared with relevant stakeholders. Additionally, organizations should maintain an up-to-date list of suppliers, vendors, and partners, both online and offline, which includes their contact information and the services they provide.

  • With Brainframe, your systems, components, and services that are outsourced can be managed just like they were internal, and the same risk management processes can be applied to them.
  • You can perform a dedicated "Supplier onboarding" inside the "Forms" module.
  • With the advanced forms, the replies to the questions can be used to automatically produce an initial risk rating, saving you tons of time.
  • Assets and processes that are managed by an external provider can be identified by linking them to a supplier.
  • All the information related to a supplier and relevant to your organization can be tracked inside the Supplier module.

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.

Based on the findings of cyber supply chain risk assessments, organizations should establish a contractual framework with suppliers and external partners to manage the sharing of sensitive information and interconnected ICT/OT products and services. Contracts should include specific information security and cybersecurity requirements, ensuring a verifiable flaw remediation process to address identified vulnerabilities. Contracts should also permit the organization to review the cybersecurity programs of suppliers and partners to verify adherence to security requirements.


  • All the documents related to your suppliers (contracts, NDAs, DPAs, SLAs,...) can be uploaded directly to Brainframe, and linked to the supplier.
  • The reminder feature ensures you never miss a review and allows timely remediation of any issue that may arise.
  • You don't have to fill in your documents manually based on your suppliers' answers: you can ask them to enter the information directly inside Brainframe, saving precious time.

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.

Organizations must routinely review assessments of suppliers' and third-party partners' compliance with contractual obligations by examining audits, test results, and other evaluations. The depth of the review should be based on the criticality of the products and services provided, ensuring that independent audits and evaluations are used to verify compliance.

  • Brainframe allows you to create any form of evaluation, from due diligence to risk assessment questionnaires, which you can submit directly to your third-party service providers and store their responses inside the tool to ensure their participation.
  • Sorting your assets based on their criticality will allow you to prioritize certain suppliers, and customize your forms in depth based on the criticality.
  • To ensure that you are up-to-date, you can schedule your reviews and make sure you don't miss out on a deadline.

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers.

Organizations must identify and document key personnel from suppliers and third-party partners, including them as stakeholders in response and recovery planning activities. This ensures that these partners are actively involved in the testing and execution of response and recovery plans.

  • With Brainframe, you can include external personnel from suppliers and assign them as stakeholders for the assets or processes they are responsible for.
  • You can send them tasks such as document approval or review that they can complete directly inside your Brainframe instance to ensure they are involved.


Awareness & Training

CyberFundamentals requirement

Brainframe Solution

PR.AT-1: All users are informed and trained.

Organizations must ensure that all employees, including users and managers of ICT/OT systems, receive appropriate training on information security policies upon hiring and on a regular basis thereafter. Training should be continuously updated and reinforced through awareness campaigns. Security awareness training must also include insider threat recognition and reporting, and should be communicated regularly and engagingly to ensure everyone understands their responsibilities. Practical scenarios and regular simulation exercises can help reinforce learning. 

  • You can create your trainings in any format you'd like, written or video, and keep them inside Brainframe's Document Management system.
  • You can send them directly to your employees and to the relevant people who should attend, through the document distribution feature.
  • Brainframe allows you to keep an audit trail of which trainings your employees have completed.
  • Send reminders and notifications to ensure completion of the trainings.



Information Protection Processes & Procedures

CyberFundamentals requirement

Brainframe Solution

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles.

Organizations must develop, document, and maintain a baseline configuration for their business-critical systems, ensuring that these configurations are regularly reviewed and updated.  Baseline configurations should include details on system versions, patch status, configuration settings, network topology, and the placement of components within the system architecture.

  • Brainframe's fully customizable documents allow you to define and document baseline configurations for your business-critical systems.
  • You can schedule periodic reviews of the documents, require the responsible person to take actions such as review or approval, and track their progress.
  • You can add as many properties as are relevant, such as settings, versions, patch status, etc.

PR.IP-2: A System Development Life Cycle to manage systems is implemented.

The system and application development life cycle must incorporate security considerations throughout all phases, including specification, design, development, and implementation. This involves ensuring that security is integrated into the acquisition of business-critical systems and their components, and providing training on vulnerability awareness for developers. The development process should also include robust configuration management, flaw tracking, change control, and security testing to ensure security-relevant system interfaces are properly designed and implemented.


  • The System Development Life Cycle management is typically a process performed in a dedicated developer tool such as Jira.
  • To let you represent the tasks that are relevant in those tools, Brainframe integrates with them to provide a visual representation inside the ISMS, giving you good visibility of your entire architecture.

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed.

Organizations must establish, maintain, and regularly test incident response and recovery plans, including those for business continuity and disaster recovery, to ensure their effectiveness and readiness. These plans should provide clear instructions for detecting, responding to, and mitigating the effects of cyber-attacks, while addressing recovery objectives, restoration priorities, and personnel roles. 

  • Brainframe provides built-in templates for your incident management efforts, such as Business Continuity Plans (BCP), that you can adapt to your organization and in which you can define relevant information such as instructions, responsible persons, communication practices, etc.
  • You can use it to directly notify the relevant stakeholder or any other contact required in the execution of the plan.
  • Your communication and overview of an incident can be near real-time with Brainframe, as the person responsible for the management of the incident can update the status directly inside the tool so that everyone involved can track the progress.

PR.IP-12: A vulnerability management plan is developed and implemented.

Organizations must establish and maintain a documented process for the continuous review of vulnerabilities and the development of strategies to mitigate them. Regular updates and proactive measures are essential to ensure vulnerabilities are addressed before they can be exploited.

  • Brainframe provides the tools to document your processes for your vulnerability management efforts via the Document Management system, allowing you to have a clear overview of the plan.
  • You can use it to track the status of the plan, see what has been done so far and what remains to be done.


Response Planning

CyberFundamentals requirement

Brainframe Solution

RS.RP-1: Response plan is executed during or after an incident.

An incident response process must be in place and executed during or after a cybersecurity event affecting the organization’s critical systems. This process should include predefined instructions for detecting, responding to, and mitigating the impact of malicious cyber-attacks. Clear roles, responsibilities, and authorities must be established, specifying who is involved, their contact information, and who is authorized to initiate recovery procedures and communicate with external stakeholders. 

  • Brainframe allows you to communicate efficiently between departments in the event of an incident, respond in a timely manner, and ensure that everyone has a clear overview of the status of the incident.
  • Roles and responsibilities can be defined beforehand during the policy creation to make sure that upon detection, you always know who to contact.
  • It provides a centralized space to track the incident, start the recovery procedures, and communicate the crisis to internal or external stakeholders.


Communications

CyberFundamentals requirement

Brainframe Solution

RS.CO-1: Personnel know their roles and order of operations when a response is needed.

Organizations must ensure that all personnel involved in incident response clearly understand their roles, objectives, restoration priorities, task sequences, and specific responsibilities. Regular testing of the incident response plan is essential to ensure its effectiveness, and adjustments should be made after each incident to address any gaps. 

  • You can define roles and objectives inside your incident management policy, send it to the involved parties, and request their explicit approval of the document to make sure that they have reviewed their roles and know what to do in case of an incident.
  • You can schedule regular testing of the incident response plan to test its effectiveness.

RS.CO-2: Incidents are reported consistent with established criteria.

Organizations must implement a clear process for reporting information and cybersecurity incidents on critical systems within a defined time frame. The reporting process should specify who needs to be informed and ensure that all users have a single point of contact for incident reporting, encouraging prompt communication. Reporting criteria should be outlined in the incident response plan to ensure consistency and clarity on when and how to report incidents.

  • Incident reporting is made easy with Brainframe, as it allows you to create the report template once with all the criteria you wish to be outlined, and the stakeholders just have to fill out the form.
  • You can directly link the incident report template to the incident response plan and keep it clear and concise.

RS.CO-3: Information is shared consistent with response plans.

Organizations must ensure that information about information/cybersecurity incidents is communicated to employees in a clear and understandable format. Additionally, incident information should be shared with relevant stakeholders, both internal and external, as outlined in the incident response plan to ensure coordinated and effective responses.

  • Any findings you wish to share with your employees or stakeholders, internal or external, can be shared inside the tool to avoid confusion and unnecessary headaches about who you have shared it with.



Mitigations

CyberFundamentals requirement

Brainframe Solution

RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.

Organizations must implement a comprehensive incident handling capability for information and cybersecurity incidents affecting business-critical systems. This process should cover all phases, including preparation, detection and analysis, containment, eradication, recovery, and documented risk acceptance. Risk acceptance involves formally acknowledging risks that are assessed as manageable and within the organization’s risk appetite, with the risk owner taking responsibility for these decisions.

  • Using Brainframe's Risk Management capabilities, you can define your incident handling processes depending on how you want to handle them (mitigate, transfer, accept,...)
  • It provides a centralized tool to determine the action you want to take on each risk, based on their criticality.
  • Each risk can be assigned properties to justify the action taken to handle it.


Audit trail

Brainframe ensures a comprehensive and automated audit trail by recording all actions, changes, and updates made within the system. It tracks user activities, policy modifications, risk assessments, and compliance measures, providing clear, time-stamped documentation. This detailed audit trail not only simplifies internal and external audits but also ensures transparency, accountability, and alignment with standards like CyberFundamentals.

KPIs

Brainframe enables comprehensive KPI monitoring, providing a centralized dashboard for tracking key performance metrics across departments or product lines. It offers real-time insights to ensure clear visibility into progress and performance. This streamlined approach facilitates data-driven decision-making and helps maintain alignment with organizational goals and compliance requirements.

Integrations

Brainframe supports seamless integrations with your existing systems (SharePoint, JIRA, Monday.com, etc.), allowing you to easily import documents and records. This ensures a smooth transition by centralizing all relevant files within the platform, reducing manual work, and maintaining consistency. By integrating your current document workflows, the software helps streamline processes and enhance efficiency across your organization.

Interested in knowing more?

Book a call to find out more on how we can help you achieve and manage your compliance with CyberFundamentals.
