Reports
Export compliance reports for audits and management review
CSV Export
All 34 controls with scores and details
PDF Report
Print-ready compliance summary
Statement of Applicability
CCB SoA format for NIS2 submission
CyberFundamentals Compliance Report
Generated: 23/3/2026· Basic Level · Overall Score: 63%
| Control ID | Function | Requirement | Key | Status | Score | Doc | Impl |
|---|---|---|---|---|---|---|---|
| ID.AM-1 | Ide | Physical devices and systems are inventoried | Partially | 72% | 3 | 3 | |
| ID.AM-2 | Ide | Software platforms and applications are inventoried | Partially | 65% | 3 | 3 | |
| ID.AM-3 | Ide | Organizational communication and data flows are mapped | Not | — | 1 | 1 | |
| ID.AM-5 | Ide | Resources are prioritized based on classification and business value | Not | — | 1 | 1 | |
| ID.GV-1 | Ide | Organizational cybersecurity policy is established and communicated | Non-Compliant | 30% | 2 | 2 | |
| ID.GV-3 | Ide | Legal and regulatory requirements regarding cybersecurity are understood and managed | Partially | 55% | 3 | 3 | |
| ID.GV-4 | Ide | Governance and risk management processes address cybersecurity risks | Non-Compliant | 25% | 1 | 1 | |
| ID.RA-1 | Ide | Asset vulnerabilities are identified and documented | Partially | 60% | 3 | 3 | |
| ID.RA-5 | Ide | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | Non-Compliant | 20% | 1 | 1 | |
| PR.AC-1 | Pro | Identities and credentials are issued, managed, verified, revoked, and audited | ★ | Partially | 78% | 4 | 4 |
| PR.AC-2 | Pro | Physical access to assets is managed and protected | Compliant | 95% | 4 | 4 | |
| PR.AC-3(a) | Pro | Remote access is managed | Partially | 70% | 3 | 3 | |
| PR.AC-3(b) | Pro | Remote access is secured with multi-factor authentication (MFA) | ★ | Partially | 82% | 4 | 4 |
| PR.AC-4(a) | Pro | Access permissions and authorizations are managed | ★ | Partially | 75% | 3 | 3 |
| PR.AC-4(b) | Pro | Access to critical information is identified and managed | ★ | Partially | 68% | 3 | 3 |
| PR.AC-4(c) | Pro | Least privilege access is enforced | ★ | Non-Compliant | 45% | 2 | 2 |
| PR.AC-4(d) | Pro | Administrator privileges are not used for daily tasks | ★ | Non-Compliant | 35% | 2 | 2 |
| PR.AC-5(a) | Pro | Network integrity is protected with firewalls | ★ | Compliant | 98% | 4 | 4 |
| PR.AC-5(b) | Pro | Network segmentation is implemented where appropriate | ★ | Not | — | 1 | 1 |
| PR.AT-1 | Pro | All users are informed and trained | Non-Compliant | 40% | 2 | 2 | |
| PR.DS-3 | Pro | Assets are formally managed throughout removal, transfers, and disposition | Not | — | 1 | 1 | |
| PR.IP-4 | Pro | Backups of information are conducted, maintained, and tested | ★ | Partially | 70% | 3 | 3 |
| PR.IP-11 | Pro | Cybersecurity is included in human resources practices | Not | — | 1 | 1 | |
| PR.MA-1 | Pro | Maintenance and repair of assets is performed and logged with approved tools | ★ | Compliant | 92% | 4 | 4 |
| PR.PT-1 | Pro | Audit/log records are determined, documented, implemented, and reviewed | ★ | Compliant | 96% | 4 | 4 |
| PR.PT-4 | Pro | Communications and control networks are protected | Partially | 75% | 3 | 3 | |
| DE.AE-3 | Det | Event data are collected and correlated from multiple sources | ★ | Partially | 80% | 4 | 4 |
| DE.CM-1 | Det | The network is monitored to detect potential cybersecurity events | Partially | 65% | 3 | 3 | |
| DE.CM-3 | Det | Personnel activity is monitored to detect potential cybersecurity events | Compliant | 90% | 4 | 4 | |
| DE.CM-4 | Det | Malicious code is detected | ★ | Compliant | 97% | 4 | 4 |
| RS.RP-1 | Res | Response plan is executed during or after an incident | Non-Compliant | 15% | 1 | 1 | |
| RS.CO-3 | Res | Information is shared consistent with response plans | Not | — | 1 | 1 | |
| RS.IM-1 | Res | Response plans incorporate lessons learned | Not | — | 1 | 1 | |
| RC.RP-1 | Rec | Recovery plan is executed during or after a cybersecurity incident | Non-Compliant | 10% | 1 | 1 |