Frequently Asked Questions about CYRA and the CYRA Method
Last modified: 03-04-2026.
About CYRA and the CYRA Method
CYRA is a method (questionnaire) consisting of four levels, each with three maturity stages. There are several modules, each based on an international standard (such as ISO/IEC 27001, IEC 62443 or NEN 7510).
Using the CYRA tool, organisations gain insight into their digital resilience and can improve it step by step. Once all questions at a certain level have been completed, you can download a self-declaration to demonstrate your organisation’s level of digital resilience to clients.
You can also request an independent assessment by an accredited certification body.
CYRA helps organisations to:
- Gain insight into their digital risks
- Improve in a targeted way
- Share this insight with clients, supervisory authorities or supply chain partners through a self-declaration or (after a successful audit) a CYRA certificate.
The CYRA Method currently includes three modules and an add-on module. These are: CYRA-IT, CYRA-OT, CYRA-Healthcare and the add-on module CYRA-NDO.
- CYRA-IT is the CYRA module for the digital resilience of IT environments. The questions and standards align with international information security standards, such as ISO/IEC 27001. CYRA-IT is based on the information security measures set out in Annex A of ISO/IEC 27001.
- CYRA-OT is the CYRA module for operational technology (OT) and industrial automation (such as process and control systems). The module aligns with standards from the IEC 62443 series.
- CYRA-Healthcare is the CYRA module for healthcare organisations. This module aligns with the NEN 7510 standard for information security in healthcare.
- CYRA-NDO is an additional module for CYRA-IT and CYRA-Healthcare. NDO stands for the Digital Criminal Infiltration Framework.
CYRA is a growth model. It is not only about ‘comply or not comply’, but also about insight: what is already in place and what is not (yet). Even if you answer ‘no’ to certain elements, this provides valuable information to support improvements and to justify decisions, and to determine whether and how to progress towards a higher level of digital resilience.
Implementing an entire standard, such as ISO/IEC 27001, can be too demanding or complex for many organisations. In addition, implementing a full standard is not always necessary. CYRA is proportionate and scalable: you choose a level that fits your risks and your role in the supply chain, and you can grow from there when needed.
Having your assessment reviewed by a certification body provides an independent judgement of your digital resilience. This also increases the trust of clients and supply chain partners. Depending on the outcome, an assessment may lead to a CYRA certificate, demonstrating that you structurally address cybersecurity and manage risks.
The CYRA Method includes multiple levels: Entry, Basic, Intermediate and Advanced. Each level describes a different level of ambition and corresponds to a different risk profile. The level that suits your organisation depends on factors such as your role in the supply chain and what supply chain partners expect of you, the type of services you provide and the associated risks.
The CYRA certification scheme defines, among other things, how an assessment (questionnaire) is structured, under what conditions an assessment takes place and how a certificate can be issued.
It also specifies the requirements that certification bodies must meet to carry out audits. The certification scheme therefore ensures clarity and consistency in the application of CYRA.
Determining the right level starts with a risk-based consideration. This includes looking at:
- The nature of your services
- The sensitivity of the information you process
- Your role within the supply chain
- The expectations of your clients.
A formal risk analysis is not required, but it can help to support this assessment. Depending on the outcome, you choose a suitable CYRA level. A risk analysis is not part of the CYRA Method itself, but it is important in determining which CYRA level you aim to achieve.
CYRA and clients
This varies by sector and by client. Each client is responsible for the requirements they set for their suppliers. This may include compliance with a specific standard, or, if full certification is not (yet) appropriate or feasible, demonstrating a certain CYRA level.
Clients are increasingly requesting insight into the digital resilience of their suppliers, particularly if you play a role in their supply chain or have access to systems and/or data.
In addition, the Cybersecurity Act requires organisations to have insight into risks within their supply chain. As a result, direct suppliers are increasingly asked to demonstrate their digital resilience.
CYRA helps you to provide this insight in a structured way. You demonstrate:
- Where you currently stand
- Which measures you have already implemented
- Where further development may be needed to meet specific requirements.
This means you may not always fully meet all client requirements in advance. This often requires discussion: together you determine which level or additional measures are appropriate. CYRA supports this dialogue and makes transparent what is already in place and what still requires attention.
CYRA is a baseline and growth model: it provides structure and a minimum set of requirements appropriate to a chosen level. Clients may impose additional requirements that reflect their specific risks, sector or supply chain. CYRA helps you to establish “a solid foundation” and makes it easier to position and justify any additional requirements. CYRA lays the groundwork and additional measures can be built on top, if needed.
The CYRA tool: general information
The CYRA tool is the online platform where you:
- Complete a self-assessment (the questionnaire)
- Track your progress
- Download a self-declaration as a PDF
- (If desired) request an audit from an accredited certification body.
The current annual fees can be found on . You pay an annual fee per CYRA module (for example CYRA-IT or CYRA-OT).
CCV uses the payment partner Billie for invoicing. To receive your invoice via Billie, click the ‘Pay’ button in the CYRA tool. After providing some details, invoicing will be handled via Billie and the status ‘Invoicing via Billie’ will appear on your dashboard.
For a quick introduction to the CYRA tool, you can watch the instruction video.
The CYRA tool has been developed by a Dutch developer and is managed in the Netherlands. Security by design was a key principle during development: security and confidentiality were considered from the initial design phase, rather than being added afterwards.
The tool is designed so that users cannot upload documentation, configuration files or other evidence. Only answers to self-assessment questions are entered. There is no automatic extraction of data from technical systems or environments.
This minimises the risk of processing or storing sensitive information. What is not entered into the system cannot be retrieved from it.
Before publication, the CYRA tool was thoroughly tested through an independent penetration test (pentest), carried out by an organisation (other than the developer) that holds the Pen Test Quality Mark. Any findings were resolved before the tool was made available. This ensures that the CYRA tool meets current requirements for digital resilience and confidentiality.
Yes, the tool is available in Dutch and English.
You can change the language via the language settings in the tool. There you can select Dutch or English.
The CYRA Tool: registration and account
You can register via the CYRA tool by creating an account at app.cyberrating.nl using your business email address and company details.
You can update your company details via the dashboard (or your account/company settings). It is important to keep this information up to date.
Company size may affect the annual fee for the tool. That is why you are asked to review and update this information annually where necessary.
As an account administrator, you can add additional users via user management. These users must have the same email domain as the account administrator/your organisation.
Yes. Multiple users within the same organisation can work on the same assessment at the same time. Progress and answers are saved within the account.
Your account data will be retained as long as your account remains active. If the account is terminated, the CCV’s retention periods and privacy conditions will apply.
Self-assessment and questionnaire
A self-assessment is an evaluation for your chosen CYRA level in which you answer questions about the measures and working practices of your organisation. You complete this yourself, based on how your organisation actually operates.
Yes. The assessment is based on your own situation. You may involve internal colleagues or seek support from an external advisor.
CYRA includes several levels: Entry, Basic, Intermediate and Advanced. The higher the level, the more extensive and mature the requirements. Each level consists of three maturity stages (ad hoc, best effort and defined).
Per CYRA module (CYRA-IT, CYRA-OT, CYRA-Healthcare), you can work on one assessment at a time. If you want to start a new assessment, you must first complete or overwrite the existing one. If you have multiple CYRA modules linked to your account (for example CYRA-IT and CYRA-OT), you can of course work on an assessment per module.
- In progress: there are still questions open.
- Completed: all questions have been fully answered and the assessment is completed.
A question is fully completed when you have selected “Yes” or “Not applicable”, then selected the most appropriate multiple-choice answer, and provided a justification. This is indicated in the CYRA tool with a green tick.
You can do this in several ways. First, check each question to see whether it has been fully completed. In addition, you can use the search function in the questionnaire to quickly find specific questions or topics. You can then use the filters to display only the questions that are still open or not yet fully completed. This helps you maintain an overview and focus on completing any missing information.
This refers to the structure or numbering of the underlying standard, such as ISO/IEC 27701 if it starts with ‘B’.
The version number refers to the version of the questionnaire. This helps you keep track when a new version is published.
You can start a new self-assessment via the dashboard by selecting “Start new self-assessment”.
The time required varies per organisation and per chosen level. Completing the questionnaire requires careful consideration and alignment. In return, you actively work on improving your digital resilience and gain insight into where improvements are needed.
Completion, self-declaration and audit
You can finalise the assessment. After that, you can download a self-declaration or choose to request an audit from a certification body.
A self-declaration is a PDF containing the results of your self-assessment. You can use this to share insight with clients, customers or supply chain partners.
You can download the self-declaration as a PDF via the dashboard in the CYRA tool once the assessment has been fully completed. To download it, click on the three dots next to the assessment and select “Download self-declaration”.
Via the “Request audit” button, you can link the answers from your assessment to a certification body of your choice. All practical arrangements, such as planning and pricing, are agreed directly with the certification body.
Yes. Only fully completed and finalised assessments can be submitted for an audit.
If you have answered “no” to one or more questions, you cannot request a certificate. In that case, the purpose of CYRA is to first gain insight and improve. You can update the assessment later and submit it again for audit.
Your assessment will be reviewed by an auditor from the accredited certification body you have chosen.
An audit provides an independent assessment of your organisation’s digital resilience. If the outcome is positive, this results in an official CYRA certificate, demonstrating that your organisation meets the chosen level and achieved maturity level.
Yes. The audit is requested via the tool, but arrangements regarding planning, costs and execution are made directly with the certification body.
You request an audit via the CYRA tool after completing the assessment. You then contact the certification body directly to arrange the audit.
A CYRA certificate is valid for two years. After that, reassessment is required to extend the certificate.
The costs of an audit may vary per certification body. These arrangements are made directly with the certification body you choose.
Support and guidance
The CYRA tool provides guidance and structure, but does not offer substantive support. If there is insufficient knowledge within your organisation to complete the assessment, you may engage an external advisor.
If you need assistance, you can contact support via the Help button in the CYRA tool or via cyra@hetccv.nl.
You can involve colleagues or consult an external advisor.