IISRI® Ratings are an opinion-based, independent evaluation of security and privacy posture 

IISRI® RATINGS

What are IISRI® Ratings

In a glimpse, IISRI® ratings are security and privacy grades given by IISRI® that indicate the level at which an organization is able to protect the data it is entrusted. For others, such as customers, suppliers, partners, investors, etc., this rating helps them to understand the risk of (further) entrusting their data to that organization.

Read more about how ratings help here.


We offer internal and external ratings. All ratings are delivered together with a report of the assessment results, showing the improvement opportunities for better security and privacy of data.

INTERNAL Rating

An internal rating assessment can be commissioned by yourself or by someone else, like your customers, but is always performed with your consent and your cooperation to obtain the most accurate rating.

EXTERNAL Rating

​Sometimes it is not possible or desired to get first consent from an organization to perform an IISRI® rating assessment. An external rating is then the solution. You can then commission IISRI® to do such an external rating assessment on another organization. This can be as part of your due diligence as an investor or as a potential customer of that organization. IISRI® has a propriety method within the regulatory boundaries to be able to perform such a non-invasive assessment without the consent and/or cooperation of the targeted organization.

Rating others

​Rating assessments are sometimes performed on other organizations than on the requestor. Two main use cases are: to manage vendors and to underwrite cyber insurance premiums. Depending on whether consent and cooperation is possible and desired, an internal, or external rating assessment is commissioned.


Vendor assessments and ratings
Rating assessments can also be done for your suppliers (vendors) that you have entrusted your data and that of your customers to. You commission IISRI® then to do such an internal rating assessment. You will then receive periodically the security review results and ratings of your suppliers. This will allow you to identify those suppliers with the lowest ratings and thus the highest risks for you to focus on.


​Cyber insurance ratings
Insurers can commission IISRI® to perform a rating assessment on new cyber insurance customers or when existing customers (insured) make a cyber insurance claim. The insurer will then receive the security assessment results and rating of the (to be) insured. This will allow the underwriter to determine the insurance premium based on the cyber security risk related to the rating.

Purpose of IISRI®Ratings

There are many use cases for IISRI® ratings. Organizations that would like to know how secure they are, organizations that have to assess their suppliers, due diligence during acquisitions, and companies that merge.

 

Many organizations found certifications like ISO27001, PCI DSS, and SOC2 insufficient, providing only binary information if the controls are effective or not as insufficient. IISRI® ratings give you answers to all the above and more.

How much will an IISRI®Rating cost

The price depends on the complexity of the organization, service or product that is submitted to the review. As an indication, for a typical small SaaS cloud service provider an IISRI® rating including report costs between 3000 and 6500 USD.

How does the rating review process look like 

After agreeing on the scope and authorizing IISRI® for the work we start the streamlined investigation. The assessment is usually condensed to 2-3 days and requires the organization to be fully available for those days. Design and operating effectiveness of security and privacy controls of several domains are being reviewed. The last day is processing of the collected evidence material and reporting. If you have been audited recently, such as your internal audit, this might reduce our time. We will still validate the results of that audit and take sample evidences for our final report.

Comparing IISRI®  Ratings to other certifications and security assessments

Like an IISRI® Rating, a security certification, such as an ISO27001 certification or a SOC 2 assurance report, is based on an audit by an independent and qualified auditor. They both provide an attestation of your organization’s security posture and serve the purpose of giving your customers confidence in your capability to protect their data.

The differences lie in the depth and turn-around time of the audit, transparancy, market recognition, and pricing. With a shorter turn around time, lower costs, a security or privacy rating also gives a better view on the level of security or privacy maturity.