Ratings
Security ratings are invaluable tools for organizations seeking to
assess their security posture or evaluate suppliers during
acquisition or merger processes. While certifications like ISO
27001, PCI DSS, and SOC2 provide a solid foundation, they offer
limited insight into the effectiveness of security controls.
At IISRI®, we advocate for transparency in information security and
privacy ratings. By publicly showcasing these ratings, organizations
are motivated to continuously enhance their security and privacy
measures, thereby safeguarding sensitive data. This transparency
fosters a culture of accountability and improvement, driving
collective efforts towards robust information security practices.
Rating Scale
| Rating |
Meaning |
Mark |
Risk |
| AAA |
All information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. |
Excellent |
None to minimal |
| AA |
Almost all information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. |
Very good |
Very low |
| A |
Almost all information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended. |
Good |
Low |
| BBB |
Main information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended. |
Satisfactory |
Low |
| BB |
Main information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Some specific control weaknesses have been noted. Moderate additional work on information security or privacy is recommended. |
Sufficient |
Moderate |
| B |
Some information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Many specific control weaknesses have been noted. Major additional work on information security or privacy is highly recommended. |
Moderate |
Moderate |
| CCC |
Main information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended. |
Insufficient |
High |
| CC |
Almost all information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended. |
Very insufficient |
High |
| C |
Almost all information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work or complete new program on information security and/or privacy is required. |
Poor |
Very high |
| D |
All information security and/or privacy controls are not providing any assurance that security and/or privacy risks are being managed and objectives are met. Complete new program on information security and/or privacy is required. |
Very poor |
Almost certain |
The rating represents the level of information security or privacy maturity of an assessed organization at a specific
moment in time. Given the audit findings as weaknesses in the ISMS, the risk score is given under the assumption of
an imminent threat to exploit these with a material impact to the (service of the) organisation.
