IISRI: Rating Security for the Public

IISRI® Rating Scales

The rating scale explains the meaning of each rating and provides a means of comparing them. Scroll down for


EXTERNAL Rating Scale

External ratings are based only on publicly available information and should therefore be considered an indication of the presented information security posture. They never represent a higher level of reliability than an internal rating.

| Rating | Meaning | Mark | Risk |
|---|---|---|---|
| AAA | All information security controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. | Excellent | None to minimal |
| AA | Almost all information security controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. | Very good | Very low |
| A | Almost all information security controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. Minor additional work on information security and on how it is presented is recommended, since a few requirements have not been sufficiently addressed by the organization. | Good | Low |
| BBB | Main information security controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. Minor additional work on information security and on how it is presented is recommended, since a few requirements have not been sufficiently addressed by the organization. | Satisfactory | Low |
| BB | Main information security controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. Moderate additional work on information security and on how it is presented is recommended, since some requirements have not been sufficiently addressed by the organization. | Sufficient | Moderate |
| B | Some information security controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. Major additional work on information security and on how it is presented is highly recommended, since many requirements have not been sufficiently addressed by the organization. | Moderate | Moderate |
| CCC | Main information security controls are not presented in a correct or consistent way, indicating that they are unlikely to provide reasonable assurance that security risks are being managed and objectives are met. Major work on information security and on how it is presented is highly recommended. | Insufficient | High |
| CC | Almost every information security control is presented in an incorrect or inconsistent way, indicating that the controls are unlikely to provide reasonable assurance that security risks are being managed and objectives are met. Major work on information security and on how it is presented is highly recommended. | Very insufficient | High |
| C | Almost every information security control is presented in an incorrect or inconsistent way, indicating that the controls are unlikely to provide reasonable assurance that security risks are being managed and objectives are met. Major work or a complete new program on information security and on how it is presented is required. | Poor | Very high |
| D | All information security controls are presented in an incorrect and inconsistent way, indicating that they are not providing any assurance that security risks are being managed and objectives are met. A complete new program on information security and on how it is presented is required. | Very poor | Almost certain |

*The risk score is given under the assumption of an imminent threat and significant impact on the (service of the) organisation.


INTERNAL Rating Scale

Internal ratings are based on internal and external information about an organisation or its services. The rating is substantive and therefore represents the actual level of information security assurance of the assessed organization or service.

| Rating | Meaning | Mark | Risk |
|---|---|---|---|
| AAA | All information security controls are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. | Excellent | None to minimal |
| AA | Almost all information security controls are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. | Very good | Very low |
| A | Almost all information security controls are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security is recommended. | Good | Low |
| BBB | Main information security controls are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security is recommended. | Satisfactory | Low |
| BB | Main information security controls are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. Some specific control weaknesses have been noted. Moderate additional work on information security is recommended. | Sufficient | Moderate |
| B | Some information security controls are adequate, appropriate, and effective enough to provide reasonable assurance that security risks are being managed and objectives are met. Many specific control weaknesses have been noted. Major additional work on information security is highly recommended. | Moderate | Moderate |
| CCC | Main information security controls are unlikely to provide reasonable assurance that security risks are being managed and objectives are met. Major work on information security is highly recommended. | Insufficient | High |
| CC | Almost all information security controls are unlikely to provide reasonable assurance that security risks are being managed and objectives are met. Major work on information security is highly recommended. | Very insufficient | High |
| C | Almost all information security controls are unlikely to provide reasonable assurance that security risks are being managed and objectives are met. Major work or a complete new program on information security is required. | Poor | Very high |
| D | All information security controls are not providing any assurance that security risks are being managed and objectives are met. A complete new program on information security is required. | Very poor | Almost certain |

*The risk score is given under the assumption of an imminent threat and significant impact on the (service of the) organisation.
