IISRI performs external assessments by acting as a public user, such as a (potential) customer or investor, within a limited time, to attest not only security but also obscurity, i.e. the transparency and accessibility of information on security. The external rating is therefore an indication of the information security posture that an organisation presents to the public and thus to its (potential) customers. Consequently, the external rating may differ from the assessed organisation's or service's actual level of security.
The rating methodology differs from sector to sector. A detailed description is included in each report.
The security indicators that are material to the type of an assessed organisation are standardised by IISRI and defined in the IISRI security assessment framework. They fall into one of the following security domains:
The external assessment always results in two reports: a public report and a confidential report.
The public report does not contain any sensitive information that could be exploited directly and jeopardise the assessed organisation or its customers. The confidential report can only be disclosed to the assessed organisation upon its request.
It is important to note that an internal (free) rating overrides the external rating.
Go here if you would like to request an external rating.