EXTERNAL Rating Scale
External ratings are based only on publicly available information and should therefore be considered an indication of the security or privacy posture as it is publicly presented. They never represent a higher level of reliability than an internal rating.
Rating | Meaning | Mark | Risk |
---|---|---|---|
AAA | All information security and privacy controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. | Excellent | None to minimal |
AA | Almost all information security and privacy controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. | Very good | Very low |
A | Almost all information security and privacy controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Minor additional work on information security or privacy and on how it is presented is recommended, since a few requirements have not been sufficiently addressed by the organization. | Good | Low |
BBB | Main information security and privacy controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Minor additional work on information security or privacy and on how it is presented is recommended, since a few requirements have not been sufficiently addressed by the organization. | Satisfactory | Low |
BB | Main information security and privacy controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Moderate additional work on information security or privacy and on how it is presented is recommended, since some requirements have not been sufficiently addressed by the organization. | Sufficient | Moderate |
B | Some information security and privacy controls are presented in a correct and consistent way, indicating that they are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Major additional work on information security or privacy and on how it is presented is highly recommended, since many requirements have not been sufficiently addressed by the organization. | Moderate | Moderate |
CCC | Main information security and privacy controls are not presented in a correct or consistent way, indicating that they are unlikely to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Major work on information security or privacy and on how it is presented is highly recommended. | Insufficient | High |
CC | Almost every information security and privacy control is presented in an incorrect or inconsistent way, indicating that they are unlikely to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Major work on information security or privacy and on how it is presented is highly recommended. | Very insufficient | High |
C | Almost every information security and privacy control is presented in an incorrect or inconsistent way, indicating that they are unlikely to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Major work or a complete new program on information security or privacy and on how it is presented is required. | Poor | Very High |
D | All information security and privacy controls are presented in an incorrect and inconsistent way, indicating that they are not providing any assurance that security and privacy risks are being managed and objectives are met. A complete new program on information security and privacy and on how it is presented is required. | Very Poor | Almost Certain |
*The risk score is given under the assumption of an imminent threat and significant impact on the (service of the) organisation.
INTERNAL Rating Scale
Internal ratings are based on internal and external information about an organisation or its services. The rating is substantive and therefore represents the actual level of information security or privacy assurance of the assessed organization or service.
Rating | Meaning | Mark | Risk |
---|---|---|---|
AAA | All information security and privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. | Excellent | None to minimal |
AA | Almost all information security and privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. | Very good | Very low |
A | Almost all information security and privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended. | Good | Low |
BBB | Main information security and privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended. | Satisfactory | Low |
BB | Main information security and privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Some specific control weaknesses have been noted. Moderate additional work on information security or privacy is recommended. | Sufficient | Moderate |
B | Some information security and privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Many specific control weaknesses have been noted. Major additional work on information security or privacy is highly recommended. | Moderate | Moderate |
CCC | Main information security and privacy controls are unlikely to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended. | Insufficient | High |
CC | Almost all information security and privacy controls are unlikely to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended. | Very insufficient | High |
C | Almost all information security and privacy controls are unlikely to provide reasonable assurance that security and privacy risks are being managed and objectives are met. Major work or a complete new program on information security or privacy is required. | Poor | Very High |
D | All information security and privacy controls are not providing any assurance that security and privacy risks are being managed and objectives are met. A complete new program on information security and privacy is required. | Very Poor | Almost Certain |