Scoring Methodology
Understanding the weighted risk calculation and compliance rating system
How Scoring Works
The Vendor Risk Assessment Tool uses a weighted scoring algorithm to calculate accurate risk ratings. Unlike simple yes/no checklists, our system accounts for the criticality of each security control.
Question Weights (1-5)
| Weight | Criticality | Example Controls |
|---|---|---|
| 5 | Critical | MFA, Data Encryption, Incident Response Plan, CISO Role |
| 4 | High | Access Reviews, Vulnerability Scanning, Security Training |
| 3 | Medium | Password Policies, Log Retention, Physical Security |
| 2 | Low | Visitor Logs, Asset Labeling, Policy Review Frequency |
| 1 | Minimal | Documentation Standards, Awareness Posters |
Answer Types & Point Allocation
| Answer | Meaning | Points Awarded |
|---|---|---|
| Yes | Full credit awarded | 100% of weight |
| Partial | Control exists but incomplete | 50% of weight |
| No | Control not implemented | 0 points |
N/A (Not Applicable): Questions marked as N/A are excluded from both the achieved and maximum score calculations.
Score Calculation Formula
Compliance Score = (Achieved Points ÷ Maximum Points) × 100
Higher percentage = Better security posture
Achieved Points
- "Yes" answers: full question weight
- "Partial" answers: 50% of weight
- "No" answers: 0 points
- Sum all achieved points
Maximum Points
- Sum of all question weights
- Excludes N/A questions
- Represents a perfect score (100%)
Example Calculation
Scenario: Quick Due Diligence (10 questions)
| Question | Weight | Answer | Points |
|---|---|---|---|
| Is MFA enabled? | 5 | Yes | 5.0 |
| Is data encrypted? | 5 | Yes | 5.0 |
| Security patches in 30 days? | 4 | Partial | 2.0 |
| Incident response plan? | 4 | Yes | 4.0 |
| Daily backups tested? | 5 | No | 0.0 |
| Relevant certifications? | 3 | Partial | 1.5 |
| Annual security training? | 4 | Yes | 4.0 |
| 90-day log retention? | 3 | Yes | 3.0 |
| Vendor assessments? | 3 | No | 0.0 |
| BAA/DPA signing? | 5 | Yes | 5.0 |
Achieved Points: 29.5
Maximum Points: 41
Compliance Score: 29.5 ÷ 41 × 100 = 71.95%
Rating: ⚠️ Medium Risk
Risk Rating Bands
| Band | Score Range | Interpretation |
|---|---|---|
| 🟢 Low Risk | 85-100% | Strong security posture with comprehensive controls |
| 🟡 Medium Risk | 60-84% | Acceptable with a remediation plan for gaps |
| 🔴 High Risk | 0-59% | Significant security deficiencies requiring immediate attention |
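The formula, the N/A exclusion rule and the risk bands above, implemented as an added example (not the tool's own code) and checked against the Quick Due Diligence scenario. The boundary handling for fractional scores between the published bands (for example 84.5%) is not defined on this page; treating them as Medium is an assumption of this example.

```python
from dataclasses import dataclass
from enum import Enum

class Answer(Enum):
    YES = "yes"          # full credit: 100% of weight
    PARTIAL = "partial"  # control exists but incomplete: 50% of weight
    NO = "no"            # control not implemented: 0 points
    NA = "n/a"           # excluded from achieved and maximum points

# Credit as a fraction of the question weight, per the answer type table.
CREDIT = {Answer.YES: 1.0, Answer.PARTIAL: 0.5, Answer.NO: 0.0}

@dataclass(frozen=True)
class Question:
    text: str
    weight: int  # criticality, 1 (minimal) to 5 (critical)
    answer: Answer

def score(questions):
    """Return (achieved, maximum, compliance_pct) using the page's formula."""
    achieved, maximum = 0.0, 0
    for q in questions:
        if not 1 <= q.weight <= 5:
            raise ValueError(f"weight out of range for {q.text!r}: {q.weight}")
        if q.answer is Answer.NA:
            continue  # N/A drops out of both numerator and denominator
        achieved += q.weight * CREDIT[q.answer]
        maximum += q.weight
    if maximum == 0:
        raise ValueError("all questions are N/A; no compliance score exists")
    return achieved, maximum, achieved / maximum * 100

def risk_band(pct):
    # Band edges follow the page (85-100, 60-84, 0-59). Treating fractional
    # scores between 84 and 85 as Medium is an assumption of this example.
    if pct >= 85: return "Low Risk"
    if pct >= 60: return "Medium Risk"
    return "High Risk"

# The page's worked example: Quick Due Diligence, 10 questions.
QUICK_DUE_DILIGENCE = [
    Question("Is MFA enabled?", 5, Answer.YES),
    Question("Is data encrypted?", 5, Answer.YES),
    Question("Security patches in 30 days?", 4, Answer.PARTIAL),
    Question("Incident response plan?", 4, Answer.YES),
    Question("Daily backups tested?", 5, Answer.NO),
    Question("Relevant certifications?", 3, Answer.PARTIAL),
    Question("Annual security training?", 4, Answer.YES),
    Question("90-day log retention?", 3, Answer.YES),
    Question("Vendor assessments?", 3, Answer.NO),
    Question("BAA/DPA signing?", 5, Answer.YES),
]
```

Running `score(QUICK_DUE_DILIGENCE)` returns 29.5 achieved out of 41 maximum, which is 71.95% and therefore Medium Risk; appending an N/A question leaves all three values unchanged.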
Assessment Best Practices
- Request Evidence: Ask vendors to provide documentation (policies, certifications, audit reports) to support their answers.
- Use "Partial" Wisely: Reserve it for controls that exist but have known gaps (e.g., MFA enabled for some users but not all).
- Add Context Notes: Use the evidence/notes field to document specific findings or follow-up items.
- Re-Assess Annually: Security posture changes over time. Schedule annual reassessments for critical vendors.
- Adjust Weights: Customize question weights in the Template Builder to match your organization's risk tolerance.