Differentiating IISRI® Internal and External Ratings


At IISRI®, we provide two distinct approaches to security and privacy evaluations: internal ratings and external ratings, each serving unique purposes in assessing organizational resilience.

External Ratings
External ratings rely solely on publicly available information to assess an organization’s security and privacy posture. This ensures a transparent, non-invasive evaluation, ideal for organizations seeking a high-level overview or assessing vendors during acquisitions or partnerships.

CyberRank Public Data Breach Monitoring (VRMS)
IISRI® CyberRank (VRMS) continuously scans public data breach databases to detect any leaks or breaches involving vendor credentials or sensitive information. This real-time monitoring is essential for identifying emerging risks.

CyberRank Asset Discovery (VRMS)
Automated tools map and identify public-facing assets associated with the vendor. By extending the analysis beyond the main website, IISRI® CyberRank (VRMS) ensures a more comprehensive assessment of the vendor’s security and privacy posture.

CyberRank Compliance Evidence (VRMS)
IISRI® CyberRank (VRMS) evaluates whether vendors publicly demonstrate compliance with key security frameworks such as SOC2, ISO 27001, PCI DSS, and NIST CSF. While these certifications indicate foundational practices, CyberRank (VRMS) integrates this data into its broader risk assessment.

CyberRank Non-Invasive Security Testing (VRMS)
IISRI® CyberRank (VRMS) performs external testing of publicly facing servers to detect known vulnerabilities. Combined with sector-specific and regional risk factors, this provides valuable insight into the likelihood of a breach.

CyberRank Privacy Testing (VRMS)
The system analyzes the organization’s privacy practices, including policies, cookie deployments, and consent banners, ensuring alignment with privacy regulations and industry best practices.

CyberRank Vendor Access to Ratings (VRMS)
Vendors can access their ratings and review findings directly. For those seeking improvement, they can upload certifications, assurance reports, and other evidence to request a re-evaluation.

CyberRank Automation and Continuous Monitoring (VRMS)
With IISRI® CyberRank (VRMS), organizations can automate vendor assessments, select vendors for continuous monitoring, and receive real-time alerts for rating downgrades or detected data leaks.

CyberRank Flexible Pricing (VRMS)
IISRI® CyberRank (VRMS) is available on a pay-as-you-go model, making it accessible and scalable based on organizational needs.

Internal Ratings
In contrast, internal ratings go beyond publicly available information, leveraging proprietary methodologies, confidential insights, and deep analysis to provide a more detailed and strategic assessment. These ratings enable organizations to benchmark themselves, identify internal vulnerabilities, and strengthen their security posture comprehensively. By offering both IISRI® CyberRank external ratings (VRMS) and IISRI® internal ratings, IISRI® empowers organizations with the tools needed to safeguard sensitive data, evaluate vendor risks, and drive continuous improvement in cybersecurity and privacy practices.


Internal Audits and Recognition Through IISRI®


At IISRI®, internal audits provide a thorough, strategic evaluation of an organization's cybersecurity and privacy posture based on a standardized methodology, delving deeper than publicly available information. These audits utilize proprietary methodologies, confidential insights, and sector-specific benchmarks to offer detailed, actionable reports on an organization's security measures.
Internal audits include comprehensive reviews of security controls, risk management frameworks, incident response strategies, and compliance with industry standards such as ISO 27001, SOC2, and GDPR. These audits give organizations a clear roadmap for improving their security measures and ensuring they are resilient to emerging threats.

In recognition of exemplary performance, IISRI® offers an Annual CyberRank Awards Program, honoring organizations that demonstrate leadership and innovation in cybersecurity. Winners of these awards receive exclusive, customizable plaques—a paid service that organizations can order to showcase their achievements. These plaques are made from premium materials and can be personalized with the recipient's logo and award details, making them a prestigious symbol of excellence in security and privacy. Categories for the awards include "Cyber Excellence," "Privacy Champion," "Rising Star," and "Top Industry Performer," offering organizations the opportunity to be recognized for their efforts.

Additionally, recognized companies can purchase email signatures and online branding stamps as part of their award package. These customizable digital assets allow organizations to proudly display their CyberRank achievements in email communications, websites, and marketing materials. The branding stamps, featuring the CyberRank logo and award details, serve as a powerful visual endorsement of a company’s commitment to maintaining the highest security and privacy standards, enhancing their credibility and trust with clients and stakeholders.

With internal audits, prestigious awards, and customizable branding options, IISRI® CyberRank provides organizations with the tools and recognition they need to maintain and showcase their cybersecurity excellence.



Rating Scale

| Rating | Meaning | Mark | Risk |
| --- | --- | --- | --- |
| AAA | All information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met. | Excellent | None to minimal |
| AA | Almost all information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. | Very good | Very low |
| A | Almost all information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended. | Good | Low |
| BBB | Main information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended. | Satisfactory | Low |
| BB | Main information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Some specific control weaknesses have been noted. Moderate additional work on information security or privacy is recommended. | Sufficient | Moderate |
| B | Some information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Many specific control weaknesses have been noted. Major additional work on information security or privacy is highly recommended. | Moderate | Moderate |
| CCC | Main information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended. | Insufficient | High |
| CC | Almost all information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended. | Very insufficient | High |
| C | Almost all information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work or complete new program on information security and/or privacy is required. | Poor | Very high |
| D | All information security and/or privacy controls are not providing any assurance that security and/or privacy risks are being managed and objectives are met. Complete new program on information security and/or privacy is required. | Very poor | Almost certain |

The rating reflects the publicly available information security or privacy maturity level of an assessed organization at a specific moment in time. IISRI® CyberRank provides daily updates, monitoring, and insights, showcasing which organizations achieve the top CyberRank each day!


