IISRI® - Independent Information Security Rating Institute

Differentiating IISRI® Internal and External Ratings

At IISRI®, we provide two distinct approaches to security and privacy evaluations:
Internal ratings and external ratings, each serving unique purposes in assessing organizational resilience.

External Ratings
External ratings rely solely on publicly available information to assess an organization’s security and privacy posture. This ensures a transparent, non-invasive evaluation, ideal for organizations seeking a high-level overview or assessing vendors during acquisitions or partnerships.

Internal Ratings
In contrast, internal ratings go beyond publicly available information, leveraging proprietary methodologies, confidential insights, and deep analysis to provide a more detailed and strategic assessment. These ratings enable organizations to benchmark themselves, identify internal vulnerabilities, and strengthen their security posture comprehensively. By offering both IISRI® CyberRank external ratings (VRMS) and IISRI® internal ratings, IISRI® empowers organizations with the tools needed to safeguard sensitive data, evaluate vendor risks, and drive continuous improvement in cybersecurity and privacy practices.

Internal Audits and Recognition Through IISRI®

At IISRI®, internal audits provide a thorough and strategic and standardized methodology evaluation of an organization's cybersecurity and privacy posture, delving deeper than publicly available information. These audits utilize proprietary methodologies, confidential insights, and sector-specific benchmarks to offer detailed, actionable reports on an organization's security measures.
Internal audits include comprehensive reviews of security controls, risk management frameworks, incident response strategies, and compliance with industry standards such as ISO 27001, SOC2, and GDPR. These audits give organizations a clear roadmap for improving their security measures and ensuring they are resilient to emerging threats.

In recognition of exemplary performance, IISRI® offers an Annual IISRI® Awards Program, honoring organizations that demonstrate leadership and innovation in cybersecurity. Winners of these awards receive exclusive, customizable plaques—a paid service that organizations can order to showcase their achievements. These plaques are made from premium materials and can be personalized with the recipient's logo and award details, making them a prestigious symbol of excellence in security and privacy. Categories for the awards include "Cyber Excellence," "Privacy Champion," "Rising Star," and "Top Industry Performer," offering organizations the opportunity to be recognized for their efforts.

Additionally, recognized companies can purchase email signatures and online branding stamps as part of their award package. These customizable digital assets allow organizations to proudly display their CyberRank achievements in email communications, websites, and marketing materials. The branding stamps, featuring the CyberRank logo and award details, serve as a powerful visual endorsement of a company’s commitment to maintaining the highest security and privacy standards, enhancing their credibility and trust with clients and stakeholders.

With internal audits, prestigious awards, and customizable branding options, IISRI® CyberRank provides organizations with the tools and recognition they need to maintain and showcase their cybersecurity excellence.

Rating Scale

Rating	Meaning	Mark	Risk
AAA	All information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met.	Excellent	None to minimal
AA	Almost all information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met.	Very good	Very low
A	Almost all information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended.	Good	Low
BBB	Main information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended.	Satisfactory	Low
BB	Main information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Some specific control weaknesses have been noted. Moderate additional work on information security or privacy is recommended.	Sufficient	Moderate
B	Some information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Many specific control weaknesses have been noted. Major additional work on information security or privacy is highly recommended.	Moderate	Moderate
CCC	Main information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended.	Insufficient	High
CC	Almost all information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended.	Very insufficient	High
C	Almost all information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work or complete new program on information security and/or privacy is required.	Poor	Very high
D	All information security and/or privacy controls are not providing any assurance that security and/or privacy risks are being managed and objectives are met. Complete new program on information security and/or privacy is required.	Very poor	Almost certain

Rating

Meaning

Mark

Risk

AAA

All information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and privacy risks are being managed and objectives are met.

Excellent

None to minimal

Very good

Very low

Almost all information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended.

Good

Low

BBB

Main information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. A few specific control weaknesses have been noted. Minor additional work on information security or privacy is recommended.

Satisfactory

Low

Main information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Some specific control weaknesses have been noted. Moderate additional work on information security or privacy is recommended.

Sufficient

Moderate

Some information security and/or privacy controls are adequate, appropriate, and effective enough to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Many specific control weaknesses have been noted. Major additional work on information security or privacy is highly recommended.

Moderate

CCC

Main information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended.

Insufficient

High

Almost all information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work on information security or privacy is highly recommended.

Very insufficient

High

Almost all information security and/or privacy controls are unlikely to provide reasonable assurance that security and/or privacy risks are being managed and objectives are met. Major work or complete new program on information security and/or privacy is required.

Poor

Very high

All information security and/or privacy controls are not providing any assurance that security and/or privacy risks are being managed and objectives are met. Complete new program on information security and/or privacy is required.

Very poor

Almost certain

The rating reflects the publicly available information security or privacy maturity level of an assessed organization at a specific moment in time. IISRI® CyberRank provides daily updates, monitoring, and insights, showcasing which organizations achieve the top CyberRank each day!