At CyberVadis, we follow a tree model, in which each control contributes its own score and weight to the calculation of each score level (controls to questions, questions to security categories, and so on up to the overall score).
Below is an example of the score calculation for a sample question (for illustrative purposes only):
How is activity logging ensured?
This will be calculated based on the 4 options below:
First control will contribute 20% to the question
Second control will contribute 30% to the question
Third control will contribute 30% to the question
Fourth control will contribute 20% to the question.
The question score is calculated from each security control's score and its own contribution weight. The same applies to the function score.
It is essential to know that this is not a direct average calculation, because at each level we consider only the weights for that level.
With regard to the expected impact displayed in the Platform for each improvement (+2, +3, etc.), these expected scores are expressed from the perspective of the overall score: they show the maximum effect this control could have on the overall score, for example increasing it by 10 points, 2 points, etc.
Important Note: An improvement can start from different scenarios (partially validated or not validated). If you work on an improvement and, in the reassessment, declare the control as an implemented practice and attach evidence, our team will evaluate the evidence shared and give the appropriate score. You can go from a score of 0 and an improvement to a full score and a strength for the option, or to part of the score and an improvement (in cases where there is insufficient or partial evidence, e.g. design and implementation only).