Not sure what to expect? Watch our short video walkthrough of the full assessment process before you begin: How Does the CyberVadis Assessment Work? | 5 Simple Steps
The CyberVadis assessment has five stages. Here is what to expect at each one.
Stage 1 - Registration (~5 minutes)
Create your company profile on the CyberVadis platform. If your client invited you, click the link in your invitation email to get started. If you are registering without a client request, see [I want to be assessed without a client request].
You will provide basic company information and contact details. Registration takes around five minutes.
Stage 2 - Qualification questionnaire
Answer a short series of yes/no questions about your company's current cybersecurity practices. Your answers here determine which questions appear in the full questionnaire, so that questionnaire is tailored to your company's actual context.
Once you submit the qualification section, it is locked and cannot be changed. We recommend completing it with input from your IT, Information Security, or Data Protection team.
Stage 3 - Full questionnaire (typically 2–3 days if documentation is ready)
Complete your personalized online questionnaire, which is customized based on your company's sector, size, and qualification answers. For each question, you will select the applicable controls and upload supporting evidence (policies, procedures, screenshots, etc.).
The questionnaire autosaves as you work. You can complete it across multiple sessions and answer questions in any order.
Deadline: You must submit within 20 days of receiving access, or by a specific deadline agreed with your client.
If you hold a valid ISO 27001 certificate: After the qualification stage, you will be directed through a certificate upload step before accessing the full questionnaire. You will declare your certification version and upload your certificate and Statement of Applicability.
Stage 4 - Expert analysis (4–6 weeks)
Once you submit, our team of cybersecurity analysts reviews your responses and supporting evidence. They assess whether your declared controls are credible and supported by documentation, and assign scores across four functions: Identify, Protect, Detect, and React.
You do not need to take any action during this stage. You will receive an email when your results are ready.
Stage 5 - Results
You receive two outputs:
Scorecard - a detailed breakdown of your cybersecurity performance by function and topic, with strengths and risk areas identified
Improvement plan - a prioritized list of actions you can take to strengthen your security posture, trackable directly on the platform
You can share your scorecard with your client and any other business partners directly from the platform.
If you have questions about your results, see [I disagree with my results or have questions about them].
