
How is your score calculated?

Understanding how your score is built helps you decide where to focus your evidence and improvement efforts, and helps you interpret your results accurately when your scorecard is published.

Written by Ana Nikolaeva

The tree model: how scores roll up

CyberVadis uses a weighted tree model. Your score is calculated in layers:

  • Individual controls (specific security practices) are scored based on your answers and evidence

  • Control scores roll up into question scores, weighted by each control's relative importance

  • Question scores roll up into category scores

  • Category scores roll up into function scores (Identify, Protect, Detect, React)

  • Function scores combine to produce your overall score on a scale of 0 to 1,000

This is not a simple average. Each level applies its own weighting, so a control's influence on your overall score is the product of the weights along its path (control, question, category, function). A strong answer in a high-weight control therefore contributes more to your overall score than the same answer in a lower-weight one.

A realistic example: password policy

Consider a question about how your company enforces password security. It might include four controls:

  • A formal password policy exists and is accessible to all employees (weight: 20%)

  • Technical controls enforce password complexity requirements (weight: 30%)

  • Password expiry or rotation is enforced (weight: 30%)

  • Privileged accounts have additional authentication controls (weight: 20%)

If you declare and provide evidence for all four controls, you receive the full question score. If you only evidence two of the four, you receive a partial score based on the combined weight of those two controls: evidencing only the policy and the complexity controls, for example, earns 50% of the question score (20% + 30%), while evidencing the two 30% controls earns 60%.

Function scores and your overall score

You receive a separate score for each of the four functions, Identify, Protect, Detect, and React, as well as an overall score. Function scores reflect your maturity in each area independently. The overall score is a weighted combination of all four function scores.

For an explanation of what each score level means (Insufficient, Basic, Moderate, Developed, Mature), see [Understanding your scorecard and the CyberVadis scoring scale].

What the "expected impact" indicators mean

Each improvement action in your improvement plan shows an expected impact, for example, +3 or +10 points on your overall score. This figure represents the maximum possible uplift that control could contribute if fully validated in a reassessment. It is a ceiling, not a guarantee.

The actual score change you receive depends on the quality and completeness of the evidence you provide. Partial or insufficient evidence results in partial credit, not the full expected impact.

How partial credit works

When our analysts review your submission, each control can receive one of several outcomes:

  • Full score - the control is declared and supported by strong, complete evidence

  • Partial score - the control is declared but evidence is incomplete (for example, a policy exists but there is no proof it is actively enforced)

  • No score - the control is declared but no supporting evidence is provided, or the evidence does not credibly support the claim

This means working on an improvement and declaring a control in a reassessment does not automatically guarantee the full expected impact. The score you receive reflects what your evidence demonstrates, not what you declare.
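To make the roll-up concrete, here is a small Python model of the weighted tree described above. It covers the password-policy question, the full/partial/no-score outcomes, and the "expected impact" ceiling, showing how a partial outcome at reassessment lands below that ceiling. It is an added illustration, not CyberVadis's scoring code: the function and category weights, the extra controls outside the password question, the normalisation of sibling weights and the 0.5 credit for a partial outcome are all assumptions. The only figures taken from the article are the four password-control weights and the 0 to 1,000 scale.

```python
# Toy weighted-tree scorer (added illustration, not CyberVadis's own code).
# Assumed: sibling weights are normalised at each level, "partial" earns 0.5
# credit, and the overall fraction is scaled to the article's 0..1000 range.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

MAX_SCORE = 1000  # overall scale stated in the article

# Credit per analyst outcome. The 0.5 for "partial" is an assumption; the
# article only says incomplete evidence earns partial credit, not how much.
CREDIT = {"full": 1.0, "partial": 0.5, "none": 0.0}


@dataclass
class Node:
    """A node of the scoring tree: function, category, question or control."""
    name: str
    weight: float                        # relative weight among its siblings
    children: list[Node] = field(default_factory=list)
    outcome: Optional[str] = None        # set only on controls (the leaves)


def fraction(node: Node) -> float:
    """Roll a node up to a score in [0, 1].

    Controls return the credit for their outcome; every other node returns the
    weighted mean of its children, so a control's effect on the root is the
    product of the weights on the path down to it.
    """
    if node.outcome is not None:
        return CREDIT[node.outcome]
    total = sum(c.weight for c in node.children)
    return sum(c.weight / total * fraction(c) for c in node.children)


def overall_score(root: Node) -> int:
    """Overall score on the 0..1000 scale."""
    return round(fraction(root) * MAX_SCORE)


def password_question(outcomes: dict[str, str]) -> Node:
    """The article's four-control password question; an unlisted control
    counts as "none" (declared without credible evidence)."""
    spec = [("policy", 0.20), ("complexity", 0.30),
            ("rotation", 0.30), ("privileged_mfa", 0.20)]
    return Node("password_security", 1.0,
                [Node(n, w, outcome=outcomes.get(n, "none")) for n, w in spec])


def build_tree(password_outcomes: dict[str, str]) -> Node:
    """Constructed scorecard around the password question. Function and
    category weights and all other controls are assumptions for the example."""
    protect = Node("Protect", 0.40, [
        Node("Access control", 0.5, [
            password_question(password_outcomes),
            Node("account_review", 1.0,
                 [Node("quarterly_review", 1.0, outcome="partial")]),
        ]),
        Node("Data protection", 0.5, [
            Node("encryption", 1.0,
                 [Node("disk_encryption", 1.0, outcome="full")]),
        ]),
    ])
    others = [
        Node(fn, 0.20, [Node(f"{fn} category", 1.0,
                             [Node(f"{fn} control", 1.0, outcome=oc)])])
        for fn, oc in [("Identify", "full"), ("Detect", "partial"), ("React", "none")]
    ]
    return Node("overall", 1.0, [protect, *others])


def find(node: Node, name: str) -> Optional[Node]:
    """Depth-first lookup of a node by name."""
    if node.name == name:
        return node
    for child in node.children:
        hit = find(child, name)
        if hit is not None:
            return hit
    return None


def expected_impact(root: Node, control_name: str) -> int:
    """Ceiling uplift in points if the control were fully validated: re-score
    with the control at full credit, then restore it. A maximum, not a forecast."""
    control = find(root, control_name)
    if control is None or control.outcome is None:
        raise ValueError(f"{control_name!r} is not a control in this tree")
    before = overall_score(root)
    saved, control.outcome = control.outcome, "full"
    try:
        return overall_score(root) - before
    finally:
        control.outcome = saved


def scenario(password_outcomes: dict[str, str]) -> int:
    """Overall score of the constructed tree for the given password outcomes."""
    return overall_score(build_tree(password_outcomes))


if __name__ == "__main__":
    base = {"policy": "full", "complexity": "full"}  # two of four evidenced
    tree = build_tree(base)
    print("password question:", fraction(find(tree, "password_security")))     # 0.5
    print("overall:", overall_score(tree))                                     # 600
    print("ceiling for 'rotation':", expected_impact(tree, "rotation"))        # 30
    print("reassessed, rotation partial:", scenario({**base, "rotation": "partial"}))  # 615
    print("reassessed, rotation full:", scenario({**base, "rotation": "full"}))        # 630
```

Running the script shows the two points the article makes: evidencing only the policy and complexity controls yields exactly 50% of the question, and the +30 ceiling for the rotation control is reached only with full evidence, while a partial outcome at reassessment earns +15.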
