Admin user
The platform role with full permissions on your company's CyberVadis account. Admin users can add and remove colleagues, manage billing details, and control document sharing settings. See [User roles on the CyberVadis platform].
Analyst
A CyberVadis cybersecurity expert who reviews your questionnaire responses and supporting evidence. Every assessment is reviewed by a human analyst before a scorecard is published.
Assessment
The full process of evaluating your company's cybersecurity posture through CyberVadis, from registration and questionnaire completion through to scorecard publication. The assessment covers four functions: Identify, Protect, Detect, and React.
Control
A specific security practice or measure evaluated within the questionnaire. Each question contains one or more controls. For example, a question about password security might include controls for policy documentation, technical enforcement, and privileged account management.
DORA (Digital Operational Resilience Act)
A European Union regulation requiring financial sector organizations and their ICT providers to demonstrate operational resilience against cybersecurity threats. The CyberVadis methodology maps to DORA requirements.
EASM (External Attack Surface Management)
An automated monthly scan of your company's publicly accessible domains and subdomains. It identifies potential security misconfigurations and produces a separate security score that does not affect your main CyberVadis scorecard. See [External Attack Surface Management (EASM): automated external security monitoring].
Evidence / Supporting documentation
Documents, screenshots, policies, or other files you upload to the questionnaire to support your answers. Evidence is required for analysts to credit your declared controls. Without it, a declared control cannot receive a score.
Functions
The four areas of cybersecurity practice that the CyberVadis assessment evaluates:
Identify — knowing what you need to protect (assets, risks, data)
Protect — controls to prevent security incidents
Detect — capability to identify incidents when they occur
React — ability to respond and recover
You receive a score for each function as well as an overall score.
GDPR (General Data Protection Regulation)
European Union data protection law. The CyberVadis questionnaire includes controls that assess whether your company meets GDPR requirements for data handling and privacy.
Improvement plan
A prioritized list of recommended actions generated after your scorecard is published. Each action is linked to a specific control gap and includes an expected impact on your overall score. You can track progress on each action directly on the platform. See [How to use the Improvement Plan].
ISMS (Information Security Management System)
The combination of policies, procedures, processes, and controls your company uses to manage information security. The CyberVadis assessment evaluates the maturity of your ISMS across the four functions.
ISIC (International Standard Industrial Classification)
The United Nations system for classifying economic activities. CyberVadis uses ISIC codes during registration to categorize your company's sector, which influences which questions appear in your questionnaire. See [How to choose the right company category].
ISO 27001
An international standard for information security management systems. Companies certified to ISO 27001 may follow a modified assessment pathway. The CyberVadis methodology maps to ISO 27001 requirements.
Legal entity
The specific company or organizational unit being assessed, for example a subsidiary, a parent company, or a single production site. Your assessment scope is defined at the level of a legal entity. See [What is the assessment scope?].
Maturity level
A measure of how systematically and consistently your company manages cybersecurity, not just whether individual controls exist. A higher maturity level means security practices are defined, implemented, and actively monitored. See [Understanding your scorecard and the CyberVadis scoring scale].
MFA (Multi-Factor Authentication)
A login security method that requires a second form of verification (such as a code sent to your phone) in addition to your password. MFA is required for all CyberVadis platform accounts. See [Setting up multi-factor authentication].
NIS2 (Network and Information Security Directive 2)
A European Union directive requiring organizations in critical sectors to implement cybersecurity risk management measures. The CyberVadis methodology maps to NIS2 requirements.
NIST Cybersecurity Framework
A widely adopted US framework for managing cybersecurity risk, organized around five functions: Identify, Protect, Detect, Respond, Recover. The CyberVadis methodology draws on NIST principles.
Qualification questionnaire
A short set of yes/no questions completed at the start of the assessment, before the full questionnaire. Your answers determine which questions appear in your customized questionnaire. Once submitted, the qualification section is locked.
Reassessment
A repeat of the assessment process, conducted after your initial scorecard has been published. It typically takes place annually at subscription renewal, or earlier if you request an additional assessment. Your questionnaire is pre-filled with your previous answers to save time. See [Making reassessments easy].
Scope
The specific legal entity and the boundaries of what is being evaluated in your assessment. Your scope is confirmed during registration and displayed on your questionnaire. See [What is the assessment scope?].
Scorecard
The output of the CyberVadis assessment: a validated summary of your company's cybersecurity performance, broken down by function and topic. It includes your overall score, function scores, identified strengths, and risk areas. You can share your scorecard with clients and partners directly from the platform.
Tacit renewal
An automatic renewal of your subscription at the end of each annual period, unless you cancel in accordance with the agreed terms. CyberVadis subscriptions renew tacitly each year. See [Subscription period and scorecard validity].
Token
An internal term for an assessment credit: the entitlement to conduct one assessment cycle. Your subscription includes one token per year. An additional assessment (a mid-year reassessment) requires purchasing an additional token.
