Achieving a score that accurately represents your company's cybersecurity maturity comes down to one thing: the quality and completeness of your evidence. Our analysts can only credit what they can verify. Here is what to focus on.
1. Select every control that applies to your company
Each question contains multiple controls. To receive the full question score, you need to address every control that genuinely applies to your company.
Unselected controls automatically receive a score of zero, regardless of your actual practices.
If a control does not apply to your company, do not simply leave it unselected. Instead, select it and use the comment field to explain why it is not applicable. Our analysts will take your explanation into account. Selecting a control without any supporting evidence or explanation, however, will not earn credit.
2. Provide evidence at all three levels
For each control, aim to provide evidence that covers all three layers:
Definition: a formal policy or procedure confirming the practice is established
Implementation: proof the practice is being followed (screenshots, audit reports, configuration records)
Monitoring: evidence the practice is actively maintained and reviewed (logs, review reports, scan results)
A written policy alone is rarely sufficient for a full score. Analysts look for proof that security measures are not just documented but actually enforced in your systems and kept under review.
A practical example: password policy
Consider a control asking whether your organisation enforces password complexity requirements. A strong submission would include:
The relevant section of your password policy (definition)
A screenshot of the rejection message a user sees when setting a password that fails the rules, or an export of the configuration that enforces them (implementation)
A dated periodic review, such as a system configuration audit or access review report, confirming the control is still enforced (monitoring)
Mask usernames, IP addresses and other sensitive identifiers before uploading. Analysts verify that the control exists and is enforced; they do not need to know whose account or which host appears in the evidence.
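For text-based evidence such as log extracts or configuration exports, masking can be scripted. The following is an added example written for this page; it is not a CyberVadis tool and nothing on the assessment platform depends on it. It assumes key=value style log lines with `user=` and `host=` fields (the sample lines are constructed, not real data) and a secret key that stays with you. Rather than blanking identifiers out, it replaces each one with a keyed pseudonym, so the same account or address gets the same token in every document you upload and an analyst can still see that the entry in the audit report matches the one in the screenshot.

```python
import hashlib
import hmac
import re

# Constructed sample evidence (not real log data): an extract from an
# authentication log showing password complexity being enforced.
SAMPLE_EVIDENCE = """\
2024-03-04 09:12:31 host=auth01 src=10.42.7.15 user=alice.m result=REJECTED reason=complexity
2024-03-04 09:12:58 host=auth01 src=10.42.7.15 user=alice.m result=ACCEPTED
2024-03-04 09:15:02 host=auth02 src=192.168.3.200 user=bob@example.com result=REJECTED reason=length
"""

# Identifier patterns. The field names (user=, host=) are an assumption about
# the log format; adapt them to the export you are masking.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
USER_FIELD = re.compile(r"\b(user|username|account)=(\S+)")
HOST_FIELD = re.compile(r"\b(host|hostname)=(\S+)")


def pseudonym(value: str, secret: bytes, label: str, length: int = 8) -> str:
    """Deterministic keyed pseudonym: the same input always yields the same token,
    but without the secret the original value cannot be recovered or guessed."""
    digest = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"<{label}:{digest[:length]}>"


def redact(text: str, secret: bytes) -> str:
    """Replace usernames, hostnames, e-mail addresses and IPv4 addresses with pseudonyms."""
    def field_replacer(label: str):
        return lambda m: f"{m.group(1)}={pseudonym(m.group(2), secret, label)}"

    # Structured fields first, so a value like user=bob@example.com is replaced as a
    # unit; then catch any remaining e-mail or IP address anywhere in the line.
    out = USER_FIELD.sub(field_replacer("user"), text)
    out = HOST_FIELD.sub(field_replacer("host"), out)
    out = EMAIL.sub(lambda m: pseudonym(m.group(0), secret, "user"), out)
    out = IPV4.sub(lambda m: pseudonym(m.group(0), secret, "ip"), out)
    return out


def leftover_identifiers(text: str) -> list:
    """Pre-upload check: list any raw IP or e-mail address still present."""
    return IPV4.findall(text) + EMAIL.findall(text)


if __name__ == "__main__":
    # The secret should be generated once and kept outside the evidence package.
    masked = redact(SAMPLE_EVIDENCE, b"replace-with-a-random-secret")
    print(masked)
    print("leftover identifiers:", leftover_identifiers(masked))
```

Run the check on the masked output before attaching it, and keep the secret out of the upload; the pseudonyms are only useful to you if you ever need to map a token back to a real account. Screenshots are images, so this approach does not apply to them; mask those with an image editor before upload.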
3. Upload complete documents, not just summaries
Redacted or partial versions of policies are acceptable. However, a table of contents alone is not sufficient evidence. Our analysts need enough content to verify that the policy covers the relevant security practice in substance, not just in name.
Similarly, a written statement or explanation in your own words earns only partial credit at best. Formal documentation carries significantly more weight.
4. Evidence by function: what analysts look for
To give you a sense of what strong evidence looks like across the four functions:
Identify: asset inventories, risk registers, data classification policies, RACI matrices for security roles
Protect: access control procedures, encryption configurations, network diagrams, security awareness training records
Detect: log management policies, vulnerability scan reports, monitoring tool configurations, anomaly detection records
React: incident response plans, business continuity procedures, post-incident review reports, crisis communication protocols
5. Partial evidence earns partial credit
If you cannot provide complete evidence for a control, submit what you have. Partial evidence earns partial credit. An incomplete submission is always better than a missing one, and our analysts will score what they can verify from what you provide.
For details on how partial credit affects your overall score, see [How is your score calculated?]. For the scoring levels and what they mean, see [Understanding your scorecard and the CyberVadis scoring scale].
