PROVEN. CONNECTED. RESILIENT.
Organizations vary significantly in size, complexity, and cybersecurity maturity. As a result, a one-size-fits-all approach rarely delivers optimal value. Our evaluation model, built upon a proven industry framework, is structured into four progressive tiers that encompass an expanding set of cybersecurity risk management practices so that you can define the coverage depth that best aligns with your needs.
FOUNDATION
Designed to establish a clear view of how effectively an organization performs the essential cybersecurity practices that nearly every program should have in place, the Foundation tier concentrates on baseline practices that are broadly applicable across industries and operating models and that typically represent the minimum expected capabilities for responsible cybersecurity risk management.
Ideal for organizations:
Seeking baseline cybersecurity evaluation
In the early stage of cybersecurity program development
Undergoing independent evaluation for the first time
CORE
Building upon the previous tier, the Core evaluation encompasses a broad set of outcomes commonly present in established cybersecurity risk management programs and includes practices that are still widely applicable, yet typically require more structure, coordination, and operational discipline to execute consistently. It is designed for organizations that already have the basics in place and want an evaluation that reflects what a “standard” mature program is generally expected to demonstrate.
Ideal for organizations:
Managing established cybersecurity programs
Subject to regulatory or contractual requirements
Seeking broader coverage of relevant domains
PLATFORM
Healthy business relationships require a deep understanding of third-party cybersecurity risk exposure. The Platform tier goes beyond a mere examination of cybersecurity controls and incident response techniques to ascertain how organizations frame, measure, and remediate cybersecurity risk, and includes practices critical to running cybersecurity risk management as a durable, repeatable program across multiple business units.
Ideal for organizations:
With dedicated cybersecurity leadership
Managing complex, large-scale technology environments
Seeking deep due diligence solutions for third-party risk
ARCHITECTURE
Mature organizations with substantial resource capacity are better positioned to oversee sophisticated cybersecurity risk management programs. The Architecture tier extends coverage to advanced practices typically present in mature cybersecurity programs, emphasizing intentional design, long-term sustainability, and the ability to support evolving business and threat environments.
Ideal for organizations:
Operating in highly regulated environments
With advanced cybersecurity risk management capabilities
Seeking complete coverage of all relevant domains
CUSTOM
For organizations that prefer to define their own cybersecurity requirements for potential suppliers, our Custom option was designed with you in mind. This flexible approach lets you leverage our best-in-class evaluation process while maintaining the freedom to prioritize what matters most to your organization. You can also draw from our curated requirements library to build a tailored evaluation solution that aligns with your most critical needs.
Talk to us
Are you interested in understanding and reducing cybersecurity risks in your supply chain? Would you like additional input into your due diligence process during the negotiation phase of a business relationship? Does your regulatory burden require independent validation of the state and quality of internal cybersecurity risk management practices?
We would like to hear from you.