Skip to main content

Understanding Assessment Tiers

Courtney Cohen
  • Updated

As a customer, it's important to evaluate your objectives and decide which tier of assessment makes the most sense for each third party. The tier of assessment should be determined by the level of sensitive data that the third party may handle, store, or have access to. By completing the Impact Questionnaire, CyberGRX will use the data to calculate an inherent risk score of High Exposure, Medium Exposure, or Low Exposure. Upon moving through the requesting process, CyberGRX will also recommend a tier based on the calculated inherent risk score.

 

Screen_Shot_2023-02-22_at_10.59.22_AM.png

Tier

Description

Question Count

Tier 2 Automated

Medium resolution report with automated-validation which checks for inconsistencies across assessment answers.

Ideal for determining if a moderate-risk Third Party is actively implementing and managing their cyber security program.

Scores are presented as maturity of control families and coverage of sub controls. Coverage alone does not indicate how well a control is implemented.

Maturity: 35
Control Family: 27
Control: 108
Sub-Control: 220

Total: 390

Tier 2 Remote

Medium resolution report with automated-validation as well as remote validation to check accuracy of which controls the Third Party indicated they have implemented.

Ideal for determining if a high-to-moderate-risk Third Party is actively implementing and managing their cyber security program.

Scores are presented as maturity of control families and coverage of sub controls. Coverage alone does not indicate how well a control is implemented.

Maturity: 35
Control Family: 27
Control: 108
Sub-Control: 220

Total: 390
Tier 1

Highest resolution validated report. The Tier 1 gauges the effectiveness of the implementation of controls based on metrics and validation. The Tier 1 is validated through remote evidence verification of the implementation of a targeted set of controls.

A Tier 1 is ideal for examining a critical Third-Party's sub control effectiveness (i.e. strength, coverage, and timeliness) in order to fully understand the risk they present. The Tier 1 gauges the effectiveness of the implementation of controls based on metrics and validation. 

Scores are presented as maturity of control families and effectiveness of sub controls.

Maturity: 35
Control Family: 27
Control: 108
Sub-Control: 220
Metric: 660

Total: 1050

 

 

Was this article helpful?
1 out of 1 found this helpful
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.