The Trust Score is a 0–100 rating that measures the trustworthiness of a vendor based on documentation, assessments, and third-party data. It is calculated using a weighted combination of specific categories that reflect a vendor’s security posture.
Trust Scores are used to:
- Classify vendors based on trust level
- Support residual risk calculations as part of broader vendor risk scoring
- Support decision-making in third-party risk management programs
Configuring the Trust Score
The Trust Score is distributed across the following default categories.
| Category | Description |
| --- | --- |
| External Audits / Assessments | Security audits and assessments submitted by the vendor |
| Certifications | Compliance and privacy certifications submitted by the vendor |
| Full-Time CISO | Whether the vendor has a dedicated, full-time Chief Information Security Officer |
| Insurances | Insurance documentation submitted by the vendor |
| Questionnaires | Scores from completed vendor questionnaires |
| Bitsight Rating | External security ratings from Bitsight |
Each category can be weighted between 0% and 100%, and the total must equal 100%. Weights can be assigned in Assessment Setup → Scoring based on the importance you want to give to each category.
Calculating Trust Score
For Managed Vendors:
Trust Score =
(External Audit Score × weight) +
(Certification Score × weight) +
(CISO Score × weight) +
(Insurance Score × weight) +
(Questionnaire Score × weight) +
(Bitsight Score × weight) –
(Findings Deductions) ±
(Manual Adjustments)
For Managed Vendors, all documents shared by the vendor are considered, not just those explicitly required by the assessment.
- In most categories (e.g., Questionnaires, Full-Time CISO), only the highest-scoring individual item is used.
- In other categories — specifically External Audits, Certifications, and Insurances — scores from multiple documents may be added together to calculate the raw category score.
- If the combined total exceeds 100, it is capped at 100 before the assigned weight is applied to the Trust Score.
Example:
A vendor uploads three valid certifications:
- ISO 27001 (100 points)
- SOC 2 Type I (50 points)
- ISO 27018 (50 points)
Combined score = 200 → Capped at 100
If the "Certifications" category is weighted at 20%, the contribution to the Trust Score will be:
→ 100 × 20% = 20 points
For Monitored Vendors:
Trust Score =
(Bitsight Score × 100%) –
(Findings Deductions) ±
(Manual Adjustments)
For Monitored Vendors, only Bitsight data is used to calculate the Trust Score, as there is no connection with the vendor and no access to their security documentation. Even if your Trust Score configuration includes other categories, those weights are ignored for Monitored Vendors. Instead:
- The Bitsight category is automatically reweighted to 100% of the Trust Score.
- The Trust Score is therefore based entirely on the vendor's normalized Bitsight Security Rating, less any findings deductions and plus or minus any manual adjustments.
Example:
If your Trust Score weights are set as:
- Bitsight: 40%
- Certifications: 60%
Then for Monitored Vendors:
→ Trust Score = Bitsight Score × 100%
Trust Score Category Scoring
External Audits / Assessments
Scoring is based on audit type and document expiration:
- Example scores: General Security Audit = 100, Penetration Test = 50
- Expired documents = 0
- Multiple audit scores are added and capped at 100
Certifications
Scoring depends on certification type, expiration, and scope:
- Example scores: ISO 27001 = 100, SOC 2 Type I = 50, SOC 2 Type II = 100
- Full scope = full score
- Partial scope = 50% score
- Expired certifications = 0
- Multiple certification scores are added and capped at 100
Insurances
Only specific insurance types contribute to the score.
- Examples: Cyber Liability / Data Privacy = 100, Commercial General Liability = 0
- Expired documents = 0
- Scores from multiple valid policies are summed and capped at 100
Full-Time CISO
Binary, vendor self-reported field:
- Checked = 100
- Unchecked = 0
The field is self-reported and depends entirely on the vendor marking it. Vendors can update it in the Trust Management Hub under Settings → Company & Profile Information → Financials.
Questionnaires
The system uses the highest-scoring questionnaire shared by the vendor, regardless of whether it was required. The score is calculated by:
- Assigning an impact weight to each answer (Answer Impact)
- Applying a question priority (0–4)
- Calculating:
Question Score = Answer Impact × Priority
Category Score = (Σ Question Scores / Σ Priorities) × 100
Questionnaire Score = (Σ Category Scores / Σ Priorities) × 100
See Calculating Questionnaire Scores for full methodology.
Bitsight Rating
The Bitsight Rating category is normalized to a 0–100 scale to align with the Trust Score methodology. This normalization adjusts for the Bitsight Rating range (250–900) using the following formula:
Trust Score Category = ((Bitsight Rating – 250) / (900 – 250)) × 100
This ensures consistent impact regardless of Bitsight’s native scoring scale.
Example: A Bitsight Rating of 390 is calculated as:
→ ((390 – 250) / 650) × 100 ≈ 21.5 points
Trust Score Adjustments
Automatic Deductions from Findings
The Trust Score can also be impacted by open findings associated with the vendor.
When findings are created, automatic point deductions are applied based on the criticality of each open finding. These deductions help reflect a vendor’s unresolved security risks in the overall Trust Score.
Findings Trust Score adjustments are configured in Assessment Setup → Scoring and apply to both Managed and Monitored Vendors.
| Criticality | Sample Deduction |
| --- | --- |
| Critical | -4 |
| High | -3 |
| Medium | -2 |
| Low | -1 |
| None | 0 |
Manual Trust Score Adjustments
Trust Scores can be manually adjusted to reflect risk insights not captured by the platform's automated scoring. Manual adjustments are made via Vendor Profile → Tierin and can either increase or decrease the Trust Score, based on your organization's policies and the severity of the external information.
Use manual adjustments to:
- Reflect additional or external risk factors accurately
- Maintain scores that are responsive to time-sensitive or high-impact issues
- Ensure assessments align with the most current information available
Examples:
- A security breach that is not yet recorded in the system may justify reducing the Trust Score.
- If a monitored vendor is sanctioned, the Trust Score can be set to 0 to disqualify them from further consideration.
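Putting the rules above together, here is an added Python model of the calculation. It is example code written for this article, not the platform's own implementation. The point values, weights, documents and findings are constructed from the examples in the text; the clamp of the final score to 0–100, the treatment of an unchecked Full-Time CISO field as a missing item, and the check that category weights total 100% are assumptions.

```python
"""Worked model of the Trust Score calculation described in this article.
Added example, not platform code. Point values, weights, documents and
findings below are constructed from the article's examples."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

BITSIGHT_MIN, BITSIGHT_MAX = 250, 900
# Categories whose valid documents are summed, then capped at 100.
SUMMED = {"audits", "certifications", "insurances"}
# Sample per-finding deductions from the table above (configurable in the product).
DEDUCTIONS = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}
TODAY = date(2025, 1, 1)  # reference date for expiry checks in the samples


@dataclass
class Document:
    category: str            # audits | certifications | insurances | questionnaires | ciso
    points: float            # base points for this document/item type
    expires: Optional[date] = None
    full_scope: bool = True  # certifications only: partial scope scores 50%

    def score(self, today: date) -> float:
        if self.expires is not None and self.expires < today:
            return 0.0       # expired documents are not scored
        if self.category == "certifications" and not self.full_scope:
            return self.points * 0.5
        return self.points


def normalize_bitsight(rating: float) -> float:
    """Map a Bitsight Rating (250-900) onto the 0-100 Trust Score scale."""
    rating = min(max(rating, BITSIGHT_MIN), BITSIGHT_MAX)
    return (rating - BITSIGHT_MIN) / (BITSIGHT_MAX - BITSIGHT_MIN) * 100


def category_scores(docs: Iterable[Document], today: date) -> Dict[str, float]:
    """Raw category scores: sum-then-cap for SUMMED categories, best item elsewhere."""
    raw: Dict[str, List[float]] = {}
    for d in docs:
        raw.setdefault(d.category, []).append(d.score(today))
    return {c: min(100.0, sum(s)) if c in SUMMED else max(s) for c, s in raw.items()}


def validate_weights(weights: Dict[str, float]) -> None:
    if any(not 0 <= w <= 100 for w in weights.values()):
        raise ValueError("each category weight must be between 0% and 100%")
    if abs(sum(weights.values()) - 100) > 1e-9:
        raise ValueError(f"weights must total 100%, got {sum(weights.values())}")


def trust_score(vendor_type: str, weights: Dict[str, float], docs: List[Document],
                bitsight_rating: Optional[float], open_findings: Iterable[str],
                manual_adjustment: float = 0.0, today: date = TODAY) -> float:
    validate_weights(weights)
    bitsight = normalize_bitsight(bitsight_rating) if bitsight_rating is not None else 0.0
    if vendor_type == "monitored":
        weighted = bitsight            # Bitsight counts as 100%; configured weights ignored
    elif vendor_type == "managed":
        cats = category_scores(docs, today)
        cats["bitsight"] = bitsight
        weighted = sum(cats.get(c, 0.0) * w / 100 for c, w in weights.items())
    else:
        raise ValueError(f"unknown vendor type {vendor_type!r}")
    deductions = sum(DEDUCTIONS[f.lower()] for f in open_findings)
    # Assumption: the final rating is clamped to the 0-100 range it is defined on.
    return max(0.0, min(100.0, weighted - deductions + manual_adjustment))


# Constructed sample configuration and vendor evidence (not real data).
WEIGHTS = {"audits": 20, "certifications": 20, "ciso": 10,
           "insurances": 10, "questionnaires": 20, "bitsight": 20}
SAMPLE_DOCS = [
    Document("certifications", 100),                       # ISO 27001
    Document("certifications", 50),                        # SOC 2 Type I
    Document("certifications", 50),                        # ISO 27018 -> 200, capped at 100
    Document("audits", 100),                               # general security audit
    Document("audits", 50, expires=date(2024, 6, 30)),     # expired pentest -> 0
    Document("insurances", 100),                           # cyber liability
    Document("ciso", 100),                                 # Full-Time CISO checked
    Document("questionnaires", 80),
    Document("questionnaires", 65),                        # only the best (80) counts
]


def managed_example() -> float:
    # 20 + 20 + 10 + 10 + 16 + (21.54 * 0.2) - (3 + 1) = 76.31
    return trust_score("managed", WEIGHTS, SAMPLE_DOCS, 390, ["High", "Low"])


def monitored_example() -> float:
    # Same documents, weights of 40/60: only the normalized Bitsight rating (21.54) is used.
    return trust_score("monitored", {"bitsight": 40, "certifications": 60},
                       SAMPLE_DOCS, 390, [])


if __name__ == "__main__":
    print(f"managed:   {managed_example():.2f}")
    print(f"monitored: {monitored_example():.2f}")
```

Two details are worth noticing when running it: the expired penetration test contributes nothing even though a valid general audit in the same category still reaches 100, and the monitored vendor's score is identical whatever weights are configured and whatever documents are on file, because only the Bitsight category is consulted.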
Additional Notes
- Trust Scores are dynamic: Vendor Trust Scores are recalculated automatically when relevant inputs change, such as document uploads, questionnaire responses, or Bitsight Rating updates.
- Expired documents are not scored: Documents with past expiration dates are excluded from scoring. This applies to audits, certifications, and insurance policies.
- Category scores are capped at 100 before weighting: If multiple valid documents in a category exceed 100 points combined, the total is capped at 100 before applying the category’s weight.
- Credit is given for all qualifying uploads: Vendors receive Trust Score credit for any valid documents or assessments they share, whether required or not.
- Trust Scores are not vendor-visible: Vendors do not see their Trust Score or its components.

- January 31, 2025: "Factor" terminology changed to "category" for consistency.
- December 17, 2025: Article rewrite for clarity.
- December 19, 2024: Trust Score adjustment.