# Vendor Score: Trust Score

Ingrid

The Trust Score is a 0–100 rating that measures the trustworthiness of a vendor based on documentation, assessments, and third-party data. It is calculated using a weighted combination of specific categories that reflect a vendor's security posture.

Trust Scores are used to:

- Classify vendors based on trust level
- Support residual risk calculations as part of broader vendor risk scoring
- Support decision-making in third-party risk management programs

## Configuring the Trust Score

The Trust Score is distributed across the following default categories.

| Category | Description |
| --- | --- |
| External Audits / Assessments | Security audits and assessments submitted by the vendor |
| Certifications | Compliance certifications and privacy standards submitted by the vendor |
| Full-Time CISO | Whether the vendor has a dedicated, full-time Chief Information Security Officer |
| Insurances | Insurance documentation submitted by the vendor |
| Questionnaires | Scores from completed vendor questionnaires |
| Bitsight Rating | External security ratings from Bitsight |

Each category can be weighted between 0% and 100%, and the total must equal 100%. Weights can be assigned in Assessment Setup → Scoring based on the importance you want to give to each category.

## Calculating Trust Score

### For Managed Vendors

```text
Trust Score =
    (External Audit Score × weight)
  + (Certification Score × weight)
  + (CISO Score × weight)
  + (Insurance Score × weight)
  + (Questionnaire Score × weight)
  + (Bitsight Score × weight)
  – (Findings Deductions)
  ± (Manual Adjustments)
```

For Managed Vendors, all documents shared by the vendor are considered, not just those explicitly required by the assessment. In most categories (e.g., Questionnaires, Full-Time CISO), the highest-scoring individual item is used. In other categories, specifically External Audits, Certifications, and Insurances, scores from multiple documents may be added together to calculate the raw category score.
If the combined total exceeds 100, it is capped at 100 before the assigned weight is applied to the Trust Score.

Example: A vendor uploads three valid certifications:

- ISO 27001 (100 points)
- SOC 2 Type I (50 points)
- ISO 27018 (50 points)

Combined score = 200 → capped at 100. If the Certifications category is weighted at 20%, the contribution to the Trust Score will be:

→ 100 × 20% = 20 points

### For Monitored Vendors

```text
Trust Score = (Bitsight Score × 100%) – (Findings Deductions) ± (Manual Adjustments)
```

For Monitored Vendors, only Bitsight data is used to calculate the Trust Score, as there is no connection with the vendor and no access to their security documentation. Even if your Trust Score configuration includes other categories, those weights are ignored for Monitored Vendors. Instead, the system automatically normalizes the Bitsight score to represent 100% of the Trust Score, so the Trust Score is entirely based on the vendor's Bitsight Security Rating.

Example: If your Trust Score weights are set as:

- Bitsight: 40%
- Certifications: 60%

then for Monitored Vendors:

→ Trust Score = Bitsight Score × 100%

## Trust Score Category Scoring

### External Audits / Assessments

Scoring is based on audit type and document expiration:

- Example scores: General Security Audit = 100, Penetration Test = 50
- Expired documents = 0
- Multiple audit scores are added and capped at 100

### Certifications

Scoring depends on certification type, expiration, and scope:

- Example scores: ISO 27001 = 100, SOC 2 Type I = 50, SOC 2 Type II = 100
- Full scope = full score
- Partial scope = 50% of the score
- Expired certifications = 0
- Multiple certification scores are added and capped at 100

### Insurances

Only specific insurance types contribute to the score.

- Examples: Cyber Liability / Data Privacy = 100, Commercial General Liability = 0
- Expired documents = 0
- Scores from multiple valid policies are summed and capped at 100

### Full-Time CISO

Binary vendor self-reported field:

- Checked = 100
- Unchecked = 0

The field is self-reported and depends entirely on the vendor marking it. Vendors can update it in the Trust Management Hub under Settings → Company & Profile Information → Financials.

### Questionnaires

The system uses the highest-scoring questionnaire shared by the vendor, regardless of whether it was required. The score is calculated by:

1. Assigning weights to answers
2. Applying question priority (0–4)
3. Calculating:
   - Question Score = Answer Impact × Priority
   - Category Score = (Σ Question Scores / Σ Priorities) × 100
   - Questionnaire Score = (Σ Category Scores / Σ Priorities) × 100

See Calculating Questionnaire Scores for the full methodology.

### Bitsight Rating

The Bitsight Rating category is normalized to a 0–100 scale to align with the Trust Score methodology. This normalization adjusts for the Bitsight Rating range (250–900) using the following formula:

Trust Score Category = ((Bitsight Rating – 250) / (900 – 250)) × 100

This ensures consistent impact regardless of Bitsight's native scoring scale.

Example: A Bitsight Rating of 390 is calculated as:

→ ((390 – 250) / 650) × 100 = 21.5 points

## Trust Score Adjustments

### Automatic Deductions from Findings

The Trust Score can also be impacted by open findings associated with the vendor. When findings are created, automatic point deductions are applied based on the criticality of each open finding. These deductions help reflect a vendor's unresolved security risks in the overall Trust Score.

Findings Trust Score adjustments are configured in Assessment Setup → Scoring and apply to both Managed and Monitored Vendors.
| Criticality | Sample Deduction |
| --- | --- |
| Critical | -4 |
| High | -3 |
| Medium | -2 |
| Low | -1 |
| None | 0 |

### Manual Trust Score Adjustments

Trust Scores can be manually adjusted to reflect risk insights not captured by the platform's automated scoring. Manual adjustments can be made via Vendor Profile → Tiering and can either increase or decrease the Trust Score based on your organization's policies and the severity of the external information.

Use manual adjustments to:

- Reflect additional or external risk factors accurately
- Maintain scores that are responsive to time-sensitive or high-impact issues
- Ensure assessments align with the most current information available

Examples:

- A security breach that is not yet recorded in the system may justify reducing the Trust Score.
- If a monitored vendor is sanctioned, the Trust Score can be set to 0 to disqualify them from further consideration.

## Additional Notes

- Trust Scores are dynamic: Vendor Trust Scores are recalculated automatically when relevant inputs change, such as document uploads, questionnaire responses, or Bitsight Rating updates.
- Expired documents are not scored: Documents with past expiration dates are excluded from scoring. This applies to audits, certifications, and insurance policies.
- Category scores are capped at 100 before weighting: If multiple valid documents in a category exceed 100 points combined, the total is capped at 100 before applying the category's weight.
- Credit is given for all qualifying uploads: Vendors receive Trust Score credit for any valid documents or assessments they share, whether required or not.
- Trust Scores are not vendor-visible: Vendors do not see their Trust Score or its components.

## Article updates

- January 31, 2025: "Factor" terminology changed to "category" for consistency.
- December 17, 2025: Article rewrite for clarity.
- December 19, 2024: Trust Score adjustment.
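The arithmetic from the Calculating Trust Score and Category Scoring sections, pulled together as an added Python example (not Bitsight VRM's own code): additive categories are capped at 100 before weighting, the Bitsight Rating is normalized from 250–900 onto 0–100, Monitored Vendors use the normalized Bitsight score alone, and open findings subtract the sample deductions from the table above. The category names, the per-finding deduction model and the final 0–100 clamp are assumptions made for illustration.

```python
# Added example, not Bitsight VRM's own code: Trust Score arithmetic as described in this article.
BITSIGHT_MIN, BITSIGHT_MAX = 250, 900

# Sample per-finding deductions from the table above (assumption: one deduction per open finding).
FINDING_DEDUCTIONS = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}


def normalize_bitsight(rating):
    """Map a Bitsight Rating (250-900) onto the 0-100 Trust Score scale."""
    return (rating - BITSIGHT_MIN) / (BITSIGHT_MAX - BITSIGHT_MIN) * 100


def additive_category(doc_scores):
    """External Audits, Certifications, Insurances: valid document scores are summed
    and capped at 100 before weighting. Expired documents contribute 0."""
    return min(sum(doc_scores), 100)


def best_of_category(item_scores):
    """Questionnaires, Full-Time CISO: only the highest-scoring item counts."""
    return max(item_scores, default=0)


def finding_deductions(open_findings):
    """Total points removed for open findings, by criticality."""
    return sum(FINDING_DEDUCTIONS[c.lower()] for c in open_findings)


def trust_score(weights, categories, bitsight_rating, open_findings=(),
                manual_adjustment=0, monitored=False):
    """weights: category name -> percent (must total 100; names are hypothetical).
    categories: category name -> already-capped 0-100 score; Bitsight is derived here."""
    if monitored:
        # No vendor connection: Bitsight is renormalised to 100% and other weights are ignored.
        base = normalize_bitsight(bitsight_rating)
    else:
        if sum(weights.values()) != 100:
            raise ValueError("category weights must total 100%")
        scores = dict(categories, bitsight=normalize_bitsight(bitsight_rating))
        base = sum(scores.get(name, 0) * pct / 100 for name, pct in weights.items())
    score = base - finding_deductions(open_findings) + manual_adjustment
    return round(max(0, min(100, score)), 1)  # assumption: final score clamped to 0-100


if __name__ == "__main__":
    weights = {"audits": 30, "certifications": 20, "ciso": 10,
               "insurances": 10, "questionnaires": 20, "bitsight": 10}
    cats = {"audits": additive_category([50]),                    # one penetration test
            "certifications": additive_category([100, 50, 50]),   # 200 -> capped at 100
            "ciso": best_of_category([100]),
            "insurances": additive_category([100, 0]),            # cyber liability + CGL
            "questionnaires": best_of_category([72, 85])}
    print("managed:", trust_score(weights, cats, 390, ["High", "Low"]))  # 70.2
    print("monitored:", trust_score(weights, {}, 390, monitored=True))   # 21.5
```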