Rating Methodology

Learn how Finnovia assesses and rates your organization's cybersecurity posture.

Overview

Finnovia assesses organizations against three European cybersecurity frameworks: ISO 27001, NIS2, and DORA. Each assessment is based on a structured questionnaire organized by domains, where answers are converted into weighted scores to produce an overall FR-Rating.

Our methodology is designed to be transparent, reproducible, and aligned with European regulatory requirements. Domain weights reflect each framework's regulatory priorities.

ISO 27001

55 questions · 10 domains

NIS2

34 questions · 7 domains

DORA

38 questions · 7 domains

Maturity Scale

Each question is assessed on a 5-level maturity scale, from 0 (no measures in place) to 4 (optimized process with continuous improvement).

Level  Maturity   Description                                                      Score
0      None       No measures in place or undocumented practice.                   0%
1      Initial    Ad hoc practices, not formalized or repeatable.                  25%
2      Defined    Documented process applied consistently.                         50%
3      Managed    Process measured, controlled, and regularly audited.             75%
4      Optimized  Continuous improvement, benchmarking, and proactive adaptation.  100%

Questions marked "Not Applicable" are excluded from the calculation and do not penalize the score.

Scoring Process

Step 1 — Domain Score

For each domain, the score is the average of the maturity scores of the answered questions, expressed as a percentage. "Not Applicable" answers are excluded from both the sum and the count. A domain where every applicable question scores level 3 (Managed) therefore has a 75% score.

Step 2 — Weighted Overall Score

The overall score is calculated as the weighted sum of each domain score. Each domain contributes proportionally to its weight, which reflects its importance within the framework.

Step 3 — FR-Rating Assignment

The overall score is converted to an FR-Rating using a fixed 7-level scale, from FR-Caa (score below 25%) to FR-Aaa (score of 95% or above).
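The three steps above, implemented end to end as an added example (this is illustrative code, not Finnovia's own scoring engine). It uses the maturity scores, the NIS2 domain weights and the FR-Rating thresholds exactly as listed on this page; the answer set is constructed for the example. One case the page does not specify is a domain in which every question is "Not Applicable"; the example drops such a domain and renormalises the remaining weights, and that choice is labelled as an assumption in the code.

```python
from typing import Dict, List, Optional, Tuple

# Maturity level -> score fraction, as in the page's maturity scale (level / 4).
LEVEL_SCORE = {0: 0.0, 1: 0.25, 2: 0.50, 3: 0.75, 4: 1.00}

# FR-Rating thresholds from the page's FR-Rating Scale, checked highest first;
# anything below 25% is FR-Caa.
FR_RATING_SCALE: List[Tuple[str, float]] = [
    ("FR-Aaa", 0.95), ("FR-Aa", 0.85), ("FR-A", 0.70),
    ("FR-Baa", 0.55), ("FR-Ba", 0.40), ("FR-B", 0.25),
]

# NIS2 domain weights (percent) as listed on the page.
NIS2_WEIGHTS: Dict[str, int] = {
    "Cybersecurity Risk Management Measures": 25,
    "Governance & Risk Management": 18,
    "Incident Reporting": 18,
    "Supply Chain Security": 12,
    "Risk Framework & Resilience": 12,
    "Access Control & Identity": 8,
    "Business Continuity & Crisis Management": 7,
}

# Constructed sample answers: one maturity level per question, None = "Not Applicable".
SAMPLE_NIS2_ANSWERS: Dict[str, List[Optional[int]]] = {
    "Cybersecurity Risk Management Measures": [3, 3, 2, 4, 3],
    "Governance & Risk Management": [2, 2, 3, None],
    "Incident Reporting": [4, 4, 3],
    "Supply Chain Security": [1, 2, 2],
    "Risk Framework & Resilience": [3, 3],
    "Access Control & Identity": [2, 3, 3, 2],
    "Business Continuity & Crisis Management": [1, 1, 2],
}


def domain_score(answers: List[Optional[int]]) -> Optional[float]:
    """Step 1: mean of the applicable answers' scores, as a fraction 0..1.
    Returns None when every question in the domain is Not Applicable."""
    applicable = [a for a in answers if a is not None]
    if not applicable:
        return None
    for level in applicable:
        if level not in LEVEL_SCORE:
            raise ValueError(f"maturity level out of range: {level}")
    return sum(LEVEL_SCORE[a] for a in applicable) / len(applicable)


def overall_score(scores: Dict[str, Optional[float]], weights: Dict[str, int]) -> float:
    """Step 2: weighted sum of the domain scores.
    Assumption (not stated on the page): a domain with no applicable answers is
    dropped and the remaining weights are renormalised to 100%."""
    if set(scores) != set(weights):
        raise ValueError("answers and weights must cover the same domains")
    if sum(weights.values()) != 100:
        raise ValueError("domain weights must sum to 100%")
    live = {d: s for d, s in scores.items() if s is not None}
    if not live:
        raise ValueError("no applicable answers in any domain")
    total_weight = sum(weights[d] for d in live)
    return sum(weights[d] * s for d, s in live.items()) / total_weight


def fr_rating(score: float) -> str:
    """Step 3: map the overall score to the 7-level FR-Rating scale."""
    for label, threshold in FR_RATING_SCALE:
        if score >= threshold:
            return label
    return "FR-Caa"


def assess(answers: Dict[str, List[Optional[int]]], weights: Dict[str, int]):
    """Run all three steps; returns (domain scores, overall score, rating)."""
    scores = {d: domain_score(a) for d, a in answers.items()}
    overall = overall_score(scores, weights)
    return scores, overall, fr_rating(overall)


if __name__ == "__main__":
    scores, overall, rating = assess(SAMPLE_NIS2_ANSWERS, NIS2_WEIGHTS)
    for domain, s in scores.items():
        print(f"{domain:42s} {s:6.1%}" if s is not None else f"{domain:42s}    N/A")
    print(f"Overall: {overall:.1%} -> {rating}")
```

With the constructed answers the overall score lands at about 67.1%, which is FR-Baa: the organisation is three points short of the 70% FR-A threshold even though its incident reporting domain scores over 90%, which is the effect of the weights the page describes.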

FR-Rating Scale

The FR-Rating translates the overall score into a comparable grade, inspired by financial credit ratings. It provides an immediate reading of compliance maturity.

FR-Aaa  Excellence    ≥ 95%
FR-Aa   Very High     ≥ 85%
FR-A    High          ≥ 70%
FR-Baa  Satisfactory  ≥ 55%
FR-Ba   Moderate      ≥ 40%
FR-B    Low           ≥ 25%
FR-Caa  Insufficient  < 25%

Domain Weights by Framework

Each framework assigns different weights to its domains, reflecting regulatory priorities. Higher-weighted domains have a greater impact on the final rating.

ISO 27001

55 questions · 10 domains

ISMS Scope, Governance & Leadership        15%
Risk Management & Assessment               15%
Access Control & Identity Management       13%
Incident Management & Monitoring           12%
Supplier & Third-Party Security            10%
Business Continuity                        10%
Asset Management & Information Transfer     8%
Cryptography & Data Protection              8%
Physical & Environmental Security           5%
Vulnerability & Patch Management            4%

NIS2

34 questions · 7 domains

Cybersecurity Risk Management Measures     25%
Governance & Risk Management               18%
Incident Reporting                         18%
Supply Chain Security                      12%
Risk Framework & Resilience                12%
Access Control & Identity                   8%
Business Continuity & Crisis Management     7%

DORA

38 questions · 7 domains

ICT Risk Management Framework              20%
ICT Incident Management & Reporting        20%
ICT Third-Party Risk Management            18%
Digital Operational Resilience Testing     17%
Information Sharing                        10%
Governance & Oversight                     10%
Data Management & Resilience                5%

Our Commitments

Finnovia's methodology is built on transparency and rigor:

  • Public weights — domain weights are openly communicated.
  • Deterministic scoring — identical answers always produce identical scores. No subjective factors.
  • Regulatory alignment — questionnaires exhaustively cover each framework's requirements.
  • Independent verification — submitted assessments can be verified by a Finnovia analyst before publication.