Frequently Asked Questions
Contact details in case you have any questions:
KSV1870 Nimbusec GmbH
office@nimbusec.com
+43 (732) / 860 626
Kaisergasse 16b, 4020 Linz
Table of contents
- What are the benefits for customers?
- What does the CyberRisk Rating by KSV1870 cost?
- Where can the CRR be used?
- Why do I get a request for a cyberrisk rating?
- How does the cyberrisk rating process work?
- Is there a time limit by which an assessment must be submitted?
- Is it possible for more than one person to work on the assessment?
- Do you have to complete the assessment all at once?
- Will I receive my answers including a valuation later?
- Who else gets the answers?
- Do the answers have to be provided for each client?
- Are the answers saved temporarily?
- How is the confidentiality of my own information guaranteed?
What are the benefits for customers?
Users of the CyberRisk Rating by KSV1870 receive a standardised process to rate all service providers, suppliers and other third parties with regard to their cyber risk. Rated companies receive an efficient, objective process that only needs to be carried out once a year to disclose their cyber risk to all interested customers. Through the published standard of the "Kompetenzzentrum Sicheres Österreich", rated companies can positively influence their cyber risk management. All companies receive a guideline, free of charge, for reducing their own cyber risk in a targeted and structured manner. This guideline is continuously maintained by Austria's most recognised experts and adapted to new technical requirements. Austria's economy becomes more resilient by reducing the cyber risk of its supply chains. This is the basis for the digitalisation necessary to maintain our international competitiveness.
What does the CyberRisk Rating by KSV1870 cost?
Companies that are rated do not have to bear any costs. Currently, the CyberRisk Rating is only offered for large companies and critical infrastructure. If you are interested in more information, we will be happy to answer your questions.
Where can the CRR be used?
The CyberRisk Rating by KSV1870 is based on the requirements of the Cyber Risk Scheme of the "Kompetenzzentrum Sicheres Österreich". These requirements were defined by leading cyber risk managers of Austrian companies from all sectors of critical infrastructure and representatives of the Federal Ministry of Internal Affairs. The CyberRisk Rating can therefore be used in every industry and economic sector in which an assessment of the cyber risk of companies - especially suppliers - is necessary.
In particular, operators of essential services are legally obliged under Section 11 (1) (2) in conjunction with Annex 1 NISV to take appropriate security precautions with regard to their dealings with service providers, suppliers and other third parties. The present CyberRisk Rating by KSV1870 aims at fulfilling this requirement (monitoring of suppliers of an energy group or an airport), but does not replace the necessary proof of an operator of essential services according to § 17 para. 3 NISG (= comprehensive audit of an operator of essential services, such as an energy group or an airport itself).
Why do I get a request for a cyberrisk rating?
Cyber risks such as IT security, data protection and business continuity are becoming increasingly significant due to digitalisation.
With the CyberRisk Rating, KSV1870 offers a transparent, time-saving process to evaluate companies in these dimensions.
This assessment is often required under the DSGVO (GDPR) or the NIS law.
As a rated company, you bear no costs and receive an objective picture of your own cyber risk.
How does the cyberrisk rating process work?
The rating consists of an assessment based on 25 requirements of the publicly available KSÖ Cyber Risk Scheme. You can find information on the KSÖ Cyber Risk Scheme at https://www.kuratorium-sicheres-oesterreich.at.
After finishing the assessment, the positively answered requirements are verified by an independent expert. This expert does not know which company is being assessed.
Is there a time limit by which an assessment must be submitted?
Yes, after the invitation, you have to complete the assessment within 14 days.
If you need more time to answer the questions, please contact the cyberrisk service team at cr@nimbusec.com.
Is it possible for more than one person to work on the assessment?
Anyone who has a user account with rights to the CyberRisk portal under the company account is able to complete the assessment.
However, only the first person to start filling out the assessment is considered the contact person for the assessment.
Do you have to complete the assessment all at once?
No. It is, however, important to prepare your answers to the requirements and to consider them carefully.
This also facilitates and speeds up the verification process. The more precisely a fulfilled requirement is described, the fewer questions the assessor will have to ask.
The requirements and questions for the assessment are published by the Kuratorium Sicheres Österreich (KSÖ) and can be downloaded/viewed there: https://kuratorium-sicheres-oesterreich.at/wp-content/uploads/2020/09/CRR-Schema-Policy-2020.pdf
Will I receive my answers including a valuation later?
Yes. After completing the assessment, you must download and keep a package consisting of the details of the assessment. The package will contain the following information:
- CyberRisk Rating Certificate + signature
- CyberRisk Rating Assessment Details (complete, including assessor answers) + signature
- CyberRisk Rating Assessment Details (without assessor answers) + signature
Who else gets the answers?
The rating itself can be purchased by all clients. Only the rating score is shown. However, a customer can request the details of the rating. You can then decide case by case whether the requested data is released or not.
Do the answers have to be provided for each client?
No. You only have to complete the assessment for the first enquiry of a customer, and at most once a year.
Are the answers saved temporarily?
You can take the time you need to answer the assessment. Click on "Save and continue" to save the answer temporarily. You can then close the browser window or log out and continue at a later time.
How is the confidentiality of my own information guaranteed?
Confidentiality is ensured by the fact that Nimbusec never passes on your details to third parties. Within the rating process, all commissioned data processors are obliged to maintain confidentiality. In contrast to common questionnaires, Nimbusec clients only receive the CyberRisk rating without further details. In the event of an external audit or a request from our client, you decide whether you wish to pass on your details to the auditor or to our client. If yes, the CyberRisk Rating provides you with a standardised, machine-readable data package that can be processed efficiently. If not, you can refer to the validated CyberRisk Rating.