Skip to main content

Über uns

GeneralAllgemeine Information: Informationen

The CyberRisk Rating by KSV1870 was invented 2020.
The concept has been made by Kompetenzzentrum Sicheres Österreich in co-operation with CISOs, DPOs and managers from
critical infrastructure, government and industry to develop a standard for the assessment.
The requirements of the Cyber Risk scheme were defined by leading cyber risk managers from all sectors of critical infrastructure, as well as representatives of well-known Austrian companies - the rating is therefore suitable for every industry and every sector of the economy.
The aim is to provide a higher level of IT security throughout the EU and identify digital risks in supply chains.
The publicly and freely accessible scheme is updated and revised annually by the Cyber Risk Advisory Board in order to be able to react quickly to new requirements from practice or the executive NIS authority (BMI)
These standards form the basis of the CyberRisk Rating by KSV1870.

KSÖ Scheme:
https://cyberrisk-rating.at/cyberrisk-2023-schema-en.pdf

GDPR and EU-NIS Directive require all organisations, especially operators of essential services, to establish cyber risk management for suppliers and third parties.
The CyberRisk Rating by KSV1870 represents a standardised process to meet these requirements.
Cyber risks in global supply chains become transparent and can thus be reduced in a targeted manner.

 https://www.nis.gv.at/

The CyberRisk Rating by KSV1870 is divided into two areas:

On the one hand, a platform for cyber risk management for all suppliers worldwide for critical infrastructure & enterprise and on the other hand, an efficient assessement process for rated companies.


For critical infrastructure & enterprise


The CyberRisk Rating by KSV1870 offers you a unified system to meet the requirements of the EU-NIS Act and the GDPR
for suppliers.

 

CyberRisk Rating by KSV1870 uses three basic processes to evaluate global supplier bases:

 1. The assessment of public IT security data for all suppliers of your organisation,

 2. The validated CyberRisk Rating Assessment according to the KSÖ Cyber Risk Scheme based on direct information from suppliers, and if required:

 3. Audits of the CyberRisk Assessments by third party auditors.

 

 

The Rating process

1. WebRisk Indicator:

Once your suppliers have been listed in the CyberRisk portal, the WebRisk Indicator (C-Score) is available for all of them at short notice.
The WebRisk Indicator serves as an initial assessment of cyber risks and automatically evaluates publicly accessible IT information.

The WebRisk Indicator is a fully automated external security check, which checks an organization's applications accessible from the Internet in a non-intrusive way and, based on this, allows conclusions to be drawn about the underlying technical and organizational cyber security in this area.

The domains and IP address ranges belonging to the organization, which are part of this verification must be disclosed at the time of application and are supplemented by technically assignable applications accessible from the Internet. The WebRisk-Score is taken into account as an indicator in the validation of the B- and A-ratings and is shown separately.



You can view your ordered companies in our portal under "CyberRisk Ratings". Here you can also see the column "WebRisk".


 

Selecting the WebRisk indicator opens a window with a detailed insight into the WebRisk score.
You can see the development of the risk over the last 12 months.



On the right bottom corner you can select the button "Display WebRisk Report". 
Afterwards you can see the risk estimation between 100 and 700. 700 indicates a very high cyber risk and 100 indicates a minimal risk.



The following security deficiencies are investigated: Malware, Defacement, Reputation and TLS issues.
The exact domain, where the issue is located, is displayed. The respective issue is also explained in detail.
Cookies and forms 








2. CyberRisk Rating Assessment:

 

You can now choose which rating you would like to request for your suppliers.

The selected suppliers receive an invitation link to the assessment by e-mail. After completion, the assessment is professionally validated and a CyberRisk Rating is calculated, which also includes the C-Score.

 

3. CRR with an audit:

 

To obtain an A+ rating, you can commission audits by qualified bodies for desired suppliers. The auditor checks the completed assessment of the respective company for evidence and proof listed in the scheme.

 

 

For rated companies




Our solution provides two levels of assessment depth: First, the automated Web Risk Indicator creates a baseline for all your suppliers. You then decide which suppliers will be selected for the Rating process that leads to a full A (+) or B rating.

As soon as a CyberRisk rating is requested for your company, you will receive an e-mail with the invitation link to the assessment. Your cyber risk assessment consists of 25 yes/no questions. If you answer with “yes”, please describe your organization’s implementation of the requirement. After the assessment, your answers will be validated by an IT security professional.

 

It may happen that the validation declares one or more of your answers unclear. We will then provide feedback and ask for more details. In this case, you will receive a notification from us. You will have the opportunity to correct your answers once. Your assessment will then be validated again resulting in the final rating.

 

As a last step, you can select which CyberRisk Rating should be published for your organization – A (advanced requirements) or B (base requirements)? To make this choice easier for you, a recommendation will be displayed. After you have selected the desired rating, the process is completed. Your CyberRisk Rating will be valid for one year.