Rating Methodology

Learn how Finnovia assesses and rates your organization's cybersecurity posture.

Overview

Finnovia assesses organizations against three European cybersecurity frameworks: ISO 27001, NIS2, and DORA. Each assessment is based on a structured questionnaire organized by domains, where answers are converted into weighted scores to produce an overall FR-Rating.

Our methodology is designed to be transparent, reproducible, and aligned with European regulatory requirements. Domain weights reflect each framework's regulatory priorities.

DORA

38 questions · 7 domains

ISO 27001

56 questions · 10 domains

NIS2

37 questions · 7 domains

Maturity Scale

Each question is assessed on a 5-level maturity scale, from 0 (no measures in place) to 4 (optimized process with continuous improvement).

Level | Maturity  | Description                                                     | Score
0     | None      | No measures in place or undocumented practice.                  | 0%
1     | Initial   | Ad hoc practices, not formalized or repeatable.                 | 25%
2     | Defined   | Documented process applied consistently.                        | 50%
3     | Managed   | Process measured, controlled, and regularly audited.            | 75%
4     | Optimized | Continuous improvement, benchmarking, and proactive adaptation. | 100%

Questions marked "Not Applicable" are excluded from the calculation and do not penalize the score.

Scoring Process

Step 1 — Domain Score

For each domain, the score is the average of the answers provided, converted to a percentage; "Not Applicable" answers are excluded from both the sum and the count. A domain where every question scores level 3 (Managed) therefore has a 75% score.

Step 2 — Weighted Overall Score

The overall score is calculated as the weighted sum of each domain score. Each domain contributes proportionally to its weight, which reflects its importance within the framework.

Step 3 — FR-Rating Assignment

The overall score is converted to an FR-Rating using a fixed 7-level scale, from FR-Caa (score below 25%) to FR-Aaa (score of 95% or above).
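The three steps as runnable Python, added here as an illustration and not Finnovia's own scoring code. It uses the DORA domain weights and the thresholds from the FR-Rating Scale section below; the handling of a domain whose answers are all "Not Applicable" (the domain is dropped and the remaining weights renormalized) is an assumption, since the page does not specify it.

```python
# Maturity level -> score, as in the Maturity Scale table (0%, 25%, ... 100%)
LEVEL_SCORE = {0: 0.0, 1: 0.25, 2: 0.5, 3: 0.75, 4: 1.0}
NA = None  # a "Not Applicable" answer, excluded from every calculation

# DORA domain weights, copied from the Domain Weights section (sum to 100)
DORA_WEIGHTS = {
    "ICT Risk Management Framework": 20, "ICT Incident Management & Reporting": 20,
    "Digital Operational Resilience Testing": 17, "ICT Third-Party Risk Management": 18,
    "Cyber Threat Intelligence & Sharing": 10, "Governance & Accountability": 10,
    "Data Protection & Recovery": 5,
}
# FR-Rating thresholds from the FR-Rating Scale section (inclusive lower bound)
RATING_SCALE = [(90, "FR-Aaa"), (80, "FR-Aa"), (70, "FR-A"), (60, "FR-Baa"),
                (50, "FR-Ba"), (40, "FR-B"), (20, "FR-Caa"), (0, "FR-Ca")]

def domain_score(answers):
    """Step 1: mean of the answered questions as a percentage; None if all are N/A."""
    levels = [a for a in answers if a is not NA]
    if not levels:
        return None
    return 100.0 * sum(LEVEL_SCORE[lvl] for lvl in levels) / len(levels)

def overall_score(domain_answers, weights):
    """Step 2: weighted sum of domain scores. Assumption (the page does not say):
    an all-N/A domain is dropped and the remaining weights are renormalized."""
    scored = {d: domain_score(a) for d, a in domain_answers.items()}
    scored = {d: s for d, s in scored.items() if s is not None}
    total_weight = sum(weights[d] for d in scored)
    return sum(s * weights[d] for d, s in scored.items()) / total_weight

def fr_rating(score):
    """Step 3: map the overall score to an FR-Rating using the fixed scale."""
    for floor, rating in RATING_SCALE:
        if score >= floor:
            return rating

# Constructed sample answers (one maturity level per question), not real data
SAMPLE_DORA = {
    "ICT Risk Management Framework": [3, 3, 4, 2, 3],
    "ICT Incident Management & Reporting": [2, 3, 3, NA, 2],  # N/A dropped
    "Digital Operational Resilience Testing": [1, 2, 2, 1],
    "ICT Third-Party Risk Management": [3, 3, 2, 3, 4, 3],
    "Cyber Threat Intelligence & Sharing": [2, 1, 2],
    "Governance & Accountability": [4, 3, 3, 4],
    "Data Protection & Recovery": [NA, NA, NA],  # whole domain dropped
}

def sample_rating():
    score = overall_score(SAMPLE_DORA, DORA_WEIGHTS)
    return round(score, 2), fr_rating(score)  # (63.46, "FR-Baa")
```

Because the all-N/A domain is dropped, the sample is weighted over 95 points rather than 100; any other convention (for instance counting the domain as 0%) would change the result, which is why it is worth confirming with the analyst.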

FR-Rating Scale

The FR-Rating translates the overall score into a comparable grade, inspired by financial credit ratings. It provides an immediate reading of compliance maturity.

FR-Aaa | Excellence   | ≥ 90%
FR-Aa  | Very High    | ≥ 80%
FR-A   | High         | ≥ 70%
FR-Baa | Satisfactory | ≥ 60%
FR-Ba  | Moderate     | ≥ 50%
FR-B   | Low          | ≥ 40%
FR-Caa | Insufficient | ≥ 20%
FR-Ca  | Critical     | < 20%

Domain Weights by Framework

Each framework assigns different weights to its domains, reflecting regulatory priorities. Higher-weighted domains have a greater impact on the final rating.

DORA

38 questions · 7 domains

ICT Risk Management Framework          | 20%
ICT Incident Management & Reporting    | 20%
Digital Operational Resilience Testing | 17%
ICT Third-Party Risk Management        | 18%
Cyber Threat Intelligence & Sharing    | 10%
Governance & Accountability            | 10%
Data Protection & Recovery             | 5%

ISO 27001

56 questions · 10 domains

Governance & Leadership           | 15%
Risk Management                   | 15%
Access Control & Identity         | 13%
Incident Management               | 12%
Supplier & Third-Party Risk       | 10%
Business Continuity               | 10%
Asset Management & Classification | 8%
Cryptography & Data Protection    | 8%
Physical & Environmental Security | 5%
Vulnerability & Patch Management  | 4%

NIS2

37 questions · 7 domains

Governance & Board Accountability       | 18%
Incident Reporting                      | 18%
Technical Security Measures             | 25%
Supply Chain Security                   | 12%
Risk Management & Resilience            | 12%
Access Control & Authentication         | 8%
Business Continuity & Crisis Management | 7%

Our Commitments

Finnovia's methodology is built on transparency and rigor:

  • Public weights — domain weights are openly communicated.
  • Deterministic scoring — identical answers always produce identical scores. No subjective factors.
  • Regulatory alignment — questionnaires exhaustively cover each framework's requirements.
  • Independent verification — submitted assessments can be verified by a Finnovia analyst before publication.