How VISO TRUST Risk Scoring Works

Updated by Keith Kirkland

The Big Picture

When you evaluate a vendor, you’re really asking two questions:

  1. How much potential risk is there if something goes wrong?
  2. How much of that risk is actually reduced by the security measures the vendor can prove are in place?

VISO TRUST answers those questions by starting with the inherent risk (based on what type of data and services are in scope) and then adjusting it downward as vendors provide credible evidence of their controls. The result is the residual risk - the risk that remains after considering safeguards.

Step 1: Establish the Inherent Risk

  • We look at the most sensitive type of data a vendor will handle (e.g., PII, payment card data, health data).
  • The more sensitive the data, the higher the potential risk score starts.

Step 2: Identify What Matters for This Relationship

Not all security controls matter equally for every vendor.

  • For example, physical security may matter a lot if the vendor hosts your servers, but not if they’re a SaaS provider on a hyperscale cloud.
  • Our model automatically determines which control domains are relevant for the way you’ll use the vendor.

Step 3: Gather the Evidence

We collect and validate artifacts such as:

  • Independent audits (SOC 2, ISO 27001)
  • Security policies and procedures
  • Technical test results (e.g., penetration tests)
  • Questionnaire responses

Our AI plus human auditors classify each artifact and map it to the controls it supports.

Step 4: Weigh the Strength of the Evidence

Controls are not all equal. Each gets credit based on three factors:

  • Influence: how important that area is for the type of relationship
  • Coverage: how much of the domain the evidence addresses
  • Assurance: how strong and trustworthy the evidence is (e.g., an independent audit gets more credit than a self-attested policy)

Step 5: Calculate the Scores

  • Inherent Risk: the starting point, i.e. the potential risk before any evidence is considered.
  • Residual Risk: the end point, i.e. the inherent risk minus the credit earned by proven controls.

Both are placed on a scale (e.g., Low / Medium / High / Extreme) for easy interpretation.
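As an added illustration (not VISO TRUST's own code or published formula), the toy model below walks the five steps above in Python: the data-type scores, assurance weights, band thresholds, the best-artifact-per-domain rule and the influence-weighted credit are all assumptions constructed for the example.

```python
from collections import namedtuple

# Constructed illustrative tables; VISO TRUST's real scales and formula are not published here.
INHERENT_BY_DATA = {"public": 20, "internal": 40, "pii": 70, "pci": 85, "phi": 90}
ASSURANCE = {"self_attested": 0.4, "policy_document": 0.6, "pen_test": 0.8, "independent_audit": 1.0}
BANDS = [(25, "Low"), (50, "Medium"), (75, "High"), (float("inf"), "Extreme")]

# An artifact: control domain it was mapped to (Step 3), ASSURANCE key, coverage 0..1 of that domain.
Evidence = namedtuple("Evidence", "domain kind coverage")

def inherent_risk(data_types):
    # Step 1: the most sensitive data type in scope sets the starting score.
    return max(INHERENT_BY_DATA[d] for d in data_types)

def domain_strength(evidence):
    # Step 4: per domain keep the strongest artifact (coverage x assurance), capped at 1.
    # Taking the best artifact rather than summing them is this example's assumption.
    strength = {}
    for ev in evidence:
        s = min(1.0, ev.coverage * ASSURANCE[ev.kind])
        strength[ev.domain] = max(strength.get(ev.domain, 0.0), s)
    return strength

def residual_risk(inherent, influence, evidence):
    # Step 5: residual = inherent minus credit; credit is the influence-weighted strength of
    # proven controls. Influences are the Step 2 relevance weights (summing to at most 1), so a
    # domain with influence 0 earns no credit however good its evidence is.
    assert sum(influence.values()) <= 1.0 + 1e-9
    strength = domain_strength(evidence)
    credit_fraction = sum(w * strength.get(d, 0.0) for d, w in influence.items())
    return inherent * (1.0 - credit_fraction)

def band(score):
    # Place a score on the Low / Medium / High / Extreme scale (thresholds are constructed).
    return next(label for limit, label in BANDS if score < limit)

# Constructed scenario: a SaaS vendor on a hyperscale cloud handling PII and card data.
SAAS_INFLUENCE = {"access_control": 0.4, "data_protection": 0.4, "vuln_mgmt": 0.2, "physical": 0.0}
SAAS_EVIDENCE = [
    Evidence("access_control", "independent_audit", 0.9),   # SOC 2 report
    Evidence("data_protection", "independent_audit", 0.8),  # SOC 2 report
    Evidence("data_protection", "self_attested", 1.0),      # outscored by the audit
    Evidence("vuln_mgmt", "pen_test", 0.7),
    Evidence("physical", "independent_audit", 1.0),         # influence 0: earns nothing
]

def score_saas_vendor():
    inh = inherent_risk(["pii", "pci"])
    res = residual_risk(inh, SAAS_INFLUENCE, SAAS_EVIDENCE)
    return inh, band(inh), round(res, 2), band(res)  # (85, 'Extreme', 17.68, 'Low')
```

Note how the physical-security audit changes nothing for this SaaS relationship, and the self-attested policy is outweighed by the independent audit covering the same domain.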

What Makes the Model Different

  • Evidence-driven - risk goes down only when there’s proof, not just promises.
  • Context-aware - the same vendor may have different scores depending on the data they handle for you.
  • Transparent - every assessment shows which controls were credited and which gaps remain.
  • Customizable - thresholds and tolerances can be tuned to match your program or regulatory needs.

Why It Matters

This approach lets you:

  • Prioritize vendor reviews based on actual risk, not gut feel.
  • Have clear conversations with vendors about what’s missing.
  • Demonstrate due diligence to regulators, auditors, and boards.
  • Continuously monitor vendors as new evidence comes in.
