Last Updated: May 25, 2026
How Scoring Works
The Framework
BESTcyberIQ assessments are based on the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), published by the National Institute of Standards and Technology. NIST CSF 2.0 organizes cybersecurity activities into six core Functions:
- Govern (GV) — Establish cybersecurity strategy, policies, and accountability
- Identify (ID) — Understand your assets, risks, and environment
- Protect (PR) — Implement safeguards to reduce cybersecurity risk
- Detect (DE) — Identify cybersecurity events when they occur
- Respond (RS) — Take action when an incident is detected
- Recover (RC) — Restore capabilities after an incident
Each Function is divided into Categories and Subcategories representing specific cybersecurity outcomes.
The Assessment
BESTcyberIQ's assessment consists of questions covering all six NIST CSF 2.0 Functions. Questions are written in plain English to be accessible to non-technical owners and operators — you do not need to be a security professional to complete an assessment.
Each question asks you to describe your current state: whether a control or practice is not in place, partially in place, or fully implemented. Your answers drive your maturity scores.
Maturity Scores
Scores are reported on a 1.0 – 5.0 scale per Function and as an overall weighted average:
- 1.0 – 1.9 Initial / Ad Hoc — Limited or no formal controls in place
- 2.0 – 2.9 Developing — Some controls exist but are inconsistently applied
- 3.0 – 3.9 Defined — Controls are documented and consistently followed
- 4.0 – 4.9 Managed — Controls are measured and actively monitored
- 5.0 Optimizing — Continuous improvement is embedded in operations
Scores reflect your self-reported responses. They are not independently verified or audited.
Recommendations
Based on your assessment responses, BESTcyberIQ generates prioritized recommendations across all six NIST CSF 2.0 Functions. Recommendations are ranked to surface the highest-impact improvements for your specific gap profile.
Pro, Team, and Enterprise subscribers receive all recommendations. Free and Report tier users receive a curated subset of the highest-priority items.
What scores represent — and don't
Your BESTcyberIQ score is a self-assessment tool. It is designed to help you:
- Understand where your organization stands relative to the NIST CSF 2.0 framework
- Identify the most important gaps to address
- Track improvement over time as controls are implemented
- Communicate your security posture to executives, boards, or stakeholders
It is not a compliance certification, a penetration test finding, an audit result, or a guarantee of security. Scores should be reviewed by qualified staff or advisors before being used for regulatory, insurance, or contractual purposes.
Updating your assessment
We recommend re-running your assessment after implementing significant controls, or at least annually, to track your improvement over time.
Questions about the methodology? Email william@bestcyberiq.com.
