Assessments: How NexCyber computes your readiness score, why we never round up, and how to interpret the number in front of an auditor or a board.
Scoring methodology: what the percentage means
The number at the top of your assessment results is the single most-asked-about element of NexCyber. This article makes the methodology fully transparent: what's in the score, what's not, and how to defend it under questioning.
The headline score in one sentence
Your headline score is the share of applicable obligations you cover today, weighted by regulatory criticality.
How it's built
- Applicable obligations only: obligations marked "Not applicable" never count against you. They are removed from the calculation entirely (not scored as covered, and not left in the denominator), so the denominator is your real perimeter, not a generic checklist.
- Status weighting: Covered = 1.0, Partial = 0.5, Gap = 0.0. There is no implicit credit for "we're working on it".
- Criticality weighting: each obligation carries a criticality weight from 1 to 5 based on its position in the regulation (an Annex I requirement weighs more than a definitional clause).
- Sum and normalise: score = Σ(status × criticality) / Σ(criticality) × 100, taken over applicable obligations only. The denominator is the maximum possible total, i.e. every applicable obligation at Covered (1.0 × its criticality).
The result is a percentage between 0 and 100, displayed as an integer.
Why we never round up
The displayed integer is truncated, never rounded to the nearest whole number or up to a friendlier figure: if your real score is 78.4%, we display 78%, not 80%. Auditors notice rounding. Buyers notice rounding. Your future self running an audit defence notices rounding. We'd rather you see the harder number now.
What's NOT in the score
Several things are deliberately excluded:
- Planned actions: actions you've scheduled but not completed don't count. A roadmap is not coverage.
- Self-attestations without evidence: answering "yes" to an obligation without uploading evidence does not by itself earn Covered status. On the Free and Starter plans a declaration alone is trusted (single-tenant trust) and counts as Covered; from the Launch plan onwards a declaration without evidence is held at Partial, and the obligation moves to Covered only once the evidence is uploaded.
- Sub-thresholds: partial coverage of an obligation is recorded as Partial (50%), not promoted to Covered. We don't grade on a curve.
- External certifications you cite but haven't proven: claiming ISO 27001 without uploading the certificate does not credit your score.
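The rules above (applicability filter, status and criticality weights, the evidence rule, and truncation instead of rounding) as a worked example in Python. This is an added illustration written for this article, not NexCyber's own scoring code. The obligation references, the plan name treated as evidence-requiring ("Launch"), and the criticality threshold of 4 used for the red-flag helper are assumptions for the example; the arithmetic is done with exact fractions so that a true 50.0% can never be truncated to 49 by floating-point error.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Iterable, List, Tuple

# Status weights exactly as the methodology defines them. Fractions keep the
# arithmetic exact, so truncation never turns a true 50.0 into 49.
STATUS_WEIGHT = {
    "Covered": Fraction(1),
    "Partial": Fraction(1, 2),
    "Gap": Fraction(0),
}
NOT_APPLICABLE = "Not applicable"

# Assumption for this example: plans on which a Covered declaration needs
# uploaded evidence. Free and Starter trust the declaration (single-tenant trust).
EVIDENCE_REQUIRED_PLANS = {"Launch"}


@dataclass(frozen=True)
class Obligation:
    ref: str                 # constructed identifier, e.g. "OB-1"
    criticality: int         # 1 (definitional clause) .. 5 (Annex-level requirement)
    status: str              # "Covered", "Partial", "Gap" or "Not applicable"
    evidence: bool = False   # True when an evidence file is attached


def effective_status(ob: Obligation, plan: str) -> str:
    """Evidence rule: on plans that require evidence, a Covered declaration
    with nothing uploaded is held at Partial."""
    if ob.status == "Covered" and not ob.evidence and plan in EVIDENCE_REQUIRED_PLANS:
        return "Partial"
    return ob.status


def readiness_score(obligations: Iterable[Obligation], plan: str = "Free") -> Tuple[int, Fraction]:
    """Return (displayed integer, exact percentage).

    displayed = floor( sum(status x criticality) / sum(criticality) x 100 )
    Not-applicable obligations are skipped entirely, so they shrink the
    denominator instead of counting as gaps. Planned-but-unfinished actions
    carry no weight at all: only the recorded status counts.
    """
    numerator = Fraction(0)
    denominator = Fraction(0)
    for ob in obligations:
        if ob.status == NOT_APPLICABLE:
            continue
        if not 1 <= ob.criticality <= 5:
            raise ValueError(f"{ob.ref}: criticality must be 1..5, got {ob.criticality}")
        weight = STATUS_WEIGHT[effective_status(ob, plan)]  # KeyError on an unknown status
        numerator += weight * ob.criticality
        denominator += STATUS_WEIGHT["Covered"] * ob.criticality  # max possible per obligation
    if denominator == 0:
        raise ValueError("no applicable obligations: the score is undefined")
    exact = numerator / denominator * 100
    # Truncate, never round: 61.76 is displayed as 61, not 62.
    return exact.numerator // exact.denominator, exact


def high_criticality_gaps(obligations: Iterable[Obligation], plan: str = "Free",
                          min_criticality: int = 4) -> List[str]:
    """Refs of Gap obligations at or above a criticality threshold.
    The default threshold of 4 is this example's assumption, not a NexCyber setting."""
    return [ob.ref for ob in obligations
            if ob.status != NOT_APPLICABLE
            and effective_status(ob, plan) == "Gap"
            and ob.criticality >= min_criticality]


# Constructed sample assessment (not real NexCyber data).
SAMPLE = [
    Obligation("OB-1", 5, "Covered", evidence=True),
    Obligation("OB-2", 4, "Covered", evidence=False),  # declared, nothing uploaded
    Obligation("OB-3", 3, "Partial"),
    Obligation("OB-4", 4, "Gap"),                      # high-criticality gap: a red flag
    Obligation("OB-5", 1, "Gap"),
    Obligation("OB-6", 5, NOT_APPLICABLE),             # excluded from the denominator
]

if __name__ == "__main__":
    for plan in ("Free", "Launch"):
        shown, exact = readiness_score(SAMPLE, plan)
        print(f"{plan:7s} displayed={shown}% exact={float(exact):.2f}%")
    print("red flags:", high_criticality_gaps(SAMPLE))
```

On the Free plan the sample scores 1050/17 = 61.76%, displayed as 61% (rounding would have shown 62%). On Launch the undocumented OB-2 drops to Partial and the same assessment scores exactly 50%: that single evidence upload is worth more than ten points, which is why the evidence rule matters more than it looks.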
How to interpret a specific number
| Score | Reading |
|---|---|
| 0-40% | Substantial gaps. Prioritise the top 3 actions in the Workspace. |
| 41-70% | Partial readiness. Address gaps in priority order. |
| 71-85% | Solid baseline. Focus on Partial → Covered transitions for the next audit-like conversation. |
| 86-100% | Strong posture. Maintain through quarterly re-assessment. |
Defending your score under questioning
A common question: "Why isn't this 100%?"
The honest answer is that 100% coverage is rare and often suspicious. A 100% Covered status across 30+ obligations means one of three things: the assessment is too shallow, the evidence isn't being scrutinised, or the obligations being measured are too generic. A score in the 80s with clearly identified residual gaps reads as mature to an auditor. Trying to display 100% reads as immature, or worse, as overclaiming.
What auditors typically focus on
Audit questions tend to land on:
- Obligations marked Not applicable: they'll want the legal reasoning. NexCyber surfaces it (the article and threshold that excluded you).
- Partial-status obligations: they'll want to see your closure plan. NexCyber's Workspace section gives you one.
- High-criticality Gap obligations: these are red flags. Address them before the audit.
Score history
Every re-run is dated. Your score history chart over the last 12 months gives auditors the trajectory: are you improving, plateauing, or sliding? A clear upward trajectory is one of the strongest signals an auditor can see.
→ See "Reading your assessment results"
→ See "Common mistakes to avoid in your first assessment"
Need help?
- Reach out via our live chat (bottom-right): Captain AI replies instantly, human experts within business hours.
- Email support@nexcyber.eu with [P1] for Command/Strategic priority issues.
Disclaimer: RICE provides a readiness analysis, not legal advice. Final compliance may require legal review or notified body certification.
Last reviewed: 2026-06-02 · NexCyber Help Center