A score derived from the S2Score Assessment, a comprehensive information security assessment based on ISO and NIST. Comprised of 663 statements and covering all 4 control areas - administrative, physical, internal technical, and external technical. The score is based on a scale of 300 to 850 with 850 being perfect.
780 - 850: Excellent
An "Excellent" S2Score is a rarity and something to take pride in. It's obvious that the organization has spent significant amounts of time, money, and effort to build a best-in-class information security program. They have the proper structures in place to maintain what they have painstakingly built, and now they can focus on 1) continuous improvement and 2) finding more tangible returns for their investment.
660 - 780: Good
A "Good" S2Score means that the organization has really spent time, money, and effort building a good information security program. The foundation of their program is laid, and now they are in "maintenance mode," although they still have some major projects and tasks to accomplish. The return on each information security dollar starts to diminish for organizations with a "Good" S2Score, so it's very important to spend each information security dollar wisely.
600 - 660: Fair
A "Fair" estimated S2Score means that the organization has done some really good things with respect to their organization's information security; however, significant gaps/risks still exist. Some of the foundational components of the program are in place, and it's time for the program to mature into a more formal business initiative. This is the point in the program where information security expenditures need to start providing real and tangible results.
500 - 600: Poor
A "Poor" estimated S2Score means that the organization has significant areas of improvement for information security in their organization. Their information security program is not mature enough for sustained improvement, and a significant compromise is possible in the short term. Whether or not their organization would notice the threat, attack, and eventual compromise is not well known.
300 - 500: Very Poor
A "Very Poor" estimated S2Score usually means that the organization hasn’t taken the necessary basic steps to protect their organization from a variety of threats. The information security program lacks formality, and a significant compromise is likely in the short term. To make matters worse, depending upon the type of threat, the compromise may go unnoticed for an extended period of time.