How Resiliscore works

How your report is created

Resiliscore uses a structured assessment to show where your business is most exposed, how a breach could happen, what it could cost, and what to fix first.

What Resiliscore looks at
  • Weak points — where your business is most exposed to avoidable disruption.
  • Consistency — whether key protections happen reliably, not just occasionally.
  • Proof — whether you could show a client, insurer, or partner that the basics are in place.
How to answer
  • Answer based on what is true today.
  • If something is only partly in place, score it lower.
  • If different teams do things differently, answer for the overall business.
  • Think: could we prove this quickly if someone asked?
Areas covered

The business risk areas Resiliscore reviews

Resiliscore focuses on the areas that most often create disruption for small and medium-sized businesses — access, recovery, daily security routines, suppliers, and response.

  • Governance: Governance & Leadership
  • Risk: Risk & Compliance
  • Assets: Asset & Data Management
  • Identity: Identity & Access Management
  • Operations: Secure Operations
  • Exposure: Threat & Vulnerability Management
  • Response: Incident Detection & Response
  • Recovery: Resilience & Recovery
  • Suppliers: Third-Party & Supply Chain
How the report is built

What happens after you complete the assessment

Your answers are used to turn technical risk into a simple business report that is easier to act on.

How results are created
  • Each answer contributes to a score across key business risk areas.
  • We first identify the weakest areas, the ones most likely to cause disruption.
  • Those weaker areas are translated into likely breach routes and practical priorities.
  • The final report focuses on risk, impact, and what to do next.
What you receive
  • Business risk summary — your main weaknesses in plain English.
  • Likely breach routes — how a problem is most likely to happen.
  • Estimated impact range — what disruption could cost your business.
  • Top 5 actions — what to fix in the next 90 days.
  • Benchmark and checklist — how you compare and what you can show others.
The goal is not to create a technical audit. The goal is to give a business owner a report they can understand quickly and use immediately.
Evidence examples

What useful evidence usually looks like

You do not need perfect documentation. You need clear ownership and simple proof that the basics are actually happening.

Access & accounts
  • MFA enabled on email and key systems
  • Leaver access removed quickly
  • Admin accounts reviewed
  • Strong password or sign-in controls in place
Backups & recovery
  • Backups running successfully
  • Restore test completed
  • Critical systems identified
  • Simple recovery steps written down
Day-to-day security
  • Devices updated regularly
  • Known issues tracked and fixed
  • Suspicious emails reported
  • Key supplier access reviewed
Ownership & proof
  • Named owner for cyber risk
  • Simple risk list
  • Leadership review notes
  • Incident or lessons-learned log
Good evidence reduces the risk of saying “we think we do this” when a client, insurer, or incident later proves otherwise.
Frameworks in the background

Why frameworks still matter

Resiliscore uses recognised frameworks in the background to keep the assessment structured and credible, but the customer-facing report is designed to stay simple and business-focused.

  • NIST CSF: Helps structure cyber outcomes such as identifying weaknesses, protecting systems, responding to incidents, and recovering from disruption.
  • ISO / IEC 27001 themes: Provides recognised control themes across access, operations, suppliers, incident handling, and governance.
  • Practical business assurance: Supports clearer conversations with clients, insurers, procurement teams, and partners without making the main report feel compliance-heavy.
Resiliscore is not a certification. Frameworks help structure the assessment in the background, but the report is designed first and foremost as a practical business risk tool.
Limits

What this does not replace

  • It is an indicative business risk report based on your responses.
  • It does not replace a penetration test, forensic investigation, or formal external audit.
  • It is designed to help you prioritise action, not create paperwork for its own sake.
  • The biggest improvements usually come from fixing the weakest few areas first and reviewing progress regularly.