What is a compliance score?
Your compliance score shows how well your organisation meets a client’s security requirements on Risk Ledger. It’s calculated by comparing your assessment responses against the specific controls your client requires, and is displayed as a percentage.
You’re only scored on controls that are required by your client’s policies and relevant to your organisation.
This helps ensure your score reflects the requirements that matter to each client, rather than every possible control in the framework.
How is compliance calculated?
Your compliance score is determined by the policies and tags that each client applies to your security profile.
Clients categorise suppliers using criteria such as:
Criticality – how essential your service is
Confidentiality – the sensitivity of the data you handle
Personally Identifiable Information (PII) – whether you store or process personal data
These tags determine which policies and controls apply to you.
How scoring works
Your score is calculated by comparing your assessment responses against the specific controls your client requires in their policies.
Only controls that are:
required by a client policy, and
relevant to your organisation
are included in the calculation.
What is not scored
A control will be marked Not scored and excluded from your compliance score when:
the client has not attached a policy rule to that control
your answers make an entire domain out of scope (for example, you do not develop software)
a parent scoping question makes related child controls not applicable
Not scored controls do not count positively or negatively towards your percentage.
This ensures you are only assessed on requirements that are relevant to your business.
Additional scoring behaviour
If a policy requirement exists, incomplete answers are still scored
If a client requires evidence and no evidence is provided, the control will be marked non-compliant
Clients may apply exemptions or overrides where appropriate
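The rules above are easier to reason about as a worked calculation, in particular the difference between a control that is Not scored (dropped from both the numerator and the denominator) and one that is non-compliant (kept in the denominator). The following Python is an added illustrative model of those rules, not Risk Ledger's own code; the control IDs, domain names, the scoping question and the sample profile are constructed for the example, and it assumes that an unanswered required control counts as non-compliant ("still scored") and that a client override fixes a control's result directly.

```python
"""Illustrative model of the compliance-score rules described on this page.

Assumption: this is NOT Risk Ledger's implementation. Control IDs, domain
names, the scoping question and the sample profile are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

NOT_SCORED = "not_scored"      # excluded from numerator and denominator alike
COMPLIANT = "compliant"
NON_COMPLIANT = "non_compliant"


@dataclass
class Control:
    id: str
    domain: str
    answer: Optional[str]              # "yes", "no", or None if not answered yet
    required_by_policy: bool           # client attached a policy rule to it
    evidence_required: bool = False    # client policy asks for evidence
    evidence_provided: bool = False
    scoped_by: Optional[str] = None    # name of a parent scoping question, if any


@dataclass
class Profile:
    controls: list[Control]
    out_of_scope_domains: set[str] = field(default_factory=set)
    scoping_answers: dict[str, bool] = field(default_factory=dict)
    exemptions: set[str] = field(default_factory=set)        # control IDs the client exempted
    overrides: dict[str, str] = field(default_factory=dict)  # control ID -> client-set status


def score_control(ctl: Control, profile: Profile) -> str:
    """Apply the page's rules in order: scope exclusions first, then results."""
    # Not scored: no policy rule, domain out of scope, parent scoping question
    # answered "no", or a client exemption. None of these move the percentage.
    if not ctl.required_by_policy:
        return NOT_SCORED
    if ctl.domain in profile.out_of_scope_domains:
        return NOT_SCORED
    if ctl.scoped_by is not None and not profile.scoping_answers.get(ctl.scoped_by, True):
        return NOT_SCORED
    if ctl.id in profile.exemptions:
        return NOT_SCORED
    # Assumption: an override is the client fixing the result directly.
    if ctl.id in profile.overrides:
        return profile.overrides[ctl.id]
    # A requirement exists, so an unanswered (None) or "no" answer is scored
    # as non-compliant rather than skipped (assumed reading of "still scored").
    if ctl.answer != "yes":
        return NON_COMPLIANT
    # Evidence required but not provided also fails the control.
    if ctl.evidence_required and not ctl.evidence_provided:
        return NON_COMPLIANT
    return COMPLIANT


def score_all(profile: Profile) -> dict[str, str]:
    return {c.id: score_control(c, profile) for c in profile.controls}


def compliance_score(profile: Profile) -> float:
    """Percentage of scored controls that are compliant, to one decimal place."""
    statuses = [s for s in score_all(profile).values() if s != NOT_SCORED]
    if not statuses:
        return 100.0  # assumption: nothing required means nothing has failed
    compliant = sum(1 for s in statuses if s == COMPLIANT)
    return round(100.0 * compliant / len(statuses), 1)


def non_compliant_by_domain(profile: Profile) -> dict[str, list[str]]:
    """The drill-down the Compliance overview offers: failing controls per domain."""
    statuses = score_all(profile)
    out: dict[str, list[str]] = {}
    for c in profile.controls:
        if statuses[c.id] == NON_COMPLIANT:
            out.setdefault(c.domain, []).append(c.id)
    return out


# Constructed sample profile (not real Risk Ledger data).
SAMPLE = Profile(
    controls=[
        Control("SD-1", "Software Development", "no", True),                    # domain out of scope
        Control("AC-1", "Access Control", "yes", True),                          # compliant
        Control("AC-2", "Access Control", "yes", True, evidence_required=True),  # evidence missing
        Control("AC-3", "Access Control", None, True),                           # unanswered but required
        Control("BC-1", "Business Continuity", "no", False),                     # no policy rule
        Control("TP-1", "Third Parties", None, True, scoped_by="uses_subprocessors"),
        Control("PH-1", "Physical Security", "no", True),                        # exempted by client
        Control("NS-1", "Network Security", "no", True),                         # overridden by client
    ],
    out_of_scope_domains={"Software Development"},
    scoping_answers={"uses_subprocessors": False},
    exemptions={"PH-1"},
    overrides={"NS-1": COMPLIANT},
)

if __name__ == "__main__":
    for cid, status in score_all(SAMPLE).items():
        print(f"{cid}: {status}")
    print("Compliance score:", compliance_score(SAMPLE), "%")
    print("Non-compliant by domain:", non_compliant_by_domain(SAMPLE))
```

In the sample, only four of the eight controls are scored (AC-1, AC-2, AC-3 and NS-1); the out-of-scope, unscoped, exempted and no-policy controls vanish from the denominator, so two compliant results out of four give 50%. Note that AC-3 drags the score down purely by being unanswered, which is why an incomplete profile can look non-compliant before any answer is actually wrong.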
Where can I find it?
Compliance scores are generated against specific clients:
Navigate to Clients
Click into any client to open their Overview page
Here you will see a Compliance overview:
If your compliance score is below 100%, click into the associated sections to see exactly which domains and risk controls are non-compliant.
If your score shows 100%, your security profile meets all the controls required by the policy your client has assigned to you, and the client can approve your profile.
💡 Keep an eye on the Action Centre and your email notifications. Clients may contact you with follow-up questions or remediation requests.
View a specific control
Click into any control to:
review your response
see your client’s requirement
view supporting evidence
track updates over time
Review non-compliant controls
If a control is marked non-compliant, your client may:
start a discussion with you
request remediation
or apply an exemption if the control is not applicable
If remediation is requested, you can update your response and upload evidence where required.
You can also proactively improve your responses by referring to our Knowledge Base for implementation guidance.
💡 If there is anything we haven't covered, please feel free to contact us at support@riskledger.com or alternatively, select the Chat icon in the bottom right corner.


