SECURITY COMPLIANCE: SIMPLIFIED

How Is the JAS Score Tallied?

Scoring

JAS uses an incremental scoring system based on a number scale from zero to one, which increases fractionally based on the answer provided during assessments. When answering within assessments, the following options are available when evaluating a given standard:

  • Control Not Met = 0 points
  • Control Somewhat Met = 0.25 points
  • Control Partially Met = 0.50 points
  • Control Mostly Met = 0.75 points
  • Control Met = 1 point

An assessment’s score is tallied based on the corresponding numerical values of the answers given, representing how closely an organization is adhering to industry security standards.

Compliance Average

When an assessment is completed, a compliance average is tallied using the scoring component.

JAS Score

The compliance average will give us a JAS score. The JAS score indicates the foundational level of applied security controls present within an organization.

Scores range from very poor to exceptional:

  • Exceptional (90-100%) – A compliance score between 90% and 100% indicates that the majority of security controls for an assessment have been met. This indicates that the security measures in place are very mature.
  • Very Good (80-90%) – A compliance score between 80% and 90% indicates that most of the security controls for an assessment have been met. This indicates that the security measures in place are mostly effective, but can be improved upon.
  • Good (70-80%) – A compliance score between 70% and 80% indicates that many of the security controls for an assessment have been met. This indicates the security measures in place are above average, but several areas should be reviewed for improvement.
  • Fair (50-70%) – A compliance score between 50% and 70% indicates that a foundational level of applied security controls is present. A closer review of the security controls should be conducted to identify areas that can be improved upon.
  • Very Poor (Less than 50%) – A compliance score of less than 50% indicates that a large number of security controls for an assessment have not been met. The security assessor should develop a plan to improve the existing security score and then repeat the assessment at a later date.