CyberGRX is a SaaS platform whose mission is to help customers and the third parties with whom they do business solve the challenge of risk management. It is built on NIST-based assessments, mapped to the ISO 27001 framework and can be mapped to most other frameworks as well.

Onboarding vendors is simple with a search feature for checking if companies are already in the system, as well as for any previously conducted assessments. Several vendors can easily be onboarded at once with bulk import functionality.

Assessments have three tiers: Tier 1 provides the strongest level of due diligence while Tier 3 is the shortest-self assessment. Their offerings range from automated validation all the way up to onsite validation. If no tier is present, that means a community member has never performed an assessment on that company.

You can easily order an assessment at the appropriate tier level based on inherent risk. You can also submit special requests to the vendor. A lot of behind-the-scenes automation takes place once an order is submitted. Assessments are built with a great deal of logic, and the skip-level feature simplifies completion by jumping sections that are not applicable based on provided answers.

Business exposure is scored as low, medium or high risk and is determined by standardized questions that are not customizable. Users receive a report on the back end to show which controls matter most for remediation. Everyone’s progress is trackable.

The Portfolio Overview shows company statistics accompanied by a colorful bubble graphic that visualizes the likelihood of a cyber event. Circle sizes directly correlate to the likelihood of risk. The assessment is based on the user’s industry, current threat intelligence and a security ratings tool. Also shown are outliers with higher likelihoods of being attacked and their impacts.

CyberGRX built a table that outlines different controls and scores them on maturity (on a scale up to five) and effectiveness (on a scale up to 100). Comments are invited on the scores for enhanced collaboration. The Top Risks Chart ranks risks from low to high, prioritizing remediation with top suggestions for moving a company toward an acceptable posture. A variety of metrics can be added for company comparisons.

It appears the CyberGRX team is attempting to shift the industry away from an aggressive assessment approach to one more focused on collaboration. Basic, no-cost support is offered through 8/5 phone support. Overall, we found this to be an intuitive, simplified platform.

Tested by Matthew Hreben