HOW SCORES ARE CALCULATED

THE MATHS BEHIND THE NUMBERS

Every percentage you see in Zothommog is derived from your actual data. There are no padded metrics and no hidden boosts. This page explains exactly how each score is calculated so you can trust — and explain — what you're seeing.

Alignment with CIS Controls v8.1

Direct from CIS v8.1
Canonical data — not modified or interpreted by Zothommog

18 Controls: The official groupings (Inventory of Assets, Data Protection, Secure Configuration…). Numbers and titles are unchanged from the published framework.
153 Safeguards: Every safeguard from v8.1 — numbers, titles, descriptions, and IG assignments exactly as published by the Center for Internet Security.
IG assignments: IG1 = 56 safeguards (essential hygiene, all orgs) · IG2 = 130 cumulative (adds 74) · IG3 = 153 cumulative (adds 23). These boundaries come directly from CIS — Zothommog only filters by them.
708 Assessment Measures: CIS v8.1 defines specific implementation evidence criteria for each safeguard (1–12 per safeguard). Sourced directly from the CIS Controls Assessment Specification (CSAT) published on CIS WorkBench (WB #5601) and the source Markdown files on CIS Bitbucket. Copies are retained in zothommogapp/docs/.
NIS2 mapping source: CIS Controls v8.1 Mapping to NIS2 Directive (February 2025), published by CIS on WorkBench (WB #5901).
DORA mapping source: CIS Controls v8.1 Mapping to DORA (January 2025), published by CIS on WorkBench.
ISO 27001 mapping source: CIS Controls v8.1 Mapping to ISO/IEC 27001:2022 (June 2024), published by CIS on WorkBench.
Our implementation choices
Reasonable interpretations — not prescribed by CIS

Compliance percentage: The formula counts statuses — not M-value completions. CIS does not prescribe a rollup formula, so this is a straightforward count: implemented and monitored safeguards divided by everything in scope.
Status labels: The six statuses map to CIS CSAT maturity levels: Planned → Policy, In Progress → Procedure, Implemented → Implemented, Monitored → Automated / Reported. Only the top two levels count toward the score — consistent with how CIS defines a safeguard as "done." The status is set by the practitioner; the M values on each safeguard's detail page serve as a self-assessment guide to help make that call.
Mapping strength ratings: The CIS mapping documents identify which safeguards address each requirement, but do not assign numeric weights. The Strong / Moderate / Weak ratings used for scoring are Zothommog's own editorial judgement applied on top of those published mappings.

Zothommog is not affiliated with, endorsed by, or certified by the Center for Internet Security (CIS). CIS Controls® is a registered trademark of CIS. The framework data used in Zothommog is sourced from CIS's publicly available publications and is used for tracking and educational purposes. For official CIS assessment tools and certification programmes, visit cisecurity.org.

CIS Controls score

score = (implemented + monitored) ÷ (total_in_scope − excluded) × 100

Implemented: Counts as done. The safeguard is fully in place.
Monitored: Also counts as done — implemented and actively measured.
In Progress: Does not count. Visible in the breakdown but not in the headline score.
Excluded: Removed from both numerator and denominator — it doesn't help or hurt. Use it for safeguards that genuinely don't apply (e.g. no servers, no cloud).

Example. You're tracking IG1 (56 safeguards). 10 are implemented, 4 are monitored, 2 are excluded, the rest are in progress or not started:

(10 + 4) ÷ (56 − 2) × 100 = 25.9%
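The same calculation run over a safeguard list rather than pre-counted totals, as an added example that is not Zothommog's own code: it applies the cumulative IG filter (an IG2 view includes every IG1 safeguard) and drops Excluded safeguards from both sides of the division. The field names `id`, `ig` and `status` and the zero-denominator handling are assumptions.

```python
# Added example (not Zothommog's code): CIS Controls score over a safeguard list.
from collections import Counter

DONE = {"Implemented", "Monitored"}


def cis_score(safeguards, ig):
    """Return (score_percent, status_counts) for the selected Implementation Group.

    safeguards: list of dicts {"id": str, "ig": 1|2|3, "status": str}, where "ig"
    is the lowest IG that includes the safeguard (assumed field names).
    A safeguard is in scope when its IG <= the selected IG (IG2 = IG1 + IG2).
    Excluded safeguards leave both the numerator and the denominator.
    """
    in_scope = [s for s in safeguards if s["ig"] <= ig]
    counts = Counter(s["status"] for s in in_scope)
    denominator = len(in_scope) - counts["Excluded"]
    if denominator == 0:
        # Nothing scoreable in scope: report 0 instead of dividing by zero (assumption).
        return 0.0, counts
    numerator = sum(counts[status] for status in DONE)
    return round(numerator / denominator * 100, 1), counts


def sample_ig1():
    """Constructed sample matching the page's IG1 example: 56 IG1 safeguards with
    10 Implemented, 4 Monitored, 2 Excluded, the rest In Progress or Not Started,
    plus three IG2-only safeguards that must not affect the IG1 score."""
    statuses = (["Implemented"] * 10 + ["Monitored"] * 4 + ["Excluded"] * 2
                + ["In Progress"] * 20 + ["Not Started"] * 20)
    sgs = [{"id": f"sg-{i}", "ig": 1, "status": st} for i, st in enumerate(statuses)]
    sgs += [{"id": f"sg2-{i}", "ig": 2, "status": "Implemented"} for i in range(3)]
    return sgs


if __name__ == "__main__":
    for ig in (1, 2):
        score, counts = cis_score(sample_ig1(), ig)
        print(f"IG{ig} score: {score}%  statuses: {dict(counts)}")
```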

Global Variables score

category score = completed ÷ total_in_category × 100
overall score  = total_completed ÷ total_variables × 100

Variables are grouped into four priority categories. Each shows its own completion percentage. Only Completed variables count — In Progress and Skipped do not.

Category    What it contains                                              Counts toward score?
Critical    Core org facts — staff count, key assets, primary contacts    Completed only
Important   Security tooling, network facts, authentication details       Completed only
Standard    Policies, procedures, training and compliance dates           Completed only
Optional    Nice-to-have context that improves report quality             Completed only

Why is In Progress excluded? A variable only generates reliable report data once it's confirmed complete. Marking something in progress means the value may still change — counting it would give you a false sense of readiness.

Framework compliance scores (NIS2, DORA, ISO 27001)

requirement score = Σ(status_weight × mapping_strength) ÷ Σ(mapping_strength) × 100
overall score     = average of all requirement scores

Each framework's requirements (NIS2 articles, DORA chapters, ISO 27001 controls) map to specific CIS safeguards. Not all mappings are equally direct — a safeguard may strongly address a requirement or only weakly support it. Both the status of each safeguard and the strength of the mapping affect the score. The same formula applies to all frameworks.

Safeguard status → weight
  Implemented / Monitored   100%
  In Progress                50%
  Planned                    10%
  Not Started / Untracked     0%

Mapping strength → weight
  Strong     1.0×
  Moderate   0.7×
  Weak       0.3×

Example. NIS2 Art. 21(2)(a) maps to three safeguards:

Safeguard 1.1 — Implemented (1.0) × Strong (1.0) = 1.00
Safeguard 1.2 — In Progress (0.5) × Strong (1.0) = 0.50
Safeguard 2.1 — Planned (0.1) × Moderate (0.7) = 0.07
article score = (1.00 + 0.50 + 0.07) ÷ (1.0 + 1.0 + 0.7) × 100 = 1.57 ÷ 2.7 × 100 = 58%

Why does Planned count as 10%? A safeguard that's on the roadmap gives a regulator something to point to — intent matters. But it's only 10% of full credit, so it can't meaningfully inflate your score.

Why can my framework score be higher than my CIS score? The CIS Controls percentage is strict — only fully Implemented or Monitored safeguards count. Framework scores use a graduated scale where In Progress work contributes at 50% weight. So if you have many safeguards in progress, your framework scores will reflect that partial effort while your CIS score stays low until you finish the work. Both numbers are correct — they just measure different things: CIS measures what's done, frameworks measure how far along you are.
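The framework formula and the worked NIS2 example above, carried through in code as an added example that is not Zothommog's own: it scores each requirement from its mapped safeguards' statuses and mapping strengths, then averages the requirement scores. The data layout (a dict of requirement to `(safeguard, strength)` pairs), the use of `Not Started` for untracked safeguards, and leaving requirements with no mappings out of the average are assumptions.

```python
# Added example (not Zothommog's code): framework compliance score.
STATUS_WEIGHT = {
    "Implemented": 1.0, "Monitored": 1.0,
    "In Progress": 0.5, "Planned": 0.1,
    "Not Started": 0.0,  # untracked safeguards also fall through to 0.0
}
STRENGTH_WEIGHT = {"Strong": 1.0, "Moderate": 0.7, "Weak": 0.3}


def requirement_score(mappings, statuses):
    """mappings: list of (safeguard_id, strength); statuses: {safeguard_id: status}.
    Returns the weighted percentage, or None when nothing maps to the requirement
    (assumption: such requirements are left out of the average, not scored 0)."""
    total_strength = sum(STRENGTH_WEIGHT[strength] for _, strength in mappings)
    if total_strength == 0:
        return None
    earned = sum(
        STATUS_WEIGHT.get(statuses.get(sg, "Not Started"), 0.0) * STRENGTH_WEIGHT[strength]
        for sg, strength in mappings
    )
    return earned / total_strength * 100


def framework_score(framework, statuses):
    """framework: {requirement_id: [(safeguard_id, strength), ...]}.
    Returns ({requirement_id: score or None}, overall), where overall is the plain
    average of the requirements that received a score."""
    per_req = {req: requirement_score(maps, statuses) for req, maps in framework.items()}
    scored = [s for s in per_req.values() if s is not None]
    overall = sum(scored) / len(scored) if scored else 0.0
    return per_req, overall


# Constructed sample: the page's Art. 21(2)(a) mappings plus a second article
# with one Weak mapping and one untracked safeguard (17.4 has no status entry).
SAMPLE_NIS2 = {
    "Art. 21(2)(a)": [("1.1", "Strong"), ("1.2", "Strong"), ("2.1", "Moderate")],
    "Art. 21(2)(b)": [("17.1", "Weak"), ("17.4", "Strong")],
}
SAMPLE_STATUSES = {"1.1": "Implemented", "1.2": "In Progress",
                   "2.1": "Planned", "17.1": "Monitored"}

if __name__ == "__main__":
    per_req, overall = framework_score(SAMPLE_NIS2, SAMPLE_STATUSES)
    for req, score in per_req.items():
        print(f"{req}: {score:.0f}%")
    print(f"overall: {overall:.0f}%")
```

Article (b) scores only 23% because its one done safeguard is a Weak mapping and the Strong one is untracked, which is the mapping-strength effect the table above describes.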

Next Steps ranking

priority = (ig_weight × 4) + effort_bonus + fill_bonus + planned_bonus

ig_weight = IG1 → 3  · IG2 → 2  · IG3 → 1
effort_bonus = max(0, 4 − step_count)  — fewer steps = higher score
fill_bonus = (filled_steps ÷ total_steps) × 2  — closer to done = higher score
planned_bonus = +1 if already Planned

The "Next Steps" panel on the dashboard and CIS Controls page ranks your remaining safeguards by this score. It's not a compliance metric — it's a triage helper that surfaces the highest-return work first. IG1 safeguards always come first because CIS v8 defines them as the minimum baseline for every organisation regardless of size.
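The ranking formula above as an added example that is not Zothommog's own code: it computes the priority for each remaining safeguard and sorts highest first. The field names, the use of `step_count` as `total_steps`, treating Implemented, Monitored and Excluded as not "remaining", and giving a safeguard with no recorded steps a fill bonus of 0 are assumptions.

```python
# Added example (not Zothommog's code): Next Steps priority and ranking.
IG_WEIGHT = {1: 3, 2: 2, 3: 1}
NOT_REMAINING = {"Implemented", "Monitored", "Excluded"}


def priority(sg):
    """sg: dict with ig (1|2|3), step_count, filled_steps, status (assumed names).
    priority = (ig_weight * 4) + effort_bonus + fill_bonus + planned_bonus."""
    ig_component = IG_WEIGHT[sg["ig"]] * 4
    effort_bonus = max(0, 4 - sg["step_count"])
    # total_steps is taken to be step_count; with no recorded steps there is no
    # fill bonus rather than a division by zero (assumption, not covered on the page).
    fill_bonus = (sg["filled_steps"] / sg["step_count"] * 2) if sg["step_count"] else 0
    planned_bonus = 1 if sg["status"] == "Planned" else 0
    return ig_component + effort_bonus + fill_bonus + planned_bonus


def next_steps(safeguards):
    """Remaining safeguards ordered highest priority first (stable for ties)."""
    remaining = [s for s in safeguards if s["status"] not in NOT_REMAINING]
    return sorted(remaining, key=priority, reverse=True)


SAMPLE = [  # constructed sample; ids are illustrative
    {"id": "1.1", "ig": 1, "step_count": 3, "filled_steps": 1, "status": "Planned"},
    {"id": "4.1", "ig": 1, "step_count": 6, "filled_steps": 0, "status": "Not Started"},
    {"id": "5.2", "ig": 2, "step_count": 2, "filled_steps": 2, "status": "In Progress"},
    {"id": "3.3", "ig": 1, "step_count": 4, "filled_steps": 4, "status": "Implemented"},
    {"id": "16.7", "ig": 3, "step_count": 0, "filled_steps": 0, "status": "Not Started"},
]

if __name__ == "__main__":
    for sg in next_steps(SAMPLE):
        print(f"{sg['id']:>5}  IG{sg['ig']}  priority={priority(sg):.2f}")
```

Note that a nearly finished IG2 safeguard (5.2) only ties with an untouched six-step IG1 one (4.1): the IG weight dominates, as the text says it should.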

A note on what scores don't tell you. A high CIS score means you've implemented the controls — not that you've tested them. A high framework score means your controls map well to the requirements — not that an auditor will agree. Use these numbers to track your own progress over time, not to claim compliance.