Frequently Asked Questions (FAQ)
The Cyber Trust Label can be requested by any organisation. The label is granted if the organisation fulfils the minimum requirements of the Cyber Risk Rating scheme.
For the Cyber Trust Gold Label an audit is performed by a qualified auditor who has been accredited by the authorities according to §18 of the NIS Act. For the Standard Label a validation is performed that evaluates the self-declaration for completeness, consistency and plausibility. Additionally, every organisation that requests a Cyber Trust Label agrees to provide evidence on demand (e.g. for an on-demand control audit). Intentional or grossly negligent incorrect declarations result in the withdrawal of the label.
An automated web risk score is evaluated. This is done solely using non-intrusive methods; the security and stability of the organisation's systems are not endangered at any time. No penetration tests are performed as part of the label process. However, regular penetration tests within the organisation are part of the requirements for the B and A ratings and are therefore demanded by the scheme.
For the Standard Label, answering the questions usually takes no more than one or two hours. For the A-Label the effort is somewhat higher but should usually not exceed about a day. These are indicative efforts only; they assume that the requirements are already fulfilled and that the necessary evidence is readily available.
The Cyber Risk Rating scheme is based on proven security standards that have been developed and approved by leading security experts. Compliance with these requirements is checked using the validation and audit mechanisms described in the Cyber Risk Rating Scheme. An organisation carrying the Cyber Trust Label demonstrates that it takes cybersecurity seriously and has implemented essential security measures. However, no scheme or evaluation can guarantee 100% cybersecurity or completely rule out the possibility of cyber incidents.
The Cyber Trust Label is a quality label based on a defined scheme (the Cyber Risk Rating Scheme Policy of KSÖ). It is not a certification. Furthermore, the ISO 27000 series aims at the existence of a management system for information security, whereas the Cyber Risk Rating checks the existence of defined, concrete security controls.
Every organisation going through a KSV1870 Cyber Risk Rating agrees to a possible surveillance audit. Such audits can become necessary, e.g. after a severe security incident or if there are indications of misuse or false information. Surveillance audits can also be conducted at random without citing specific reasons.
If a surveillance audit identifies a significant deviation, the rating will be revoked. This includes invalidating the Cyber Trust Label. In such a case the organisation must remove the label from all websites and marketing materials within one month. A new rating and label can only be requested after a cooling-off period of six months.
The Cyber Trust Label is issued for one year and can afterwards be renewed, provided that the requirements are still fulfilled.
If the cyber risk rating is not sufficient for qualification, the organisation must implement the necessary improvement measures and can then go through the request process again. If this happens within one year of the initial request, the label issuing fee (but not the rating fee) will be credited.
The Cyber Trust Label is issued by CTS Cyber Trust Services GmbH in cooperation with Kompetenzzentrum Sicheres Österreich. The rating process itself is performed by KSV1870.
Yes, the Cyber Trust Label is a protected registered trademark in Austria and the European Union. Misuse will be legally prosecuted.
The Cyber Risk Advisory Board acts as the escalation and complaints body for any uncertainties or disputes regarding the Cyber Trust Label.
Orders can be placed online. Payment is by invoice.