Understanding Your Compliance Score
Your compliance score is the clearest real-time signal of where your compliance program stands. This guide explains exactly how the score is calculated, what moves it, and how to use it to prioritize work and report progress to clients and stakeholders.
How the compliance score is calculated
Your compliance score is the number of controls in your adopted framework that are fully implemented and evidenced, divided by the total number of controls in that framework, expressed as a percentage. A score of 74% means 74 out of every 100 controls are in a fully implemented state. The remaining 26% represent open gaps at various stages of completion.
Controls in Regentra carry one of three statuses that determine how they contribute to the score:
- Implemented — the control has been marked as implemented and has at least one piece of evidence attributed to it, either collected automatically through an integration or uploaded manually. Implemented controls count fully toward the score.
- In Progress — work on the control has begun but implementation is not yet complete, evidence is missing, or the control has been partially addressed. In-progress controls do not count toward the score.
- Not Started — the control has not been addressed. Not Started controls do not count toward the score and represent the clearest gap in the current program.
The score updates in real time. When a control moves to Implemented — whether because a technician manually updated it or because automated evidence collection attributed sufficient evidence to it — the score increases immediately. There is no manual refresh required and no delay between completing work and seeing the score reflect it.
New tenant starting scores: When you first adopt a framework, your score will reflect whatever evidence has already been collected from connected integrations. If Microsoft 365 is already connected, your starting score will typically be higher than zero because automated evidence has already satisfied a number of controls. If no integrations are connected yet, the starting score will be zero — which is accurate, not an error.
What the score reflects — and what it does not
The compliance score is a reliable measure of control implementation progress within your adopted framework. It tells you, at any point in time, how much of your compliance program is complete — and by implication, how much remains to be done.
What the score does not tell you:
- It is not a pass or fail threshold. There is no universal score at which an organization is considered compliant. Different frameworks, different auditors, and different regulatory contexts have different standards. A 90% score does not guarantee a clean audit; a 70% score does not guarantee a failed one. The score is a progress measure, not a certification.
- It does not reflect the severity weighting of open gaps. A single critical control gap — one that an auditor would flag as a material finding — counts the same in the score calculation as a minor documentation gap. Two organizations with a 75% score may have very different risk profiles depending on which 25% remains incomplete. Use the domain breakdown and the gap report alongside the overall score to understand what the open gaps actually represent.
- It is not equivalent to audit readiness. A high score means your controls are implemented and evidenced — which is excellent preparation for an audit. But audit readiness also depends on the quality of that evidence, the completeness of your documentation, and the specific requirements of the auditor you are working with. The score measures implementation; audit readiness requires judgment on top of it.
What moves the score up
The score increases when controls move from In Progress or Not Started to Implemented. The following actions directly move controls to Implemented status and increase your score:
Connecting an integration
Connecting your Microsoft 365, Entra ID, Intune, AWS, or GCP environment triggers automatic evidence collection that immediately attributes evidence to the controls those integrations support. For most organizations, connecting Microsoft 365 and Entra ID alone moves the score up by a meaningful amount on the first day — because the evidence those integrations pull satisfies a significant number of access control, identity management, and monitoring controls that were previously unsupported.
Uploading manual evidence
For controls that require evidence not available through an integration — physical security documentation, vendor contracts, risk assessment outputs, training records — uploading the evidence to the control's record and marking the control as Implemented updates the score immediately.
Completing policy workflows
Some controls require an active, approved policy as evidence of implementation. When a policy moves through the Draft → Review → Approved → Active workflow and reaches Active status, it satisfies the policy-level evidence requirement for the controls it is mapped to, contributing to the score.
Implementing and documenting controls
For technical controls that require active implementation — enabling a security setting, deploying a configuration, establishing a procedure — marking the control as Implemented in the compliance dashboard after completing the work updates the score. Where automated evidence is not available, the documentation of the implementation and any supporting manual evidence uploads serve as the record.
What moves the score down
The score can decrease as well as increase. Understanding why helps you avoid being surprised by a falling score when the team has not made any obvious mistakes.
Evidence expiry
Some evidence types have a defined validity period. A penetration test report is typically valid for twelve months. A risk assessment may be valid for a defined review cycle. When evidence passes its expiry date, the control it was supporting may drop from Implemented to In Progress, reducing the score until fresh evidence is uploaded. Expiry dates are visible on each evidence record in the control's detail view.
Integration disconnection
If a connected integration becomes inactive — due to an expired authorization or a permission change — Regentra stops receiving updated evidence from that environment. If the evidence collected before the disconnection ages out or if the absence of a live connection causes controls to lose their Implemented status, the score will fall. Reconnecting the integration restores the flow of evidence and stabilizes the score.
New controls added to an adopted framework
When Regentra adds new controls to a framework based on regulatory updates or framework revisions, those controls appear in your compliance dashboard as Not Started. Adding controls to the total without immediately having evidence for them dilutes the score. This reflects an accurate change in your compliance position — the framework requirements have grown — rather than any deterioration in the work already done.
Adopting an additional framework
When you adopt a new framework, the controls it contains that are not yet implemented appear in the score calculation. If the new framework has controls that overlap with your existing program, cross-framework mapping will carry existing evidence across and reduce the gap. Controls unique to the new framework start as Not Started and pull the score down proportionally until they are addressed.
How scores work across multiple frameworks
Each adopted framework has its own independent compliance score. The score you see in the dashboard updates to reflect whichever framework is currently selected in the framework selector. Switching between frameworks switches the score and the underlying control view simultaneously — the numbers reflect that framework's controls and evidence only.
There is no single combined score across all adopted frameworks. This is intentional: a combined score would obscure performance differences between frameworks and make it harder to communicate clearly with clients or auditors who are asking about a specific regulatory standard. The per-framework score gives you a precise, defensible number for each compliance obligation independently.
Cross-framework control mapping means that a control implemented under one framework is automatically counted as implemented in every other framework that requires it. This means adopting a second framework does not start from zero — evidence already collected and controls already implemented carry across wherever the mapping applies. The gap you actually need to close for the new framework is only the portion not already covered by your existing program.
Reading the domain breakdown
The overall score tells you how much of the framework is complete. The domain breakdown tells you where the gaps are concentrated. Both views are available on the compliance dashboard and are equally important for managing the program effectively.
Each security domain in the framework — Access Control, Incident Response, Risk Management, Asset Management, and so on — shows its own completion percentage alongside the overall score. A domain at 100% means every control within it is implemented and evidenced. A domain at 0% means none of its controls have been addressed yet.
Use the domain breakdown to prioritize remediation work in three situations:
- When the overall score is low and everything feels like a gap — identify the two or three domains with the most controls and the lowest completion percentage. Concentrated effort in high-control-count domains moves the overall score more efficiently than scattered effort across all domains simultaneously.
- When preparing for an audit — auditors often focus their scrutiny on specific domains based on the framework and the organization's industry. A healthcare organization should ensure access control and incident response domains are close to 100% before an audit, regardless of the overall score.
- When reporting to a client or executive stakeholder — the domain view makes compliance progress concrete and specific. Showing a client that their Access Control domain moved from 40% to 85% in a quarter is more meaningful than citing an overall score change.
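The scoring rules described above (only Implemented, evidenced controls count; expired evidence drops a control out of the score; domains are ranked for remediation), worked through as an added example that is not Regentra's code or API. The `Control` record, the rule that a control stops counting once all of its evidence has expired, and the ranking by open-control count are assumptions; the sample controls are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Control:                       # hypothetical record, not a Regentra schema
    control_id: str
    domain: str
    status: str                      # "Implemented" | "In Progress" | "Not Started"
    evidence_expiry: tuple = ()      # one entry per evidence item; None = never expires

def counts(control, today):
    """True only for an Implemented control with at least one unexpired evidence item."""
    if control.status != "Implemented":
        return False
    return any(exp is None or exp >= today for exp in control.evidence_expiry)

def pct(done, total):
    return round(100.0 * done / total, 1) if total else 0.0

def score(controls, today):
    """Unweighted score: every control counts the same, whatever its severity."""
    return pct(sum(counts(c, today) for c in controls), len(controls))

def domain_breakdown(controls, today):
    tally = defaultdict(lambda: [0, 0])          # domain -> [counted, total]
    for c in controls:
        tally[c.domain][0] += counts(c, today)
        tally[c.domain][1] += 1
    return {d: {"open": t - n, "pct": pct(n, t)} for d, (n, t) in tally.items()}

def remediation_order(controls, today):
    """Domains with the most open controls first; lowest completion breaks ties."""
    bd = domain_breakdown(controls, today)
    return sorted(bd, key=lambda d: (-bd[d]["open"], bd[d]["pct"]))

# Constructed sample data (not exported from any real tenant).
CONTROLS = [
    Control("AC-01", "Access Control", "Implemented", (None,)),
    Control("AC-02", "Access Control", "Implemented", (date(2024, 3, 1),)),
    Control("AC-03", "Access Control", "In Progress"),
    Control("AC-04", "Access Control", "Not Started"),
    Control("IR-01", "Incident Response", "Implemented", (date(2025, 1, 1),)),
    Control("IR-02", "Incident Response", "Implemented", (None,)),
    Control("RM-01", "Risk Management", "Not Started"),
    Control("RM-02", "Risk Management", "Implemented", (date(2024, 12, 31),)),
]

if __name__ == "__main__":
    for day in (date(2024, 2, 1), date(2024, 6, 1)):   # before / after AC-02 evidence expires
        print(day, score(CONTROLS, day), domain_breakdown(CONTROLS, day))
    print(remediation_order(CONTROLS, date(2024, 6, 1)))
```

Running it shows the score falling between the two dates with no change to any control's recorded status, which is the evidence-expiry effect; appending a Not Started control to the list shows the dilution effect in the same way.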
Using the score trend over time
The score trend chart shows how your compliance score has changed over time, plotted as a line across the period you select. It is one of the most useful views in the compliance dashboard for understanding whether a program is making consistent progress, stalling, or declining — and for communicating that trajectory to clients and stakeholders.
A steadily rising trend line indicates that controls are being implemented and evidenced at a consistent pace. A flat line indicates that progress has stalled — either because the remaining gaps are harder to address, because team capacity has shifted away from compliance work, or because evidence expiry is offsetting new implementations. A declining line indicates that controls or evidence are lapsing faster than new ones are being completed, which warrants immediate investigation.
For MSPs, the score trend is a client-facing reporting asset. Showing a client a chart of their compliance posture improving over the months since onboarding demonstrates tangible, measurable value delivered by the managed compliance program — in a format that a non-technical decision-maker can read and understand without explanation.
Compliance scores across an MSP client portfolio
The MSP dashboard displays compliance scores for every client in the portfolio simultaneously, without needing to switch into each client tenant individually. Each client appears with their current score per adopted framework, giving an at-a-glance view of which clients are progressing well and which need attention.
Sorting the portfolio view by compliance score surfaces the clients with the lowest scores at the top — making it straightforward to prioritize where the compliance team's effort should be directed in any given week. Clients approaching an audit deadline with a low score can be identified and resourced proactively rather than reactively.
Because each client tenant is fully isolated, a score change in one client's environment has no effect on any other client's score. The portfolio view is a read-only aggregation — it shows you each client's independent position, not a blended or averaged figure across the portfolio.
Sharing your score with clients and stakeholders
The compliance score is designed to be shared — with clients, with leadership, with auditors, and with prospects evaluating your security posture. Regentra provides two mechanisms for sharing compliance posture information without giving direct platform access to external parties.
Compliance reports
The compliance report export generates a formatted document showing the current score, the domain breakdown, the control status summary, and the evidence collection overview for a selected framework and time period. Reports are suitable for quarterly business reviews with clients, for executive briefings, and for responding to security questionnaires from prospects or partners. Reports are generated from the Reports section of the compliance dashboard and can be exported as a PDF.
Trust Center
The Trust Center is a public-facing page that displays your organization's adopted frameworks, compliance posture, security practices, and any certifications or attestations you have chosen to publish. It is accessible via a custom URL without requiring the viewer to have a Regentra account. For clients who want to share their compliance posture with their own customers or partners, the Trust Center provides a live, always-current view — not a point-in-time document that ages the moment it is generated.
Your compliance score is most useful when you look at it regularly rather than only when an audit is approaching. A score that is checked weekly and used to guide prioritization decisions is a program management tool. A score that is checked once before an audit is a reporting number. The difference in the compliance posture those two habits produce — over a year of operation — is the difference between a program that is genuinely ready and one that is prepared to look ready.