Org Score

Org Score is the foundation of how Forest measures your security program. It expresses, on a 0 to 100 scale, how mature your in-scope capabilities are once you account for how much each one matters.

What it measures

Every capability you assess in CAMP carries two values: a maturity score from 0 to 5 and a criticality rating from 1 to 3. Org Score combines them so that weak performance on a compliance-required capability moves the number more than weak performance on a nice-to-have one.

The Forest Intelligence Service computes Org Score as a criticality-weighted average of maturity across the capabilities in your scope, then normalizes the result to 0 to 100. A program with strong maturity on its most critical capabilities will score high. A program with strong maturity only on low-criticality work will not.

Why it matters

A flat average of maturity scores hides risk. It treats Identity Provisioning and a peripheral process as equals. Org Score does not, because it lets criticality carry weight. That gives you a single number you can defend to a board without pretending all security work is equal.

Org Score reflects only the capabilities in your current scope. Widening or narrowing scope changes what the number represents, so keep scope consistent when you compare over time.

Org Score is also the largest input to your headline Forest Score, and the same formula applied within a single domain produces your domain scores.