This guide is designed to provide you with a clear and repeatable routine, regardless of the security policy you follow (ISO 27001, NIS2, or other).
1. Associate a policy with your perimeter
The different compliance frameworks you manage do not apply uniformly across your entire organization.
That is why, in Tenacy, a policy (compliance framework) applies at the perimeter level. Example: NIS 2 France will apply only to your French subsidiary, ISO 27001 to the defined certification scope, etc.
To manage your compliance in Tenacy, the first step is therefore to associate a policy with the relevant perimeter.
Go to Security Base.
Two situations are possible:
The policy is already associated with one or more perimeters: it appears in the policy blocks. Click on the relevant policy, then on "Associate perimeter" to extend it to a new perimeter.
The policy has never been associated with a perimeter: it does not appear in the policy blocks. Click on "Associate a policy" to select a public policy from our catalogue or a private policy (ISSP, security insurance plan, etc.).
In both cases, once the association is initiated, two parameters need to be configured:
You can define a weight (default 100) that indicates the relative importance of this policy in calculating your overall compliance score for this perimeter. A weight of 0 lets you associate the policy without it affecting your score.
If the policy has priority levels, select the level that applies to the perimeter in question. Example: the Essential and Important levels in ReCyF (NIS 2 France), for essential and important entities respectively. Choosing the right priority level lets you apply the requirements relevant to your scope.
2. Understanding the security base
The security base is the central view for managing your perimeter's compliance. It brings together all the security measures you need to implement to meet your compliance objectives on a perimeter, and lets you track their status at a glance.
Example: Security Base > NIS 2 FR > Perimeter 2
➩ You see the list of all security measures to implement to achieve NIS 2 FR compliance on your Perimeter 2, along with their status.
Four statuses tell you the implementation level of each measure:
To be handled: you have not yet declared anything about the implementation of this measure on your perimeter.
Implemented: the measure is in place and operational on your perimeter.
Implemented by: the perimeter benefits from a security measure managed by another perimeter. This may for example be the case for a SOC or CSIRT managed centrally for the entire organization.
Not implemented: the measure is not yet in place on your perimeter.
The security base lets you carry out a compliance assessment on a perimeter. Handling compliance measure by measure makes multi-compliance work more efficient:
If you have just associated a first policy with this perimeter, most measures will appear as "To be handled" and you will know exactly where you are starting from.
If this perimeter was already used in Tenacy with other policies, some measures may already be implemented: you are not starting from scratch, and the security base shows you precisely what still needs to be done for this new compliance framework.
3. Assigning a status to measures to be handled
Let's start the assessment. Filter on "To be handled" measures in your security base.
For each of these measures, ask yourself: is this measure already in place on my perimeter?
If yes, mark it as "Implemented"
If no, mark it as "Not implemented"
💡 Our advice: reserve the Not implemented status for measures where you are truly starting from scratch. If a measure already exists in your organization, even partially or imperfectly, mark it as Implemented and improve it afterwards through improvement actions. The goal is that no measure stays "Not implemented" for long: that status is a signal that concrete work needs to begin.
4. Checking whether actions should be planned to improve measure efficiency
For measures that are already implemented, their efficiency may still have room for improvement. If you identify areas for improvement, you can create one or more improvement actions linked to that measure.
For each action, you indicate by how much it could increase the efficiency (for example 25%).
When an improvement action is created, the measure's efficiency is automatically reduced by that percentage (100% - 25% = 75%).
💡 If several actions are in progress, their impacts add up (for example, two actions of 25% will bring efficiency down to 50%).
Each time an action is completed, the measure's efficiency recovers the points from that action.
To create an improvement action, open the relevant measure in the security base, then click on "Add an improvement action".
You can then:
Enter its name (by default the name of the measure)
Specify the impact on the measure's efficiency
Place the action in the action plan of your choice
Assign a manager
5. Planning implementation actions for non-implemented measures
By filtering on "Not implemented" in your security base, you find the measures that are not yet in place.
For each measure you want to implement, you will create an implementation action. Once completed, this action will automatically move the measure to "Implemented" status and directly improve your compliance score.
To create an implementation action, open the relevant measure in the security base, then click on "Add an implementation action".
You can then:
Enter its name (by default the name of the measure)
Place the action in the action plan of your choice
Assign a manager
To go further in tracking your action plan
Once your actions are created, go to your action plan to complete them. For each action, you can enter a start date and a target date, define a priority, and make proof of completion mandatory if you wish.
These elements will make collaboration smoother and tracking more rigorous: each action manager knows what they need to do, by when, and with what proof required.
💡 Our advice: prioritize measures that are realistically achievable in the short term and that cover priority requirements of your policy. Focused effort on a few well-chosen measures can significantly improve your score.
6. Adding recurring controls to your implemented measures
An implemented measure alone is not enough to guarantee a good level of security over time. Recurring controls are verifications scheduled at regular intervals that measure whether a measure is working properly.
Example: checking every month that backups are completed, or every quarter that access to sensitive systems is up to date.
💡 Why are recurring controls important?
Without a recurring control, Tenacy applies a default operations score of 75% to the measure. By adding real controls with actual results, you get a measured score that reflects the reality of your security.
Controls let you quickly detect a drop in a measure's efficiency before it becomes a problem.
Finally, in the event of an audit, auditors will ask for evidence that your measures are being properly followed over time. Recurring controls let you meet this requirement easily and demonstrate, with supporting evidence, that your approach is genuinely operational.
Filter on "Implemented" measures in your security base. Open a measure and click on "Add a control".
For each security measure, Tenacy automatically suggests two types of recurring controls: recurring tasks and indicators.
Check the recurring tasks and/or indicators you want to use to monitor the security measure.
You can view the details by clicking the "info" icon next to each control.
Assign a manager.
Place the recurring tasks in the registry of your choice.
💡 Our advice: only add controls that you are genuinely able to carry out regularly. A control that is not carried out counts as a failure and damages your score. No need to check everything: a single well-maintained control per measure can be enough to keep it on track over time. A few well-maintained controls are far better than many abandoned ones.
7. Tracking the progress of controls and actions, and following up with overdue contributors
Once your action and control plans are built, regularly monitor their progress:
For your implementation and improvement actions: from the Action Plans module
For your recurring controls: from the Recurring Tasks module, or from the Dashboard module for indicators
If you notice delays, you can send email reminders to contributors directly from the platform. To do so, follow the instructions in this article.
💡 Our advice: a weekly or bi-weekly review of actions and controls lets you anticipate delays before they impact your compliance score or significantly slow down your compliance journey. Build this check into your compliance management routine.
8. Understanding the different scores of a policy
Now that you have associated a policy, qualified your measures, planned your actions and put recurring controls in place, you have all the elements to truly understand what your compliance scores represent. These scores directly reflect the quality and maturity of the work carried out in your security base.
Tenacy distinguishes three compliance scores, which evolve automatically with your progress:
Declarative score
Calculated from the assessments you manually enter for each requirement. This is the starting mode, before any concrete measures are put in place (➡️ learn more).
Coverage score
Calculated automatically based on the measures you have implemented, their coverage rate of requirements, and their efficiency (➡️ learn more).
Coverage: Tenacy translates each policy requirement into security measures (software, processes, teams that allow a scope to be secured). A single measure can on its own cover a requirement at 100%. Other combinations are possible if several measures are needed to cover a requirement: 4 measures each covering 25%, 1 measure at 60% and another at 40%, etc.
Efficiency: your level of confidence that the security measure is working properly. When you identify issues to resolve, you create improvement actions that automatically reduce the efficiency of your measure.
Measured score
The most accurate of the three, it also integrates the operational performance of your measures: results of recurring controls and indicators (➡️ learn more).
💡 These 3 scores are accessible from the "Policies" module.
9. Repeating the cycle to maintain and improve your compliance
Compliance is not a state you reach once and for all: it is a continuous process. Once you have completed the previous steps, repeat them regularly from step 4 onwards to identify new improvement opportunities.
This cycle can be run at whatever frequency suits you: monthly for a well-structured organization, quarterly for a gradual start.
In summary, here is the cycle to follow on a recurring basis:
Identify measures to improve among implemented measures.
Plan new implementation actions for non-implemented measures.
Put recurring controls in place to guarantee the long-term performance of implemented measures.
Check that your actions and recurring controls are being carried out and follow up with overdue contributors.
Analyze the evolution of your score and adjust your priorities.
💡 Your compliance score in Tenacy reflects the real state of your measures and controls. The more regularly you update the platform, the more it becomes a reliable management tool for your organization.












