You have just taken over an existing Tenacy account, either as a new pilot resuming an already-initiated monitoring process, or as a local CISO stepping in to cover part of a perimeter.
You did not have a formal handover, so you need to figure out on your own what has been done, what is in progress, and what still needs to be handled.
This guide offers a 4-step getting-started checklist to help you quickly get your bearings in Tenacy and identify your priority actions.
1. Check which frameworks are a priority for your context
Start by identifying the policies (compliance frameworks) associated with your perimeter.
💡 This is the starting point of all monitoring in Tenacy: each policy associated with a perimeter defines the security measures to implement, generates a compliance score, and lets you track your progress over time against your regulatory obligations or internal commitments.
To do this, go to Performance > Perimeters. Find the perimeter you are interested in using the tree view or the search bar. Clicking on it displays the list of policies tracked for that perimeter.
Example: this perimeter is subject to the Group Policy and NIS 2 FR.
Ask yourself the following questions:
Are these policies aligned with your organization's regulatory obligations or commitments?
Are there associated policies that do not apply to your context and are unnecessarily adding to your monitoring workload?
Are there policies that should apply to this perimeter but are missing?
This first step gives you a clear picture of the context you will be working within before going further.
2. Check the state of your security base
ℹ️ The Tenacy model in brief
In Tenacy, each requirement in a policy is translated into a concrete security measure: software, processes, and teams contributing to securing the perimeter.
This mapping relies on a unified measure repository, which makes multi-compliance possible: a single measure can cover multiple policies at once. Implementing a measure can therefore improve your score across several frameworks simultaneously.
The security base is the central view for managing your perimeter's compliance. It brings together all the security measures you need to put in place to meet your compliance objectives for a given perimeter, and lets you track their status at a glance.
Example: Security Base > NIS 2 FR > Perimeter 02
➩ This gives you the full list of security measures to implement to reach NIS 2 FR compliance on Perimeter 02, along with their status.
Before anything else, take stock of what has been filled in and what still needs to be handled. Go to Security Bases > All measures > your perimeter.
💡 This view is especially useful if your perimeter is subject to multiple policies: all measures are consolidated in one place.
Check the following points:
Measures to be handled: assign an implementation status
Filter on measures marked "To be handled." For each one, ask yourself: is this measure already in place in my perimeter?
If yes, mark it as "Implemented"
If no, mark it as "Not implemented"
💡 Our recommendation: reserve the Not implemented status for measures where you are truly starting from scratch. If a measure already exists in your organization, even partially or imperfectly, mark it as Implemented and improve it later using improvement actions (see below). The goal is to avoid leaving measures permanently in "Not implemented" — that is a signal that concrete work needs to start.
Implemented measures: identify potential improvement areas
Measures that are already implemented may still have room to improve in efficiency. If you identify areas for improvement, you can create one or more improvement actions linked to that measure.
Example: The "Awareness program" measure is implemented, but you know it is partially effective because only certain teams have been trained. A linked improvement action could be: "Extend the awareness program to all employees in the perimeter."
To create an improvement action, open the relevant measure in the security base, then click "Add an improvement action."
You can then:
Enter its name (defaults to the measure name)
Specify the impact on the measure's efficiency
Assign the action to the action plan of your choice
Assign an owner.
Not-implemented measures: confirm or update their status
Filter on "Not implemented." Are the measures declared as not implemented still in that state? It is possible that work has been done since, without Tenacy being updated.
Clicking on a measure gives you access to its description and shows whether an implementation action is linked to it: this is a good first indicator of whether any work has already been started.
If you find that the status is no longer accurate, you have two options to switch the measure to implemented:
If an implementation action is linked: follow the link to that action, set its status to "Finished," and save. In the pop-up that opens, click "Implement the measure" on hover, then "Create" to confirm.
You can also reset the measure by clicking the button in the top-right corner. Its status will revert to "To be handled" and any linked implementation action will be deleted. You can then qualify it as implemented.
⚠️ If you have filtered on "Not implemented," remember to switch the filter to "To be handled" to find your measure again after resetting it.
3. Check that controls are being actively monitored
An implemented measure alone is not enough to guarantee a good security level over time. Recurring controls (recurring tasks and indicators) are regularly scheduled checks that verify whether a measure is working as intended.
Controls created by a previous pilot may no longer be monitored if no one is responsible for them. Review the recurring tasks and active indicators on your perimeter.
Are recurring tasks being monitored?
In the Recurring tasks module, filter on recurring tasks linked to your perimeter. The color coding will quickly show you whether tasks are being kept up to date.
If most occurrences are green (Done OK) or blue (Done KO), the recurring task is being followed and is fulfilling its control role. You can keep it.
If most occurrences are red (Not done) or yellow (Late), the recurring task is not being properly monitored.
You can reassign it if someone else is better placed to execute it. Open the task, change the owner, and save.
Or you can delete it if no one can take it on or if it is no longer relevant. Select the task in the list and click on "delete".
Are indicators up to date?
In Tenacy, indicators are calculated from metrics: these are the building blocks that feed the calculation.
Example: The indicator "Internal scan completion" is the ratio between the metrics "Internal IP ranges to scan" and "Internal IP ranges scanned."
For an indicator to reflect reality, each of its component metrics must be filled in for every period.
To check the state of metrics on your perimeter, go to Contributions > Metrics and filter on the relevant perimeter. Clicking on a metric lets you see whether the most recent periods have been filled in or whether values are missing.
If a metric's monitoring is unsatisfactory, you have two options from Dashboards > Metrics:
Reassign the metric: open it and select the right user or group from the "Assignments and delegations" tab. Someone needs to be clearly responsible for keeping it up to date.
Delete the metric: if no one can ensure its monitoring, it is better to delete it. Note that you will need to delete any indicator containing this metric first. More detailed instructions are available in this dedicated article.
💡 Our recommendation: if a control is not being monitored, it is better to delete it than to leave it inactive. Untracked controls have a negative impact on your score and add unnecessary overhead to your monitoring. The aim is to keep only those controls that you can actually monitor. A smaller but reliable monitoring setup is always preferable to an incomplete dashboard.
4. Review your action plans
Action plans group together the implementation actions and improvement actions linked to the measures in your security base. When taking over an account, it is common to find actions whose status is no longer accurate: actions marked "ongoing" that have actually been completed, or "planned" actions that are no longer relevant.
For each active action plan on your perimeter:
Verify that each action's status accurately reflects the current situation.
Close out any actions that have been completed but not updated.
Identify any open actions that require your attention.
💡 An up-to-date action plan is essential for your Tenacy score to accurately reflect the real state of your security. Outdated or incorrectly qualified actions can distort your monitoring picture.
What's next?
After completing this checklist, you have a clear view of the account you are taking over: the active and relevant frameworks, the measures to prioritize, the controls that are genuinely being monitored, and up-to-date action plans. You are ready to start a reliable monitoring process that accurately represents your context. We recommend reading our article Setting up your compliance in Tenacy to go further in your compliance approach.







