Third-party management in Tenacy has two distinct phases: mapping (identifying and qualifying your suppliers and providers) and evaluation (measuring their compliance against a security policy). You can start with mapping only and add assessments later.
1. Create your suppliers
In Tenacy, suppliers are separate objects from internal perimeters, accessible from the Organization module.
By default, Tenacy creates a dedicated tree called "Third parties". You can also integrate your suppliers into your main tree for a consolidated view alongside your internal perimeters.
Before creating your first supplier, think about structuring your tree: each grouping automatically consolidates the indicators of its children. A common approach is to create two groups, "Critical" and "Non-critical", so you can filter your reporting from the start.
To create a supplier:
In Organization, select the "Third parties" tree (or your preferred tree).
Click + in the relevant group and select New provider.
Enter a meaningful identifier and a recognizable name.
The Policies and Campaigns sections can be skipped at this stage.
In Users, you can create Tenacy contributor accounts for this supplier: they will be able to complete the evaluations sent to them.
Confirm by clicking "Create provider".
2. Complete the identity card: contacts and properties
A supplier's identity card centralises what you know about them: your contacts (security manager, DPO, project manager...) and the properties you have defined (service type, criticality, size, personal data processed...).
Contacts are added via the Contacts > Add tab, directly from the identity card. It is a reference directory, useful for knowing who to reach without having to search through your emails.
Properties are configured in ⚙️ > Properties, then filled in from the identity card of each perimeter, or via import. You can make them mandatory: an orange dot appears in the organization tree on the provider card until they are filled in. Full details in this article.
💡 Dashboards can be filtered by property: the more qualified your suppliers are, the more powerful your reporting.
3. Understand the elements of an assessment
Before creating your first campaign, here are the three building blocks to know.
The policy defines the structure of the assessment: it lists the security requirements against which you will assess your supplier. You can use a public policy from the catalog (CESIN, ISO 27002...) or a private policy you have created yourself (for example, your own provider security baseline). Each requirement becomes a "question" the supplier will need to answer.
The scale defines the granularity of the response: from a simple compliant / non-compliant to more detailed maturity levels, it is your choice. Tenacy offers public scales in the catalog, and you can create your own from ⚙️ > Scales. More details in this article.
The questionnaire is a form sent to the supplier ahead of the evaluation. It qualifies the supplier and can, depending on its configuration, activate or deactivate certain requirements in the policy. More details in this article.
A campaign must be based on a policy, a questionnaire, or both, but only one of each.
💡 To explore what is available or already configured in your context, go to ⚙️ > Catalog (tabs Policies and Questionnaires) and ⚙️ > Scales.
4. Create your evaluation campaign
A campaign is a deployment template: you define an evaluation structure (policy, questionnaire, scale, options) and send it to multiple suppliers at once. Each supplier receives their own evaluation, configured in the same way.
To create a campaign, go to the Evaluation module from the main menu and configure:
The perimeters to assess: an individual provider, or an entire tree or group.
The questionnaire (optional): pre-qualifies the supplier and dynamically activates certain requirements based on their answers (see this article for details).
The policy against which suppliers will be assessed. You can associate it directly with supplier perimeters to keep this information visible from your organisational tree.
Response options: rating scale, whether "not applicable" answers are allowed, comments and proofs. You can make certain elements conditional on the response level (for example: mandatory comment if the level is 0, mandatory evidence if the level is at maximum).
The campaign title.
The response deadline (optional: if you plan to add perimeters on an ongoing basis, it is better to leave it open).
The respondent: an internal contact managing this supplier, or the supplier themselves if you have created an account for them (see step 1).
The campaign manager: user(s) or group(s) notified upon each assessment submission.
Click Save and launch to send evaluations immediately, or Save and close to save as a draft (you will find the campaign in the In preparation tab).
💡 Our tip: to manage your suppliers on an ongoing basis without recreating a campaign each time, leave the deadline open, launch the campaign, then go back to edit it (pencil icon on hover) and tick "Add new perimeters to campaign". As soon as a new supplier is added to the tree or grouping linked to the campaign, their assessment launches automatically with the same parameters. All your results are centralized in a single campaign.
5. Track progress and follow up with suppliers
From Evaluations > In progress, open your campaign to see in real time where each supplier stands: responses completed, evaluation submitted, or not yet started.
If some suppliers have not yet started or submitted their evaluation, click Send reminder to automatically follow up with all of them at once.
6. Review submitted evaluations
Once a supplier has submitted their assessment, you can access the review from the notification email, or by opening the campaign, going to the Submitted tab and clicking on the perimeter.
All responses start with the "to review" status, so you can keep track of where you are if you review in multiple sessions.
You can approve or reject each response, and exchange messages with the supplier via a timestamped comment thread, visible on both sides. You can change your decision at any time until you click Finish evaluation review.
In case of rejection, the supplier can only modify the rejected responses; approved ones are locked. On resubmission, you only need to review what has changed, not the entire assessment.
💡 Our tip: there is no need to manually review every response, because clicking Finish evaluation review approves all unreviewed responses by default. You can therefore focus only on the responses that warrant attention.
7. Interpret your suppliers' evaluation results
In Evaluations > your campaign > Results, Tenacy automatically generates an analysis of your evaluations, saving you from consolidating data manually. Results are available from the first responses, even before the evaluation is submitted or the campaign is complete.
You will find the score by policy chapter, which you can expand to drill down to each individual requirement.
By selecting the tree or group covered by the campaign, you get a consolidated view for each requirement: average score, completion rate and response distribution. You can also zoom in on a specific provider to see the detail of their responses: ideal for identifying priority improvement areas across your supplier portfolio.
👏 You now have everything you need to structure your third-party management in Tenacy: a qualified supplier repository, evaluations deployed in a few clicks, collaborative review, and automatically consolidated results.







