Kantyra Kantyra

← Alle artikelen

Aantonen

What an auditor really wants to see

Alain Rees · 07-07-2026 · 2 min leestijd

A stubborn misunderstanding surrounds audits: that the auditor comes to check whether everything is perfect. That is not the case. An auditor comes to check whether your organisation knows where it stands, whether the choices are substantiated and whether the evidence matches the story. Demonstrate, the final phase of the model, is therefore not about perfection but about traceability.

Evidence should live with the judgement

The classic audit problem is not that evidence is missing, but that it is everywhere and nowhere: in folders, mailboxes and the heads of colleagues. The solution is a simple residence rule: every piece of evidence lives with the judgement it supports. A screenshot of the MFA settings hangs on the access control; the signed policy hangs on the governance requirement. Whoever sticks to that rule turns audit preparation from weeks of searching into a check of what is already there.

The Statement of Applicability as an export

The Statement of Applicability is the first document every auditor requests, and in many organisations it is an annual reconstruction after the fact. It can work the other way around: when you maintain the status, rationale and evidence per control, the statement is a printout of the current situation, including the version of the standard. The same applies to the other frameworks, from NIS2 to your clients' own requirements: one click, dated and ready to sign.

The chain asks more often than the regulator

Whoever thinks only of the regulator underestimates how often demonstrability is requested. Supplier assessments from major clients, tenders, insurers and certification tracks all ask the same question in a different guise: show that you are in control. Every request you answer within a day is a commercial head start, because the competitor who needs three weeks of searching raises exactly the doubt you remove.

And the board?

Finally, demonstrating also points inward. NIS2 places responsibility explicitly with the board, and a board can only carry responsibility for what it can see. A management report with the open risks, the progress per framework and the incident trend turns the quarterly security conversation into a conversation about facts. That closes the circle of the model: what you detect, assess and resolve, you can demonstrate, and what you demonstrate steers the next round.

Zien hoe dit in Kantyra werkt?

In een demo van 30 minuten lopen we het model door aan de hand van jouw situatie.

Plan een demo