Alain Rees · 07-07-2026 · 2 min read
Anyone responsible for information security soon ends up juggling separate lists: a risk register here, a compliance framework there, policies on the intranet and evidence scattered across folders and mailboxes. Each list is correct on its own, and yet the overview is missing. That is why Kantyra works with a single model that connects everything, in four phases: detect, assess, resolve and demonstrate.
Everything starts with what actually exists and happens. You map your assets and processes, you register your suppliers with their criticality, and you record incidents the moment they occur. This phase does not produce judgements; it produces the facts on which every judgement must rest.
With the facts on the table, you can weigh them. You assess risks on likelihood and impact, you determine per requirement whether you comply, and you record a rationale with every decision. The result of this phase is an honest picture: this is under control, here is a gap, and that gap has an owner.
Every gap deserves a solution you can maintain. That is a control with an effectiveness test, a policy with an approval workflow and a review cycle, or a project for what still needs to be built. For risks you consciously accept there is the exception: a formally approved deviation with an end date, so that acceptance never quietly becomes permanent.
The final phase makes the difference in every audit and every client enquiry. Because every judgement carries its rationale and every control carries its evidence, the Statement of Applicability is no longer an annual reconstruction but an export. Whoever asks for it receives it the same day.
Between the phases runs a quiet engine. Tasks and automatic monitoring keep the model current: review dates, test dates and expiry dates automatically alert the right person. The phases also feed back into each other: a serious incident forces a reassessment of the linked risk, and a delivered project becomes an active control with a single click, including all its links.
Information security thus stops being a project with an end date and becomes a rhythm that keeps running. In the articles per phase we explore each part in more depth.
In a 30-minute demo we walk through the model based on your situation.
Book a demo