Periodic activities

Periodic task	Who	When (each year)
Update all governing documents, QMS, ISMS, KBP, HMS, ES ¹	Responsible for Management Systems and KBP-owners	April + when changes
Update performing documents (procedures etc): QMS, ISMS, KBP, HMS, ES	Responsible for Management Systems and KBP-owners	April + when changes
Conduct training in: QMS, ISMS, KBP, HMS, ES	Responsible for Management Systems and KBP-owners	April + for new employees
Management's review of QMS, ISMS, KBP, HMS, ES	CEO + Responsible for Management Systems	At the end of April
Yearly Security Audit	CISO	January (to December)
Review of access to systems, in addition to ongoing access administration	All Product Owner and System Owners	April + regularly
Conduct or update risk assessments for Products and System, in addition to ongoing risk assessment	All Product Owner and System Owners	April + regularly
Conduct or update risk assessments for Key Business Processes ²	Key Business Processes Owners	April + regularly
Update Records of Processing Activities (Iconfirm) and Data Processor Agreement	All Product Owner and System Owners	April + when changes
Update Privacy statement (Personvernerklæring)	All Product Owner and System Owners	April + when changes
Update Subcontractors in Iconfirm, DPAs and Privacy Statements	All Product and System Owners	April + when changes

Update all technical system documentation	All Solution and System Owners	April + when changes
Update documentation on security in the development or configuration process	All Solution and System Owners	April + when changes

External technical Audit of external systems	CISO arranges	Juni, July, August each year
External Audit of ISMS	CISO arranges	Every 3 Years, starting from 2023 (2nd half)

¹ QMS=Quality Management System, ISMS=Information Security Management System, KBP=Key Business Processes, HMS=Health, work environment and Safety and ES=Environment & Sustainability

²Administration, Marketing and Sales, Support, Customer Success, Product development, Operation and Projects.