Periodic activities

Periodic task	Who	When (each year)	Documentation

Periodic task	Who	When (each year)	Documentation
Update all governing documents, QMS, ISMS, KBP, HSE, ES ¹	Responsible for Management Systems and KBP-owners	April + when changes	https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/100401184 Responsible for Management systems
Update performing documents (procedures etc): QMS, ISMS, KBP, HSE, ES	Responsible for Management Systems and KBP-owners	April + when changes	https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/100401184 Responsible for Management systems
Conduct training in: QMS, ISMS, KBP, HSE, ES	Responsible for Management Systems and KBP-owners	April + for new employees	https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/100401184 Responsible for Management systems
Management's review of QMS, ISMS, KBP, HSE, ES	CEO + Responsible for Management Systems	At the end of April	https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/100401184 Responsible for Management systems
Yearly Security Audit	CISO	January (to December)
Review of access to systems, in addition to ongoing access administration	All Product Owner and System Owners	April + regularly	https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788
Conduct or update risk assessments for Products and System, in addition to ongoing risk assessment	All Product Owner and System Owners	April + regularly	https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788 ISMS Risk assessments are documented here: https://cxschool.atlassian.net/wiki/spaces/PERF/pages/72548353
Conduct or update risk assessments for Key Business Processes	Key Business Processes Owners	April + regularly	https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100827159
Conduct or update risk assessments for Conexus overall	Management team	Before Board meetings
Update Records of Processing Activities (Iconfirm) and Data Processor Agreement	All Product Owner and System Owners	April + when changes	https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788
Update Privacy statement (Personvernerklæring)	All Product Owner and System Owners	April + when changes	https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788
Update Subcontractors in Iconfirm, DPAs and Privacy Statements	All Product and System Owners	April + when changes	https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788
Update all technical system documentation	All Solution and System Owners	April + when changes	https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788
Update documentation on security in the development or configuration process	All Solution and System Owners	April + when changes	https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788
ISMS - Self assessments - Products and Systems			https://cxschool.atlassian.net/wiki/x/DID4BQ

ISMS - Management review of status	CISO arranges	Juni-August/September - before September Boardmeeting	https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/267124757
QMS - Self assessment	CISO arranges	Juni-August/September - before September Boardmeeting
Management review	CISO arranges	August/September - before Board meeting regarding QMS Management review summary	https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/78610437
External technical Audit of external systems	CISO arranges	June-August each year	https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/78249990
External Audit of ISMS	CISO arranges	Every 3 Years, starting from 2024 November	Records / Self assessment - documentation of implemented measures
HSE rounds (Vernerunder)	Health, Safety and Environment (HMS) responsible arranges	January each year + when changes	https://cxschool.atlassian.net/wiki/x/AYBTJw

¹ QMS=Quality Management System, ISMS=Information Security Management System, KBP=Key Business Processes, HMS=Health, work environment and Safety and ES=Environment & Sustainability