
ISMS is a part of the Quality Management system in Conexus

ISMS Policy

Conexus' CEO has the overall responsibility for all information security and privacy at Conexus and approves governing documents.

  • As Controller, Conexus processes personal information to manage the relationship with its employees (personnel management) and the relationship with its customers.

  • As Processor, Conexus processes personal information for its customers in the services Conexus offers (CX School, Insight, Engage, Stafettloggen and others).

“ISMS governing documents” covers information security for both personal information and non-personal business information.

 

Through the ISMS, Conexus shall comply with the Norwegian privacy act (Personopplysningsloven), including the GDPR, as well as ISO 27001 and other relevant laws on information security and privacy.

The security goals describe what Conexus wants to achieve, while the security strategy describes the actions that will be taken to achieve those goals.

Security goals and strategy apply to all Conexus employees and temporary staff. Where it is difficult to meet the goals and strategy, any deviation must be agreed with the CISO.

Continuous improvement is secured through risk assessments, deviation handling, periodic internal and external audits, and information and education of employees.

Policy, strategy, security goals and the full ISMS are revised and approved through the yearly management review of the ISMS.

Useful documents for Security organisation:

Chapters in the ISMS policy

  • ISMS - Goals and strategies

  • ISMS - Roles and responsibilities

  • ISMS - Periodic activities

  • ISMS - Information classification

  • ISMS - Records of processing activities

  • ISMS - Risk Assessments

  • ISMS - Audit and Self Assessment

  • ISMS - IT Guidelines

  • ISMS - Information Security and Privacy for Employees

  • ISMS - Privacy & GDPR

  • ISMS - Human resources security

  • ISMS - Training
