Periodic activities
- Stian Jonson
Periodic task | Who | When (each year) | Documentation |
|---|---|---|---|
Update all governing documents, QMS, ISMS, KBP, HSE, ES 1 | Responsible for Management Systems and KBP-owners | April + when changes | https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/100401184 |
Update performing documents (procedures etc): QMS, ISMS, KBP, HSE, ES | Responsible for Management Systems and KBP-owners
| April + when changes | https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/100401184 |
Conduct training in: QMS, ISMS, KBP, HSE, ES | Responsible for Management Systems and KBP-owners | April + for new employees | https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/100401184 |
Management's review of QMS, ISMS, KBP, HSE, ES | CEO + Responsible for Management Systems | At the end of April | https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/100401184 |
Yearly Security Audit | CISO | January (to December) |
|
Review of access to systems, in addition to ongoing access administration | All Product Owner and System Owners | April + regularly | https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788 |
Conduct or update risk assessments for Products and System, in addition to ongoing risk assessment | All Product Owner and System Owners | April + regularly | https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788 ISMS Risk assessments are documented here: https://cxschool.atlassian.net/wiki/spaces/PERF/pages/72548353 |
Conduct or update risk assessments for Key Business Processes | Key Business Processes Owners | April + regularly | https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100827159 |
Conduct or update risk assessments for Conexus overall | Management team | Before Board meetings |
|
Update Records of Processing Activities (Iconfirm) and Data Processor Agreement | All Product Owner and System Owners | April + when changes | https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788 |
Update Privacy statement (Personvernerklæring) | All Product Owner and System Owners | April + when changes | https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788 |
Update Subcontractors in Iconfirm, DPAs and Privacy Statements | All Product and System Owners | April + when changes | https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788 |
Update all technical system documentation | All Solution and System Owners | April + when changes | https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788 |
Update documentation on security in the development or configuration process | All Solution and System Owners | April + when changes | https://cxschool.atlassian.net/wiki/spaces/ContrOpen/pages/100171788 |
ISMS - Self assessments - Products and Systems |
|
| |
|
|
|
|
ISMS - Management review of status | CISO arranges | Juni-August/September - before September Boardmeeting | https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/267124757 |
QMS - Self assessment | CISO arranges | Juni-August/September - before September Boardmeeting |
|
Management review | CISO arranges | August/September - before Board meeting regarding QMS Management review summary | https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/78610437 |
External technical Audit of external systems | CISO arranges | June-August each year | https://cxschool.atlassian.net/wiki/spaces/CONTR/pages/78249990 |
External Audit of ISMS | CISO arranges | Every 3 Years, starting from 2024 November | Records / Self assessment - documentation of implemented measures |
HSE rounds (Vernerunder) | Health, Safety and Environment (HMS) responsible arranges | January each year + when changes |
1 QMS=Quality Management System, ISMS=Information Security Management System, KBP=Key Business Processes, HMS=Health, work environment and Safety and ES=Environment & Sustainability