Information Management Schedule

The Information Management Schedule defines how often activities defined in the Core 12 Security Policy should be performed. The items for each category that need to be managed are defined in the Core 12 - Information Management Log. All activities are documented and reviewed by the security team.

Additional reference material for completing ISMS reviews can be found in the ISMS Reference.

Clients

Schedule: Quarterly, New Client, New Project

Requirements: Client Review - required per schedule

  • Risk Assessment - required

  • Data Protection Assessment - required if there are active digital projects

Client Digital Project Review - required per schedule for all active digital projects

  • Risk Assessment - required

  • Website / Web Application Review - required for web projects

  • Access Control Review - required

  • BCP DR Plan - required

Templates: Core 12 IM - Client Review

Core 12 IM - Client Digital Project Review

IT Services

Schedule: Quarterly, New IT Service

Requirements: IT Service Review - required per schedule

  • Risk Assessment - required

  • Service Agreements - required

  • Access Control Review - required

  • Data Protection Assessment - required for IT Services that contain PII

  • BCP DR Plan - required for critical IT Services, otherwise in Core 12 BCP DR Plan.

Templates: Core 12 IM - IT Service Review

Managed Devices

Schedule: Quarterly, New Device, Inactive Device

Requirements: Managed Devices (All) Review - required per schedule

  • Risk Assessment - required

  • Access Control Review - required

  • Data Protection Assessment - required

  • BCP DR Plan - required

Managed Device Review - required per schedule

  • Device Information - required

  • Threat Protection - required

  • Access Control Review - required

Managed Device Inactive - required if not assigned to an employee

  • Office Infrastructure - required for all workstations and physical storage

  • Cloud Infrastructure - required for all cloud devices and attached cloud storage

Templates: Core 12 IM - Managed Devices (All) Review

Core 12 IM - Managed Device Review

3rd Party Vendors

Schedule: Quarterly, New Vendor

Requirements: 3rd Party Vendor Review - required per schedule

  • Risk Assessment - required

  • Service Agreements - required

  • Data Protection Assessment - required if they access PII

Templates: Core 12 IM - 3rd Party Vendor Review

BCP Tabletop Exercises

Schedule: Annually

Requirements: BCP Tabletop Exercise Completed for all systems with a BCP DR Plan

Templates: Core 12 IM - BCP Tabletop Exercise

IT Disposal

Schedule: As Needed

Requirements: IT Disposal Log completed

Templates: Core 12 IM - IT Disposal

Security Reviews

Schedule: Weekly IT Touchbase

Quarterly IT Review

Quarterly Facility Access

Annual Cyber Security Training

Annual Workplace Safety Training

Quarterly Phishing Campaign

Requirements: IT Touchbase - Complete meeting minutes

IT Review - Complete meeting minutes and Employee Policy Review Form as needed.

Facility Access - Review Facility Access Log and note changes.

Cyber Security Training - Complete IT Security Training Review and log certifications

Workplace Safety Training - Complete IT Security Training Review

Phishing Campaign - Complete IT Security Training Review

Templates: Core 12 IM - IT Touchbase

Core 12 IM - IT Review

Core 12 IM - Facility Access

Core 12 IM - IT Security Training

Security Incidents

Schedule: As Reported

Requirements: Complete the Security Incident Form for any reported security incidents.

(Use the Core 12 Security Incident Checklist to ensure a complete investigation.)

Templates: Core 12 IM - Security Incident Form