Our certifications

We are committed to ensuring that our deliverables add value to our customers' operations, that we meet the requirements placed on us, and that our services and products are secure and of high quality. We achieve this by maintaining a good working environment and, within the scope of our influence, caring for the natural environment.

As proof of our systematic approach and our commitment to ourselves and our stakeholders, we have chosen to certify our management system, that is, the way we work day to day within the operations, against three internationally established standards for quality (ISO 9001:2015), environment (ISO 14001:2015), and information security (ISO/IEC 27001:2022).

The benefits of standards-based certification

We have chosen to certify our management system, partly to ensure recurring reviews by an external party, but most importantly so that our customers can be confident that what we communicate and state is actually evaluated by both us and representatives of the certification body.

The advantage for us internally is that we must continuously conduct our self-inspection activities and internal audits. In this way, we ensure that our security, quality, environmental, and occupational health and safety work remains relevant and effective.

By building on internationally recognized standards, it becomes easier for our customers to understand how we conduct our systematic improvement work and what frameworks we are audited against.

ISO 9001 – Quality

Our way of working meets the requirements of ISO 9001. This means that we systematically work to ensure and improve the quality of our products and services, and that we actively work to understand and meet customer needs.

Our method for achieving this systematization is based on a thorough mapping of our own operations, understanding of customers' and the market's expectations, documented processes and working methods, and systematic procedures for identifying, assessing, and managing our risks and opportunities.

When we identify opportunities for improvement or deficiencies, we clarify what went wrong and develop measures to address both the shortfall and the root cause.

ISO 14001 – Environment

Our efforts to reduce our environmental impact meet the requirements of ISO 14001. Within the scope of our operations and our aspiration to meet the market's and customers' expectations, we want to ensure that our environmental impact is as low as possible and that we do what we can to account for the effects of future climate change.

By identifying our environmental impact and other sustainability aspects, we clarify what we can and should work on. In this way, we ensure that our products and services are delivered within a targeted improvement effort based on our established environmental goals.

ISO 27001 – Information security

We are, and have always been, very aware of the great trust our customers place in us, both in our expertise and in our responsibility for how we may and should handle their information. By certifying our information security work against the requirements of ISO 27001, our customers can be confident that what we state is also followed up through independent audits.

We have conducted a thorough inventory of our information management, the systems and services we use, and the suppliers we depend on. Subsequently, we have been able to apply a systematic risk management process and through this have selected security measures to ensure information security for both us and our customers.

By subjecting our information security work to an external audit every year, our decisions are challenged and it is verified that what we set out in our Statement of Applicability actually matches reality.

ISO 45001 – Occupational health and safety

Although we have not certified our management system against ISO 45001, we use the standard as the basis for a systematic approach to occupational health and safety.

Starting from our processes and the activities and work tasks performed within the operations, we have identified hazards in the work environment and applied our process for identifying, assessing, and managing risks to them.

Furthermore, we keep ourselves updated on work environment legislation and identify which parts of it affect our type of operations and how we can advise our customers.

Security and data protection

Security and information security

Physical access

Servers are kept locked in server halls at our operations provider and access is controlled by physical keys and codes which are limited to authorized personnel with operations and maintenance responsibilities.

System access/logical access

Access to our systems is regulated through access control and through login credentials that include multifactor authentication. In systems where our customers are responsible for user management, the customer is responsible for the access rights of Administrators and Users.

Access control

We do not have access to customer data beyond what is required for operations, maintenance, and possible support for the products and services we provide. Administrator rights are kept limited to individuals who have work tasks that require these rights.

Encryption of data at rest

Our managed services run on a cloud operations service where the service must be continuously available, and stored data is therefore not encrypted at rest. Backups stored outside the operations provider's services are kept on fully disk-encrypted storage media.

Encryption of communication

We ensure that communication to and from our services is encrypted. Otherwise, we strive to ensure that both we and our customers communicate through encrypted channels.

Secure authentication

We ensure that personnel with access to our services and operations environment are authenticated and controlled. Our customers are responsible for authenticating and identifying Administrators and Users.

Storage media management

Destruction of storage media is handled by our operations provider. For storage media we are responsible for, mechanical destruction is applied.

Data separation

Each customer receives their own instance, so customer data is logically separated in a virtualized operations environment.

Logging

Logging of activities in our services is handled by us at the application level and for requests to the customer-specific instance. Logging at the infrastructure level is handled by the operations provider and by us through our logging tools.

Vulnerability management

We are responsible for identifying and remedying technical vulnerabilities at the application level, both through third-party tools and through our own scanning. As support for this work and to ensure visibility for our customers, we have published an SBOM which clarifies our third-party dependencies. The operations provider is responsible for identifying and remedying technical vulnerabilities at the infrastructure level.

Redundancy

We are responsible for allocating required capacity to the service and have continuous logging of consumed capacity in relation to available capacity. Redundancy at the infrastructure level is ensured by the operations provider.

Backups

We take daily full backups using two independent tools to ensure we can restore operations in the event of a major incident or disruption. For our services, we also refer to the operations provider's continuity and capacity planning regarding ongoing operations of contracted services.

Data protection

Transfer of personal data

Personal data is not transferred to external parties unless explicitly agreed with the customer. Personal data is not transferred to third countries.

Deletion of personal data

Because the service's personal data handling typically extends to handling information about Administrators and Users, this is something that is maintained through normal system administration. The system is not designed to handle special categories of personal data. No automatic deletion occurs.

Cookies and tracking

The service uses a few necessary cookies that are used to track the session and status of table views (number of items per page, for example) and menu status. The service contains no third-party cookies and information is not sent to third parties about how the system is used. This is also the reason no consent for cookie use is collected.

System requirements for self hosting

Here you will find general system requirements for using Managementsystem.se in your own operations environment.

Managementsystem.se is designed to run on a simple and robust platform, regardless of whether Ledningssystemet Sverige AB is responsible for operations through its operations provider, the customer wants to manage operations in their own server environment or with an IT partner, or if the customer wants to place operations with a cloud service provider such as Microsoft Azure, Amazon Web Services, or Google.

Technical requirements for server and dependencies

Ubuntu, latest LTS release, hardened (we recommend 2 vCPU, 8 GB RAM, and 128-512 GB disk)

MariaDB (latest stable version)

Docker Engine and Docker Compose (latest stable version)

NGINX and a TLS (SSL) certificate for the chosen domain name
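The requirements above stop at "NGINX and a certificate". The script below is an added example written for this page, not the vendor's installer or documentation: it renders a hardened NGINX site that terminates TLS for the chosen domain and proxies to the application container, validates the configuration, and only then reloads NGINX. Everything it assumes is hypothetical and not taken from the page: that the container listens on 127.0.0.1:8080, that the certificate and key already exist (for example issued by certbot under /etc/letsencrypt/live/<domain>/), and the standard Ubuntu sites-available/sites-enabled layout.

```shell
#!/bin/sh
# Added example (not the vendor's installer): render and install a hardened NGINX
# TLS site for a self-hosted Managementsystem.se instance.
# Assumptions (hypothetical, not from the page): the application container listens
# on 127.0.0.1:8080; certificate and key already exist for the domain.
set -eu

# render_nginx_site DOMAIN CERT KEY UPSTREAM: print the site configuration to stdout.
render_nginx_site() {
  domain="$1"; cert="$2"; key="$3"; upstream="$4"
  cat <<EOF
# Plain HTTP only redirects to HTTPS; nothing is served on port 80.
server {
    listen 80;
    listen [::]:80;
    server_name ${domain};
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${domain};

    ssl_certificate     ${cert};
    ssl_certificate_key ${key};
    # TLS 1.2/1.3 only; let modern clients choose their preferred AEAD suite.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Browser hardening headers. HSTS is safe here because port 80 only redirects.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    client_max_body_size 50m;

    location / {
        proxy_pass http://${upstream};
        # A Laravel app behind a proxy needs these (via its TrustProxies middleware)
        # to build https:// URLs and to log the real client address.
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# install_nginx_site DOMAIN CERT KEY UPSTREAM [SITES_DIR] [ENABLED_DIR]:
# write the site file, enable it, validate the whole NGINX configuration and
# reload only if validation passes (a broken file never takes the site down).
install_nginx_site() {
  sites_dir="${5:-/etc/nginx/sites-available}"
  enabled_dir="${6:-/etc/nginx/sites-enabled}"
  target="${sites_dir}/$1.conf"
  render_nginx_site "$1" "$2" "$3" "$4" > "$target"
  ln -sf "$target" "${enabled_dir}/$1.conf"
  nginx -t && systemctl reload nginx
}

# Run as: sudo sh nginx-site.sh --apply example.test [127.0.0.1:8080]
if [ "${1:-}" = "--apply" ]; then
  d="$2"
  install_nginx_site "$d" "/etc/letsencrypt/live/$d/fullchain.pem" \
    "/etc/letsencrypt/live/$d/privkey.pem" "${3:-127.0.0.1:8080}"
fi
```

The upstream address and certificate paths are the two things to adapt; everything else is independent of the application. Because `nginx -t` runs before `systemctl reload`, a typo in the rendered file is reported instead of being loaded.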

If you need support with installation and setup

For the actual installation of the application, we are happy to help but will need to access the server via SSH. Otherwise, we will send installation instructions to the person at your organization who will set up the instance.

Other questions

Below are questions that come up relatively frequently and that our existing and prospective customers need answered when evaluating us as a supplier.

Is Management System Sweden AB certified against any standard?

Yes, we are certified against ISO 9001:2015, ISO 14001:2015, and ISO/IEC 27001:2022. More information can be found here.

Management system Sweden AB has few employees. How do you view the key person dependency that arises?

That's true. Therefore, we ensure that we do not lock our customers into using the service through long contract periods, that it is easy to export all data, and that we promise to make our product available as open and free source code the day we can no longer maintain the service in an acceptable manner. We have also chosen to build the software on a very standardized platform (Laravel) that is easy to further develop.

Can we get a copy of your information security policy?

Yes, our only policy is our Business Policy and it is available here.

How do you ensure that third-party software does not contain security vulnerabilities?

We manage our source code on GitHub and use its Dependabot functionality. Furthermore, critical third-party libraries are updated automatically when we release a new version of Management System (which we do often, sometimes daily). Our operations environments are scanned daily to identify vulnerabilities; we currently use OpenVAS by Greenbone.

How do you work with secure software development?

We do not apply a formalized framework for secure software development (e.g., Microsoft SDL or similar). We rely heavily on expertise during development, but also build our architecture so that any potential vulnerabilities do not pose unnecessary risks. Software developers receive training in secure software development.

Can multifactor authentication be enabled in the software?

No. We recommend that all our customers integrate the software with their own identity provider (e.g., Microsoft Entra), so that multifactor authentication is enforced there, and that they do not use password authentication.

How often do you take backups of our data?

In cases where we manage operations, we use the provider Oderland and a parallel structure for backups. We take full backups of our operations environment every day and take database backups every hour.

Is the data encrypted?

In transit, data is encrypted between the user and the web server. Stored data in the production environment is not encrypted at rest (except for authentication credentials). If you have requirements for encryption of stored data, we recommend that you set up your own operations environment. Backups we take outside the operations provider's services are stored on fully disk-encrypted storage media.
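Both the "Encryption of data at rest" section above and this answer point self-hosters who need encryption at rest to their own environment. The script below is an added example written for this page, not the vendor's software or documentation: it enables MariaDB's built-in data-at-rest encryption with the bundled file_key_management plugin, which is the simplest option for the MariaDB listed in the system requirements. Its assumptions are not from the page: MariaDB 10.4 or later from the Ubuntu packages (an OpenSSL build, needed for AES_CTR), the configuration directory /etc/mysql/mariadb.conf.d, and a key directory /etc/mysql/encryption.

```shell
#!/bin/sh
# Added example (not the vendor's tooling): enable MariaDB data-at-rest encryption
# for a self-hosted Managementsystem.se database with the file_key_management plugin.
# Assumptions (hypothetical, not from the page): MariaDB >= 10.4 from Ubuntu packages,
# config dir /etc/mysql/mariadb.conf.d, key dir /etc/mysql/encryption.
set -eu

# generate_keyfile PATH: write one 256-bit key with id 1 in the plugin's "id;hex"
# format. Created with mode 0600 so only its owner (chown it to mysql) can read it.
generate_keyfile() {
  keyfile="$1"
  hex="$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')"
  ( umask 077; printf '1;%s\n' "$hex" > "$keyfile" )
}

# render_encryption_cnf KEYFILE: print the configuration fragment to stdout.
render_encryption_cnf() {
  cat <<EOF
[mariadb]
plugin_load_add = file_key_management
file_key_management_filename = $1
# AES_CTR needs an OpenSSL build of MariaDB (Ubuntu packages); otherwise use AES_CBC.
file_key_management_encryption_algorithm = AES_CTR

# FORCE: every InnoDB table is encrypted and ENCRYPTED=NO tables are refused.
innodb_encrypt_tables = FORCE
innodb_encrypt_log = ON
innodb_encrypt_temporary_tables = ON
# Background threads encrypt tablespaces that already exist; 0 would leave them plaintext.
innodb_encryption_threads = 4

# Temp files, on-disk temp tables and the binary log would otherwise still
# leak plaintext rows even with table encryption on.
encrypt_tmp_disk_tables = ON
encrypt_tmp_files = ON
encrypt_binlog = ON
aria_encrypt_tables = ON
EOF
}

# verify_sql: print the query that shows, per tablespace, whether it is encrypted
# (ENCRYPTION_SCHEME 1) and whether background encryption has finished
# (MIN_KEY_VERSION becomes non-zero once the whole tablespace is rewritten).
verify_sql() {
  printf '%s\n' "SELECT NAME, ENCRYPTION_SCHEME, MIN_KEY_VERSION, CURRENT_KEY_VERSION FROM information_schema.INNODB_TABLESPACES_ENCRYPTION;"
}

# Run as: sudo sh mariadb-encrypt.sh --apply
if [ "${1:-}" = "--apply" ]; then
  keydir=/etc/mysql/encryption
  mkdir -p "$keydir"
  generate_keyfile "$keydir/keyfile"
  chown mysql:mysql "$keydir/keyfile"
  render_encryption_cnf "$keydir/keyfile" > /etc/mysql/mariadb.conf.d/60-encryption.cnf
  systemctl restart mariadb
  mariadb -e "$(verify_sql)"
fi
```

Two caveats a practitioner should weigh before treating this as "encrypted at rest". The key file lives on the same host as the data, so this protects against a lost disk or a copied data directory, not against an attacker or administrator with access to the running server; if that matters, MariaDB's key-management plugins for an external KMS are the next step. And a logical dump made with mariadb-dump is plaintext regardless of these settings, so dump-based backups need their own encryption, which is consistent with the page's practice of keeping backups on disk-encrypted media.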

We have higher security requirements than what you currently offer in your operations environment. How do we handle that?

We only offer one level of operations at the moment, but the system is built to be able to run in other environments. We have customers who use, for example, AWS or run the system in their own data centers. This works perfectly fine, as the system does not need to be accessible by any of our support systems or by us (unless a major problem arises, and in those cases we work together to solve them).

Do you do any monitoring and data collection from the installations?

Yes, all installations normally communicate with our monitoring platform where we receive information about errors that occur in the installations, if hard disk space is running out, login problems, and similar operations-related information. We are happy to show what we collect, and furthermore, you can configure in your customer environment whether and what is communicated to our monitoring platform. When you connect a customer installation with a coordination portal, information is exchanged between these.

Does the system use any tracking cookies or similar?

No. The system uses a few necessary cookies that are used to track the session and status of table views (number of items per page, for example) and menu status. The system contains no third-party cookies and information is not sent to third parties about how the system is used. This is also the reason no consent for cookie use is collected.

How is it ensured that our data cannot be accessed by another customer?

Each customer has a completely separate installation of the software and also its own database instance. We do this for several reasons: partly to limit the consequences of a security problem to one customer, and partly to enable a completely distributed platform where it does not matter where the instances are installed. When we provide operations through our provider Oderland, each customer has their own container so as to reduce the risk of so-called lateral movement between customer environments.

Can Management System Sweden AB employees access our data?

If you manage the operations of the system yourself, employees at Management System Sweden do not have access unless you configure this. If Management System Sweden AB manages operations, employees have technical access to the database since it is administered by the company.

What do we do if we want to leave Managementsystem.se?

We do not like lock-in effects, so it should be easy to stop using us if Managementsystem.se does not help your operations or is unsuitable for other reasons. If you want to leave Managementsystem.se, certain exports to Excel can be done directly from the user interface. All data (except encrypted passwords) can be retrieved via the API. If you want your data as a SQL export, feel free to contact us and we will help you with that (at no cost, of course).

What availability level ("SLA") do you guarantee?

We do not guarantee any availability level at all and consider the system to be a non-critical system from an availability perspective. However, it is regulated in the contract that you have the ability to terminate the agreement with us (which you have anyway) if the system is not available.

Does the system comply with the accessibility directive?

We strive to make the system accessible and there is, for example, some support for screen readers. We currently do not fully comply with all accessibility requirements in WCAG 2.2 (e.g., regarding contrast), but have determined that the system is not of such a nature that it is covered by the directive.

Does the system contain functionality for deleting personal data?

No, because the system's personal data handling typically extends to handling information about the system's users, this is something that is maintained through normal system administration. The system is not designed to handle special categories of personal data. No automatic deletion occurs, but it is possible to implement if there is a request for it.