LogoLogo
Current Version
Current Versionv2018-04v2019-09v2019-11v2020-03v2020-05v2020-08v2021-01v2021-07v2021-10
Current Version
Current Versionv2018-04v2019-09v2019-11v2020-03v2020-05v2020-08v2021-01v2021-07v2021-10
  • Welcome to FundApps' Policy Portal
  • FundApps Policies
    • Technical & Platform Overview
    • Software Development
    • Risk Management
      • Risk Management Framework
      • Information Asset Register
      • Information Systems Register
      • Data Classification and Protection Standard
    • Information Security Management System
      • Information Security Management Policy
      • Scope
      • Statement of Applicability
      • Objective Plan
      • Roles, Responsibilities and Organisation
      • Performance Evaluation
      • Internal Audit Policy
      • Internal Audit Plan for a 3 year cycle
      • Continual Improvement Process
      • Internal and External Communication Plan
      • Document Control Policy
    • Information Security Policies
      • Client Services Access to Client Environments
      • Employee Guide
      • Security Awareness Program
      • Social Media
      • Access Control
      • Physical Security
      • Network Security
      • Logging, Monitoring and Alerting
      • Incident Response
      • Data Backups
      • Privacy Policy
      • Vulnerability Management Policy
      • Security Exception Management Policy
      • Information Security Risk Register
      • Data Retention Policy
      • Patch Management Policy
      • Cryptographic Policy
      • Information Security in Project Management
      • Information Transfer Policy
      • Third Party Risk Management
    • Business Continuity
      • Business Continuity Management System
      • Business Continuity Policy
      • Business Continuity Risk Register
      • Technical Resilience
      • Business Continuity Documents
    • Personnel & Safety
      • Overview
      • Code of Conduct
      • Health and Safety
      • Third party vendors
      • The FundApps Code for Third Parties
  • Legal Information
    • 📖General Terms
      • Fair Usage Policy
      • Third Party Data Provider Terms
    • DORA
      • Operational Resilience Statement
      • Statement on Contractual Compliance
      • Subcontractors and Service Location
      • Threat-Led Penetration Tests (TLPT) Policy
    • Insurance
    • 🌍Carbon Neutral
  • Policy Change Log
    • March 2025
    • January 2025
    • December 2024
    • November 2024
    • October 2024
    • August 2024
    • July 2024
    • June 2024
    • April 2024
    • February 2024
    • January 2024
    • November 2023
    • October 2023
    • September 2023
    • August 2023
    • June 2023
    • February 2023
    • December 2022
    • October 2022
    • September 2022
    • June 2022
    • March 2022
    • February 2022
    • January 2022
    • December 2021
    • November 2021
    • October 2021
    • August 2021
    • July 2021
    • January 2021
    • August 2020
    • May 2020
    • March 2020
    • November 2019
    • September 2019
Powered by GitBook
On this page
  • Objective
  • Scope
  • Frequency and Coverage
  • Internal Auditor
  • Internal Audit Process
  • Audit Planning
  • Audit Preparation
  • Conduct Audit
  • Audit Reporting
  • Audit Remediation
  • Appendix
  • Internal Audit Template

Was this helpful?

Export as PDF
  1. FundApps Policies
  2. Information Security Management System

Internal Audit Policy

Objective

This policy defines the internal audit process of FundApps' Information Security Management System (ISMS).

Scope

The scope of the internal audit is FundApps' Information Security Management System (ISMS), which is described in ISMS Scope.

Frequency and Coverage

Internal audits shall be performed against FundApps' ISMS at planned intervals at least once per year.

Over a three year period there will be three internal audits:

  • one audit will cover the entire scope of the ISMS

  • two audits will cover at least one third of the ISMS.

Internal Auditor

The internal auditor shall be appointed by the ISMS Manager. The auditor and may be a member of FundApps or an external trusted third party auditor. Auditor selection shall be done to ensure objectivity and the impartiality of the audit process.

Internal Audit Process

Audit Planning

Audits shall be planned in advance and the ISMS Manager shall be notified no less than 5 business days ahead of time.

The internal auditor shall prepare the audit plan which shall define the scope of the ISMS, including the scope of the controls, which shall be audited.

Amongst others, the audit plan must take as an input the following items:

  • Security related incidents that have occurred since last audit;

  • Changes made to the Information Security Policy;

  • Changes made to Information Security controls;

  • Improvements made to the ISMS.

The resulting audit plan must be validated by the ISMS Manager.

Upon validation the ISMS auditor must communicate the plan to the interested parties.

Audit Preparation

The internal auditor shall collect and study the previous audit findings and outstanding issues. They shall also prepare relevant documents required for the audit (e.g. ISMS Audit checklist).

Conduct Audit

During the audit, the internal auditor shall find relevant evidence to ascertain that:

  • The information security policy reflects the current business requirements;

  • An appropriate risk assessment methodology is being used;

  • Documented procedures (within the scope of the ISMS) are being followed and are meeting their objectives;

  • Controls are in place and working as intended;

  • Residual risks have been assessed correctly and are within FundApps' risk appetite and risk tolerance levels;

  • The agreed actions from the previous audits have been implemented;

  • The ISMS is compliant with ISO 27001.

Audit Reporting

The internal auditor shall prepare an audit report based on the audit findings. Findings shall be labelled according to their severity and priority level:

  • Major Non-Conformity - This pertains to a major deficiency in the ISMS and exists if one or more elements of the ISO/IEC 27001: 2022 Information Security standard is not implemented and this finding shall have a direct effect on information security, specifically on the preservation of confidentiality, integrity and availability of information assets.

  • Minor Non-Conformity - A minor deficiency. One or more elements of the ISMS is/are only partially complied with. Minor non-conformities have an indirect effect on information security.

  • Observations/Potential Improvements – An audit recommendation for improvement for consideration by FundApps.

The internal auditor shall send the audit report to the ISMS Manager and the ISMS Implementer.

Audit Remediation

According to the audit findings and the non-conformity levels, an action plan and potential follow-up audit shall be defined by the ISMS Implementer and validated by the ISMS Manager. The scope of a follow-up audit is limited to the non conformity and the same mechanisms that produced the finding are used.

Appendix

Internal Audit Template

Finding No.
Major Non-Conformity | Minor Non-Conformity | Observations/Potential Improvements
Description
ISO 27001 Clause No.
Remediation Action
Remediation Deadline
Status
Evidence of remediation

PreviousPerformance EvaluationNextInternal Audit Plan for a 3 year cycle

Last updated 1 year ago

Was this helpful?