# Performance Evaluation

<table>
<thead>
<tr><th width="128">What will be monitored &#x26; measured</th><th>Methods for monitoring &#x26; measurement</th><th>Metrics used to measure</th><th align="center">Target</th><th>When will it be done</th><th>Who shall monitor &#x26; measure</th></tr>
</thead>
<tbody>
<tr><td>Consolidation to a unified control set for the merged entity</td><td>Gap assessment, audit readiness</td><td># of components of ISMS not aligned with the merged entity</td><td align="center">0</td><td>Ad-hoc</td><td>Security Team</td></tr>
<tr><td>Protection of sensitive data managed by FundApps' Information Systems</td><td>Risk assessments and reviews</td><td># of risks above the risk tolerance level</td><td align="center">0</td><td>Annually</td><td>Security Team</td></tr>
<tr><td>Security of FundApps' platform</td><td>Bug bounty program, penetration test</td><td># and severity of findings in penetration test and bug bounty program</td><td align="center">0 Critical and High vulnerabilities</td><td>Annually</td><td>Security Team</td></tr>
<tr><td>Protection of information systems against external security threats and vulnerabilities</td><td>Incident register</td><td># of C1 or C2 security incidents in the last 12 months</td><td align="center">0</td><td>Annually and after an incident has occurred</td><td>Security Team</td></tr>
<tr><td>Compliance with security standards</td><td>ISO certification audit</td><td>ISO 27001 certification maintained</td><td align="center">Yes</td><td>Security Team</td><td>Security Team</td></tr>
<tr><td>Compliance with security standards</td><td>ISO certification audit</td><td>ISO 42001 certification achieved</td><td align="center">Yes</td><td>Security Team</td><td>Security Team</td></tr>
<tr><td>Compliance with security standards</td><td>SOC 2 Type II Report</td><td>SOC 2 Type II Report maintained in the last 12 months</td><td align="center">Yes</td><td>Annually</td><td>Security Team</td></tr>
<tr><td>Audit findings</td><td>Internal or external audit</td><td># and severity of findings identified during the last internal audit</td><td align="center">0 major non-conformities</td><td>Following internal or external audit</td><td>Security Team</td></tr>
<tr><td>A culture of security awareness within FundApps</td><td>Incident register</td><td># of C1, C2, C3 or Internal security incidents resulting from lack of security awareness (e.g. phishing) in the last 12 months</td><td align="center">0 C1<br>0 C2<br>0 C3<br>&#x3C;10 internals</td><td>Annually and after an incident has occurred</td><td>Security Team</td></tr>
<tr><td>Information Systems misused, damaged or abused</td><td>Incident register</td><td># of C1, C2 or C3 security incidents in the last 12 months linked to a third-party supplier</td><td align="center">0</td><td>Annually and after an incident has occurred</td><td>Security Team</td></tr>
<tr><td>Information Systems misused, damaged or abused</td><td>Incident register</td><td># of C1, C2 or C3 security incidents in the last 12 months linked to a lack of web protection or resilience</td><td align="center">0</td><td>Annually and after an incident has occurred</td><td>Security Team</td></tr>
</tbody>
</table>

### Analysis of performance

Based on these indicators, FundApps will assess whether its ISMS is performing effectively and whether the root causes of any underperformance are being identified and managed appropriately.

## Management Review

At least once per calendar year, a review of the ISMS will be conducted to ensure its continuing suitability, adequacy and effectiveness.

### Attendees

The annual management review meeting will have the following attendees:

* the ISMS Implementer,
* the ISMS Manager, and
* at least one member from the Leadership Team, which can be the ISMS Manager.

### Agenda

The agenda will include the following topics:

1. Status of actions from previous management reviews
2. Relevant changes in external and internal issues
3. Performance of the ISMS
   1. Audit results, non-conformities and corrective actions
   2. Monitoring and measurement results
   3. Information Security Objectives
4. Feedback from interested parties
5. Results of risk assessment and status of the risk treatment plan
6. Opportunities for continual improvement
