# Roles, Responsibilities and Organisation

## Roles and Responsibilities

### ISMS Manager

The CTO shall ensure FundApps allocates the appropriate resources to ensure the ISMS' conformity with the ISO 27001 standard and shall report the performance of the ISMS to the Leadership Team. The ISMS Manager holds final approval authority for ISMS policies and is responsible for accepting High and Critical risks and approving exceptions to ISMS controls.

### ISMS Implementer

The Head of Information Security shall maintain the ISMS, assess its conformity with the ISO 27001 standard, define appropriate corrective actions and report its performance to the CTO. The ISMS Implementer holds approval authority for ISMS policies, accepts Low and Medium risks, and is the first point of contact for any requested exceptions to ISMS controls. The ISMS Implementer presents ISMS performance to the CTO and CFO at the regular ISMS Performance Review.

### ISMS Co-Implementers

The Security Team supports the ISMS Implementer in the day-to-day operation of the ISMS. The Security Team is authorised to accept Low and Medium risks, take ownership of incidents and corrective actions through to closure, and conduct risk reviews. Members of the Security Team may present ISMS performance at the ISMS Performance Review on behalf of the ISMS Implementer.

### ISMS Internal Auditor

The internal auditor, who can be a staff member or a consultant, shall perform an impartial internal audit against the requirements of the ISO 27001 standard, and follow up on the internal audit results to achieve continual improvement. The audit programme and findings are approved by the Head of Information Security or CTO.

### Leadership Team

The leadership team will ensure the performance of the ISMS aligns with FundApps' business objectives. Senior leadership are responsible for accepting High and Critical risks, and for approving exceptions to ISMS controls where required.

### FundApps staff

All FundApps staff members contribute to the ISMS and are expected to uphold FundApps' security policies and procedures. This includes following all information security policies, protecting information assets in line with FundApps' data classification and handling rules, using only approved systems and tools, completing assigned security training, reporting suspected security incidents without delay, and raising any policy exceptions through the Security Exception Management Policy.

## Organisation

The following diagram shows the reporting structure among the staff who have a role in the ISMS.

```mermaid
%%{init: {
    'theme': 'dark'
}}%%
graph TD
    SLTOther --> Other["Other FundApps Staff members"]
    CTO --> Other
    CTO --> InfoSec["Head of Information Security <br>(ISMS Implementer)"]
    CEO --> Audit["Internal Auditor"]

    subgraph LT["Leadership Team"]
        CEO["Chief Executive Officer"] --> SLTOther["Chief Financial Officer, <br> Chief Revenue Officer, etc."]
        CEO --> CTO["Chief Technology Officer <br> (ISMS Manager)"]
    end
```

## Competence

FundApps assesses the competencies of those who play a role in the ISMS based on the table below:

<table><thead><tr><th width="128">Role</th><th>Competencies</th><th>How competencies are assessed</th><th>Criteria to assess competencies</th><th>Action plan to address shortcomings</th><th>Desired level of competency</th></tr></thead><tbody>
<tr><td>ISMS Manager</td><td><p>Technical leadership experience.</p><p>Technical and architectural expertise.</p><p>Experience in an environment with high security requirements.</p></td><td>Competencies are assessed during the recruitment process and during the annual review.</td><td>Assess experience against the competencies listed in the Competencies column.</td><td>External Information Security training</td><td>&gt;1 year of experience leading a technology team.<br><br>Degree in Computer Science.<br><br>&gt;1 year of experience working in a company with high security requirements (e.g. a financial institution).</td></tr>
<tr><td>ISMS Implementer</td><td><p>Information Security leadership experience.</p><p>Information Security expertise.</p><p>Information Security certifications.</p></td><td>Competencies are assessed during the recruitment process and during the annual review.</td><td>Assess experience, expertise and certifications against the competencies listed in the Competencies column.</td><td>External Information Security training</td><td>&gt;1 year of experience leading an Information Security team.<br><br>Degree in Information Security Management Systems.<br><br>Information Security certification.</td></tr>
<tr><td>ISMS Co-Implementer</td><td><p>Information Security experience.</p><p>Information Security certification.</p></td><td>Competencies are assessed during the recruitment process and during the annual review.</td><td>Assess experience, expertise and certifications against the competencies listed in the Competencies column.</td><td>External Information Security training</td><td>&gt;1 year of experience in an Information Security team.<br><br>Information Security certification.</td></tr>
<tr><td>ISMS Internal Auditor</td><td><p>Auditor experience.</p><p>ISO 27001 expertise.</p></td><td>Competencies are assessed during the recruitment or purchasing process for the internal auditor and/or during the annual review.</td><td>Assess experience and expertise.</td><td>External Information Security training</td><td>&gt;1 year of experience as an auditor.<br><br>ISO 27001 Lead Auditor certification.</td></tr>
<tr><td><p>Leadership Team,</p><p>FundApps staff</p></td><td><p>Knowledge of FundApps' Information Security policies.</p><p>Knowledge of how to react to the most common security threats (e.g. reacting to phishing emails).</p></td><td>Competencies are assessed during the annual Information Security Test.</td><td>Assess compliance with the Information Security Test.</td><td>FundApps InfoSec training</td><td>Pass the annual Information Security Test.</td></tr>
</tbody></table>

If gaps are identified against the required competencies, FundApps will define a set of actions to remediate them. These actions may include training, mentoring, or hiring or contracting competent persons.
