| 1) Consolidate to a unified control set and audit cycle for the merged entity. | Align governance, policies, and assurance activities across the merged group, and reduce duplication in ways of working. | Security team | Security team time | - Gap assessment completed by 30 Jun 2026, and leadership-approved roadmap in place.
- End-of-year evidence of consolidated governance and a defined joint audit plan for 2027.
- Residual risk statement for client data leakage harmonised across FundApps and Surveillance, with one documented risk acceptance process.
| End of December 2026 |
| 2) Ensure the protection of sensitive data managed by FundApps’ information systems | Run structured risk reviews across in-scope teams and ensure prioritised mitigations are planned and delivered. | Security team | Security team time | - Threat modelling completed for all in-scope teams by 1 Oct 2026.
- Risk registers maintained with owners and target dates.
- Target of at least 80% of agreed mitigations implemented by 31 Dec 2026, excluding formally accepted risks.
| End of December 2026 |
| 3) Protect information systems against external security threats and vulnerabilities. | Maintain layered assurance through a combination of continuous external testing and periodic structured assessments, supported by clear remediation ownership and timelines. | Security team | Security team time, Engineering time | - Continuous bug bounty operational by 30 Apr 2026.
- Annual penetration test completed in 2026.
| End of December 2026 |
| 4) Maintain compliance with security standards | Complete scheduled assurance activities against recognised security and responsible AI management standards, and track any follow-up actions to completion. | Security team | Security team time | - ISO 27001:2022 and ISO 42001 surveillance audits completed in 2026.
- SOC 2 Type II audit completed in 2026.
- Final reports received and any nonconformities or exceptions logged with owners and due dates.
| End of December 2026 |
| 5) Maintain a cycle of continuous improvement. | Remediate findings identified by audits. | Security team | Ad-hoc | - ISO 27001:2022 certification maintained in 2026 with 0 nonconformities.
- SOC 2 audit with 0 exceptions in the final report.
- ISO 42001 certification achieved in 2026.
| End of December 2026 |
| 6) Foster a culture of security awareness within FundApps. | Maintain a robust security awareness programme covering onboarding and refresher training, with emphasis on practical reporting behaviours. | Security team | Security team time | - All staff complete required security awareness training.
- 0 C1, C2, or C3 incidents attributable to lack of awareness.
- Annual survey confirming confidence in reporting, with actions tracked.
| End of December 2026 |
| 8) Strengthen infrastructure security and resilience | Reduce exposure to common web threats and improve resilience to high-volume attack patterns. | Security team | Security team time, Engineering time | - AWS WAF and DDoS protection deployed to production for in-scope workloads by 31 Dec 2026.
| 30 Jun 2026 |
| 9) Reduce operational and third-party security risks | Improve privileged access governance and remove the last remaining legacy component. | Security team | Security team time | - Privileged access solution implemented by 30 Mar 2026 with 0 incidents attributable to misconfiguration or service failure.
- Legacy notification component decommissioned by 30 Jun 2026.
| End of December 2026 |