Objective Plan

The following table describes the plan for 2026 to achieve FundApps' objectives.

Each row below gives, for one objective: what will be done, who is responsible, the resources required, the evaluation criteria, and the estimated completion date.

1) Consolidate to a unified control set and audit cycle for the merged entity.
What will be done: Align governance, policies, and assurance activities across the merged group, and reduce duplication in ways of working.
Responsible: Security team
Resources required: Security team time
Evaluation:
  • Gap assessment completed by 30 Jun 2026, and leadership-approved roadmap in place.
  • End-of-year evidence of consolidated governance and a defined joint audit plan for 2027.
  • Residual risk statement for client data leakage harmonised across FundApps and Surveillance, with one documented risk acceptance process.
Est. completion date: End of December 2026

2) Ensure the protection of sensitive data managed by FundApps’ information systems.
What will be done: Run structured risk reviews across in-scope teams and ensure prioritised mitigations are planned and delivered.
Responsible: Security team
Resources required: Security team time
Evaluation:
  • Threat modelling completed for all in-scope teams by 1 Oct 2026.
  • Risk registers maintained with owners and target dates.
  • Target of at least 80% of agreed mitigations implemented by 31 Dec 2026, excluding formally accepted risks.
Est. completion date: End of December 2026

3) Protect information systems against external security threats and vulnerabilities.
What will be done: Maintain layered assurance through a combination of continuous external testing and periodic structured assessments, supported by clear remediation ownership and timelines.
Responsible: Security team
Resources required: Security team time, Engineering time
Evaluation:
  • Continuous bug bounty operational by 30 Apr 2026.
  • Annual penetration test completed in 2026.
Est. completion date: End of December 2026

4) Maintain compliance with security standards.
What will be done: Complete scheduled assurance activities against recognised security and responsible AI management standards, and track any follow-up actions to completion.
Responsible: Security team
Resources required: Security team time
Evaluation:
  • ISO 27001:2022 and ISO 42001 surveillance audits completed in 2026.
  • SOC 2 Type II audit completed in 2026.
  • Final reports received and any nonconformities or exceptions logged with owners and due dates.
Est. completion date: End of December 2026

5) Maintain a cycle of continuous improvement.
What will be done: Remediate findings identified by audits.
Responsible: Security team
Resources required: Ad-hoc
Evaluation:
  • ISO 27001:2022 certification maintained in 2026 with 0 nonconformities.
  • SOC 2 audit with 0 exceptions in the final report.
  • ISO 42001 certification achieved in 2026.
Est. completion date: End of December 2026

6) Foster a culture of security awareness within FundApps.
What will be done: Maintain a robust security awareness programme covering onboarding and refresher training, with emphasis on practical reporting behaviours.
Responsible: Security team
Resources required: Security team time
Evaluation:
  • All staff complete required security awareness training.
  • 0 C1, C2, or C3 incidents attributable to lack of awareness.
  • Annual survey confirming confidence in reporting, with actions tracked.
Est. completion date: End of December 2026

8) Strengthen infrastructure security and resilience.
What will be done: Reduce exposure to common web threats and improve resilience to high-volume attack patterns.
Responsible: Security team
Resources required: Security team time, Engineering time
Evaluation:
  • AWS WAF and DDoS protection deployed to production for in-scope workloads by 31 Dec 2026.
Est. completion date: 30 Jun 2026

9) Reduce operational and third-party security risks.
What will be done: Improve privileged access governance and remove the last remaining legacy component.
Responsible: Security team
Resources required: Security team time
Evaluation:
  • Privileged access solution implemented by 30 Mar 2026 with 0 incidents attributable to misconfiguration or service failure.
  • Legacy notification component decommissioned by 30 Jun 2026.
Est. completion date: End of December 2026
