FundApps is committed to a robust implementation of Information Security Management. All our hosting environments are certified to ISO 27001. As an organisation we endeavour to align our processes with ISO 27001 and the NIST Cyber Security Framework.
We are specifically committed to preserving the confidentiality, integrity and availability of data and documentation supplied by, generated by and held on behalf of our clients. The principles defined in this policy apply to all of the physical and electronic information assets for which FundApps is responsible.
Our senior management team is directly responsible for ensuring that all FundApps staff have been made aware of these procedures and their contents.
All employees have access to these procedures, are required to abide by them, and are encouraged to regularly review and update them in their relevant areas.
Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It focuses primarily on the confidentiality, integrity and availability of data.
FundApps Data, for the purposes of this policy, is data owned, processed or held by FundApps, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.
FundApps, headquartered in London, United Kingdom, helps investment managers to harness the power of community and technology to automate regulatory compliance.
There are a number of internal and external factors that create uncertainty that gives rise to risk. These include:
Information
FundApps processes the following types of information which require adequate protection:
sensitive client information,
personal data,
Sensitive FundApps Intellectual property.
People
Staff turnover,
Induction of new joiners,
Staff role changes,
High rate of recruitment due to rapid growth.
Organisation
Use of contractors,
Staff working in different time zones.
Products/Services
Alignment of products with evolving regulations,
FundApps services’ competitive advantage relies partly on its intellectual property.
Systems and Processes
Security or resilience issues with FundApps' information systems,
Lack of process documentation.
Political Factors
War in Eastern Europe,
Divergence of regulations between the UK and EU following Brexit,
Changes made to regulations.
Commercial war between the USA and China.
Economic Factors
Economic recession,
Market conditions affect our clients' ability to subscribe to FundApps’ services,
Higher staff costs due to increasing demand for software engineers or regulatory experts in a constrained market.
Social Factors
Increase in working from home and bring your own devices practices.
Public services industrial action in the UK.
Technological Factors
Fast-evolving threat landscape (e.g. ransomware campaigns),
Increased expectations from clients to manage their own security (e.g. Bring Your Own Key, feed export logs to client SIEM).
Rise of Artificial Intelligence.
Environmental Factors
Pandemic affects how people work.
Legal Factors
More lenient financial regulations make our products less appealing,
Regulations on personal data such as GDPR,
Regulations on access to MNPI and insider trading,
Technology-related legislation, such as the Computer Misuse Act 1990 or the Freedom of Information Act 2000,
Intellectual property concerns related to the use of open source software.
The objectives of the ISMS are:
1) Ensure the protection of sensitive data managed by FundApps' Information Systems.
Zero data breaches.
2) Ensure the protection of all FundApps Information Systems against the risks of unauthorised access, misuse, damage and abuse.
Zero FundApps Information Systems compromised, misused, damaged or abused.
3) Demonstrate a high level of competence and expertise in Information Security
Zero clients lost due to Information Security issues.
4) Maintain compliance with security standards.
Maintain ISO 27001 certification and SOC 2 Type II Reports.
5) Foster a culture of security awareness within FundApps.
Zero security incident resulting from lack of security awareness (e.g. phishing).
6) Protect FundApps from liability or damage due to an Information Security Incident.
Zero law suits, fines or losses due to a security incident.
7) Maintain a cycle of continuous improvement.
All non-conformities with ISO 27001 standard are prioritised for remediation.
The plan to achieve these objectives is described in the Objective Plan.
cf. ISMS Scope
The following eight information security principles provide overarching governance for the security and management of information at FundApps.
Information should be recorded in our information asset register, with the Information Systems which make use of it, classified in accordance with our data classification policy and in accordance with relevant legislative, regulatory and contractual requirements.
Risks to information security should be assessed and assigned an owner in accordance with our risk management framework
Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.
All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.
As far as is reasonably possible, endeavours must be made to ensure data is complete, relevant, accurate, timely and consistent.
Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
Information will be protected against unauthorized access and processing in accordance with its classification level.
Information will be protected against loss or corruption.
Breaches of this policy must be reported.
FundApps has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements. Relevant legislation includes:
• The Computer Misuse Act 1990
• General Data Protection Regulation 2018
• Data Protection Act 2018
• The Freedom of Information Act 2000
• Regulation of Investigatory Powers Act 2000
• Copyright, Designs and Patents Act 1988
• Defamation Act 1996
• Obscene Publications Act 1959
• Protection of Children Act 1978
• Criminal Justice Act 1988
• Digital Economy Act 2010
A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided below. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.
The Computer Misuse Act 1990 defines offences in relation to the misuse of computers as:
Unauthorised access to computer material.
Unauthorised access with intent to commit or facilitate commission of further offences.
Unauthorised modification of computer material.
Unauthorised acts causing, or creating risk of, serious damage (section 3ZA).
Making, supplying or obtaining articles for use in an offence under section 1, 3 or 3ZA (section 3A).
The General Data Protection Regulation 2018 (GDPR) defines obligations for businesses and organisations that collect, process and store individuals' personal data. GDPR outlines seven data protection principles which relate to:
Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Integrity and confidentiality (security)
Accountability
Data Protection Act 2018
GDPR and DPA 2018 are based on the same principles. The main differences between the two are around:
Freedom of information,
Compliance reports,
Data subject access request,
Age of consent,
Information Commissioner’s Office codes of practice,
National security and crime.
Any security breach of FundApps information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act 1998, contravenes FundApps Data Protection Policy, and may result in criminal or civil action against FundApps.
The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against FundApps. Therefore it is crucial that all users of the FundApps information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.
All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.
Any security breach will be handled in accordance with all relevant FundApps policies, including the Conditions of Use of IT Facilities at FundApps and the appropriate disciplinary policies.
If a member of staff is aware of an information security incident, they must report it to the Head of Information Security, the CEO or the CTO immediately. For more information, please see our Incident Response Policy.
This policy, and its subsidiaries, shall be reviewed by FundApps and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.
FundApps ensures that all changes to the ISMS are carried out in a planned and controlled manner, in alignment with our Continual Improvement Process.
The list of interested parties in FundApps' ISMS and their requirements are as follows:
Clients
Provide service in line with contractual Service Level Agreements.
Protect client data from unauthorised access.
All – Managed through security controls, data protection measures, and compliance frameworks.
Staff and contractors
Provide a secure Information System to allow them to perform their jobs.
All – Addressed through access controls, security policies, and infrastructure protections.
Owners and Investors
Provide a cost-effective, safe and secure Information System which allows FundApps to be profitable, attract new clients and develop new services.
All – Managed through risk management, security governance, and business continuity planning.
Suppliers
Operate a secure Information System which prevents security incidents from impacting the supplier's Information System (e.g. malware propagation).
All – Addressed through vendor security assessments, integration controls, and incident response measures.
Regulators
Operate a secure Information System which complies with applicable laws and regulations.
All – Ensured through ISMS policies, audits, and regulatory compliance programs.
The CTO shall ensure FundApps allocates the appropriate resources to ensure the ISMS' conformity with the ISO 27001 standard and shall report the performance of the ISMS to the Leadership team.
The Head of Information Security shall maintain the ISMS, assess its conformity with the ISO 27001 standard, define appropriate corrective actions and report its performance to the CTO.
The internal auditor, who can be a staff member or a consultant, shall perform an impartial internal audit against the requirements of the ISO 27001 standard, and follow-up on the internal audit results to achieve continual improvement.
The leadership team will ensure the performance of the ISMS aligns with FundApps' business objectives.
Finally all FundApps staff members contribute to the ISMS, FundApps' security policies and procedures.
The following diagram shows how the staff who have a role in the ISMS are organised.
FundApps assesses the competencies of those who play a role in the ISMS based on the table below:
Role | Required competencies | How competencies are assessed | Assessment method | Training | Evidence of competency
--- | --- | --- | --- | --- | ---
ISMS Manager | Technical leadership experience; technical and architectural expertise; experience in an environment with high security requirements | During the recruitment process and during the annual review | Assess experience against the competencies column | External Information Security Training | >1 year experience leading a technology team; degree in Computer Science; >1 year experience working in a company with high security requirements (e.g. a financial institution)
ISMS Implementer | Information Security leadership experience; Information Security expertise; Information Security certifications | During the recruitment process and during the annual review | Assess experience, expertise and certifications against the competencies column | External Information Security Training | >1 year experience leading an Information Security team; degree in Information Security Management Systems; Information Security certification
ISMS Internal Auditor | Auditor experience; ISO 27001 expertise | During the recruitment/purchasing process for the internal auditor and/or during the annual review | Assess experience and expertise | External Information Security Training | >1 year experience as an auditor; ISO 27001 Lead Auditor certification
Leadership Team, FundApps Staff | Knowledge of FundApps' Information Security Policies; knowledge of how to react to the most common security threats (e.g. phishing emails) | During the annual Information Security Test | Assess compliance with the Information Security Test | FundApps InfoSec Training | Pass the annual Information Security Test
If gaps are identified with the required competencies, FundApps will define a set of actions to remediate it. These actions may include training, mentoring or hiring or contracting competent persons.
Objective | Measurement source | Indicator | Target | Frequency | Owner
--- | --- | --- | --- | --- | ---
Protection of sensitive data managed by FundApps' Information Systems | Incident register | # of data breaches in last 12 months | 0 | Annually and after an incident has occurred | Security Team
Information Systems misused, damaged or abused | Incident register | # of C1 or C2 security incidents in the last 12 months | 0 | Annually and after an incident has occurred | Security Team
Information Systems misused, damaged or abused | Incident register | # of C1, C2 or C3 security incidents in the last 12 months linked to a third-party supplier | 0 | Annually and after an incident has occurred | Security Team
Demonstrate a high level of competence and expertise in Information Security | Client dissatisfaction with security practices | # of clients lost due to Information Security issues in last 12 months | 0 | Annually | Security Team
Demonstrate a high level of competence and expertise in Information Security | Prospect dissatisfaction with security practices | # of deals with prospects lost due to Information Security issues in last 12 months | <5% of closed-lost deals | Annually | Security Team
Compliance with security standards | ISO certification audit | ISO 27001 certification maintained | Yes | Annually | Security Team
Compliance with security standards | SOC 2 Type II Report | SOC 2 Type II Report maintained in last 12 months | Yes | Annually | Security Team
Foster a culture of security awareness within FundApps | Incident register | # of C1, C2, C3 or Internal security incidents resulting from lack of security awareness (e.g. phishing) in last 12 months | 0 C1, 0 C2, 0 C3, <10 Internal | Annually and after an incident has occurred | Security Team
Foster a culture of security awareness within FundApps | Phishing test | % of users who click on test phishing emails | <5% | After each phishing test | Security Team
Foster a culture of security awareness within FundApps | Phishing test | % of users who report a test phishing email | >20% | After each phishing test | Security Team
Information Security and Business Continuity Risks | Risk assessments and reviews | # of risks above the risk tolerance level | 0 | Annually and when a new risk is identified | Security Team
Audit Findings | Internal or external audit | # and severity of findings identified during last internal audit | 0 major non-conformities | Following an internal or external audit | Security Team
Liability due to an Information Security Incident | Law suits | # of law suits, fines or losses due to a security incident in last 12 months | 0 | Annually and following a law suit | Security Team
Business Continuity Plan Effectiveness | BCP test report | Impact the last activation of the BCP had on business activity and clients | No impact | Annually | Security Team
Disaster Recovery Plan Effectiveness | DR test report | Service return time during last DR test | All components' RTOs met; all components' RPOs met | Annually | Security Team
Security of FundApps' platform | Penetration test report | # and severity of findings in last penetration test | 0 Critical and High vulnerabilities | Annually | Security Team
Based on these indicators, FundApps will assess whether its ISMS is performing efficiently and whether root causes of underperformance are being identified and managed appropriately.
At least once per calendar year, a review of the ISMS will be done to ensure its continuing suitability, adequacy and effectiveness.
The annual management review meeting will have the following attendees:
the ISMS Implementer,
the ISMS Manager, and
at least one member from the Leadership Team, which can be the ISMS Manager.
The agenda will include the following topics:
Status of actions from previous management reviews
Relevant changes in external and internal issues
Performance of the ISMS
Audit results, non-conformities and corrective actions
Monitoring and measurement results
Information Security Objectives
Feedback from interested parties
Results of risk assessment and status of the risk treatment plan
Opportunities for continual improvement
The ISMS applies to the shareholding disclosure, position limits, sensitive industries, annex IV reporting and Filing Manager services, which FundApps delivers to its clients. It also applies to the information assets, processes, teams and external service providers which FundApps relies on to provide these services.
FundApps’ five main services provided are:
Shareholding Disclosure
FundApps’ Shareholding Disclosure service monitors disclosure requirements for major shareholding, short selling and takeover panels. Position data is uploaded daily and users are alerted to new disclosures. Disclosures are made on time without mistakes.
Position Limits
FundApps' Position Limits service simplifies the process of monitoring position limits on derivative contracts which are imposed by exchanges across the globe as well as regulators (e.g. CFTC, ESMA via MiFID II). Our service informs our clients on where their positions are versus applicable limits and acts as an early warning system.
Sensitive Industries
FundApps simplifies the process of monitoring sensitive industries investment and foreign ownership. Position data is uploaded daily and users are alerted to pre-approval warnings, notifications for disclosure obligations and hard stop breaches.
Filing Manager
Filing Manager automates the disclosure process for short selling reporting. It uses the client-provided data and provides a fully audited service to file for the client. It identifies disclosures for short positions once the position file runs and prepares them to be submitted to the relevant regulator.
Annex IV reporting
AIFMD Annex IV reporting requires detailed disclosures on investor data, risk exposures, liquidity, and financing to enhance transparency in the alternative investment space. We automate data aggregation, centralise workflows, and provide full calculation visibility at every stage.
The FundApps departments within the scope of the ISMS are:
Client Services – On-board clients and assist them throughout their experience with our software.
Regulatory team – Helps to ensure rules correctly mirror current regulation.
Finance – Manage FundApps’ budget, cash flow, tax planning and record keeping.
People Operations – Team responsible for employer brand, recruitment and on-boarding through to development, reward and recognition.
Product – Design and develop products to achieve the company’s objectives.
Engineering – Manage and maintain system architecture and design for all hosted clients.
At a high level, the following executives and teams support FundApps’ processes and services:
CEO – Assigns authority and responsibility for operating activities and reporting relationships. FundApps’ CEO defines and communicates the company’s objectives.
Global Head of Client Services – Takes the lead in owning the FundApps client portfolio and drives cross-team collaboration to support FundApps’ objectives.
Chief Product Officer – Accountable for all product management and content team activities globally.
Chief Technology Officer – Provides direction and decision making on what technologies to use, the architecture of the platforms and the best technical practices to follow.
Chief Revenue Officer – Accountable for all sales activities within the region and acts as the People Leader for the Regional Sales team.
Head of People – Reporting directly to the CEO, the head of People Operations smooths the next phase in growth as FundApps scales.
Head of Information Security – Responsible for managing Information Security, Cyber Security and Business Continuity risks potentially impacting FundApps.
FundApps operates out of three offices:
18th Floor, HYLO, 105 Bunhill Row, London, EC1Y 8LZ, United Kingdom
276 5th Ave, Suite 808, New York, NY 10001
#13-135, 71 Robinson Road, 068895, Singapore
FundApps services make use of a resilient infrastructure, which is hosted within multiple data centres (availability zones) and regions operated by Amazon Web Services. There are two environments: a primary environment made up of three data centres within a single geographic region, from which the service is provided in normal operation, and a secondary environment in an alternate geographic region, which is used in case the primary environment is unavailable. Each of the three data centres within the primary environment has discrete power and Internet connectivity. FundApps’ primary environment is designed to continue to provide its service should two of the three centres suffer concomitant failures. Should the whole primary environment fail, FundApps has procedures to recover its service in the secondary environment. The critical components of this highly available infrastructure include:
Proxy servers, which filter inbound traffic and route it to the correct service;
Serverless computing elements and containers, which apply rule sets to analyse FundApps clients’ financial positions and provide clients with a web user interface and an application programming interface (API); and
Databases, which store the results of this analysis, as well as objects and events related to client environments.
FundApps relies on various applications, tools, and infrastructure components to support its information security management system.
FundApps' platform consists of software that supports its applications, including software for our build pipeline, deployment tools used to deploy to AWS environments, and automation software for managing cloud infrastructure changes.
In addition, FundApps utilises systems for:
Identity and Access Management to control authentication and authorisation.
Development and Change Management to track and manage software changes securely.
Security Monitoring and Threat Detection to protect against, detect, and respond to security threats.
Communication and Collaboration to facilitate internal and external information sharing.
Customer Support and Relationship Management to manage client interactions and service requests.
FundApps ensures that all business-critical applications and tools within the ISMS scope are assessed for security risks, aligned with industry best practices, and regularly reviewed to maintain compliance with ISO 27001. A current list of subprocessors is maintained in our Privacy Policy.
The following table describes the plan for 2025 to achieve FundApps' objectives.
Objective | Action | Owner | Resources | Expected result | Deadline
--- | --- | --- | --- | --- | ---
1) Ensure the protection of non-public data managed by FundApps' Information Systems. | Reduce the need to access client environments for Client Success staff | Security team | Security team, Engineering time, CS team | CS can manage the health of a client without the need to log into a client environment. | End of December 2025
2) Ensure the protection of all FundApps Information Systems against the risks of unauthorised access, misuse, damage and abuse. | Implement new security practices (i.e., threat modeling & bug bounty). | Security team | Budget for bug bounty program, Engineering time, Security team | Bug bounty program implemented for a trial period. Teams conducted threat modeling on all new systems. | End of December 2025
3) Maintain compliance with security standards. | Maintain a SOC 2 Type II Report and ISO 27001 attestations. | Security team | Internal and external auditors | Results of the ISO 27001:2022 and SOC 2 audits | End of December 2025
4) Maintain a cycle of continuous improvement. | Remediate findings identified by audits. | Security team | Ad-hoc | All non-conformities have been remediated | End of December 2025
5) Foster a culture of security awareness within FundApps. | Provide team-specific Information Security training. | Security team | Security team time | Provided targeted training for staff with higher rates of security incidents. Results of an advanced phishing exercise | End of December 2025
6) Demonstrate a high level of competence and expertise in Information Security. | Ensure that our platform upholds top-tier security features. | Security team | Security team, Engineering time | Implemented an audit trail streaming feature to integrate with the client’s SIEM tools | End of December 2025
7) Protect FundApps from liability or damage due to an Information Security Incident. | Reduce the security impact of third-party agents | Security team | Security team, Engineering time | Reduced number of third-party agents on endpoints and production infrastructure. Evaluated residual risk of all remaining agents. | End of December 2025
8) Comply with new and upcoming regulations. | Comply with DORA regulation | Security team | Security team, Legal team | Implemented policies and guidelines that will ensure our compliance with DORA | January 17, 2025
9) Strengthen platform resilience and disaster recovery. | Broaden scenario coverage, automate DR plan execution, and integrate DR plans into incident management procedures. | Security team | Security team, Engineering time | Reduced time to run disaster recovery tests. DR plans are integrated into incident management procedures. | End of December 2025
This policy defines the internal audit process of FundApps' Information Security Management System (ISMS).
The scope of the internal audit is FundApps' Information Security Management System (ISMS), which is described in ISMS Scope.
Internal audits shall be performed against FundApps' ISMS at planned intervals at least once per year.
Over a three year period there will be three internal audits:
one audit will cover the entire scope of the ISMS
two audits will cover at least one third of the ISMS.
The internal auditor shall be appointed by the ISMS Manager. The auditor may be a member of FundApps or an external trusted third-party auditor. Auditor selection shall be done to ensure the objectivity and impartiality of the audit process.
Audits shall be planned in advance and the ISMS Manager shall be notified no less than 5 business days ahead of time.
The internal auditor shall prepare the audit plan which shall define the scope of the ISMS, including the scope of the controls, which shall be audited.
Amongst others, the audit plan must take as an input the following items:
Security related incidents that have occurred since last audit;
Changes made to the Information Security Policy;
Changes made to Information Security controls;
Improvements made to the ISMS.
The resulting audit plan must be validated by the ISMS Manager.
Upon validation the ISMS auditor must communicate the plan to the interested parties.
The internal auditor shall collect and study the previous audit findings and outstanding issues. They shall also prepare relevant documents required for the audit (e.g. ISMS Audit checklist).
During the audit, the internal auditor shall find relevant evidence to ascertain that:
The information security policy reflects the current business requirements;
An appropriate risk assessment methodology is being used;
Documented procedures (within the scope of the ISMS) are being followed and are meeting their objectives;
Controls are in place and working as intended;
Residual risks have been assessed correctly and are within FundApps' risk appetite and risk tolerance levels;
The agreed actions from the previous audits have been implemented;
The ISMS is compliant with ISO 27001.
The internal auditor shall prepare an audit report based on the audit findings. Findings shall be labelled according to their severity and priority level:
Major Non-Conformity - This pertains to a major deficiency in the ISMS and exists if one or more elements of the ISO/IEC 27001:2022 Information Security standard is not implemented and this finding shall have a direct effect on information security, specifically on the preservation of confidentiality, integrity and availability of information assets.
Minor Non-Conformity - A minor deficiency. One or more elements of the ISMS is/are only partially complied with. Minor non-conformities have an indirect effect on information security.
Observations/Potential Improvements – An audit recommendation for improvement for consideration by FundApps.
The internal auditor shall send the audit report to the ISMS Manager and the ISMS Implementer.
According to the audit findings and the non-conformity levels, an action plan and a potential follow-up audit shall be defined by the ISMS Implementer and validated by the ISMS Manager. The scope of a follow-up audit is limited to the non-conformity, and the same mechanisms that produced the finding are used.
This process aims to allow FundApps to continually improve the suitability, adequacy and effectiveness of the information security management system.
ISMS Change Management Process
Nonconformities of FundApps' Information Security Management System with ISO 27001:2022.
FundApps ensures that all changes to the Information Security Management System are carried out in a planned manner and controlled in accordance with ISO 27001 Clause 6.3.
Identifying & Assessing Changes
Changes may be identified through internal reviews, ISMS performance reviews, audits, risk assessments, regulatory updates, or feedback from stakeholders.
Each change is assessed for potential impacts on security objectives, risk posture, and existing controls.
Planning & Approval
Changes are reviewed and approved by relevant stakeholders before implementation to ensure alignment with security and business objectives.
Implementation & Documentation
Approved changes are implemented following a structured approach to minimise security risks and operational disruptions.
All changes are documented in accordance with FundApps' record-keeping requirements.
Monitoring & Review
The effectiveness of implemented changes is monitored to ensure security objectives are met.
Any unintended consequences are reviewed, and corrective actions are taken as necessary.
Control of External Processes
Any externally provided processes, products, or services that impact the ISMS are reviewed and controlled to maintain compliance and security integrity.
FundApps shall implement the following process when nonconformities arise:
FundApps shall react to the nonconformity as applicable by taking action to control and correct it and deal with its consequences.
Non-conformities can be identified daily through the use of FundApps' compliance monitoring tool, during annual internal audits, during the ISMS performance review and during the annual risk assessment.
FundApps shall evaluate the need for action to eliminate the causes of the nonconformity to ensure it does not occur again.
To do so FundApps shall:
review the nonconformity;
determine the cause of the nonconformity; and
determine if similar nonconformities exist or could potentially occur.
FundApps shall implement actions required to address the root cause of the nonconformity.
FundApps shall review the effectiveness of the remediation actions which have been taken and make further changes to the ISMS if necessary.
FundApps shall retain evidence of:
the nature of the nonconformities and any subsequent action taken, and
the result of any remediation actions.
Non-conformities will be logged in , a ticketing system.
The remediation action and a deadline will be logged in for each non-conformity.
Once the action has been implemented, the corresponding story will be marked as done.
Define the version control, change approval and review cycle of FundApps policies.
FundApps Information Security, Risk Management and Business Continuity policies.
Policies in scope shall be versioned through the use of git. Any change to a policy will be tied to a commit number and an author. This information will be stored in the policies git log.
Policies in scope shall be approved by a member of the leadership team. These approvals will be stored in the policies git log.
Policies in scope shall be reviewed annually by the Head of Information Security and at least one member of the Leadership Team.
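The policy above records both the author of each change and the leadership approval in the git log. The following script is an added example (not FundApps' own tooling) of how such a log can be checked mechanically: it parses `git log` output for the policy files and flags any commit that lacks an approval from a leadership team member. It assumes, as a convention not stated on the page, that approval is recorded as an `Approved-by: Name <email>` trailer in the commit message, that the policies live under a `policies/` directory, and that the leadership team is a known set of e-mail addresses; the log text and addresses below are constructed sample data. As an extra check that goes beyond the policy text, a commit whose only leadership approval comes from its own author is also flagged, in line with the segregation of duties the ISMS requires elsewhere.

```python
"""Added example: verify that every commit touching policy files carries a
leadership approval trailer in the git log.

Assumptions (not stated on the page): approval is recorded as an
"Approved-by: Name <email>" trailer, policies live under policies/, and the
leadership team is a fixed set of e-mail addresses. All sample data below is
constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of leadership team addresses (hypothetical).
LEADERSHIP = {"cto@example.com", "ceo@example.com"}

# Constructed sample of:
#   git log --format='commit %H%nAuthor: %an <%ae>%n%n%B' -- policies/
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000001
Author: Alice Author <alice@example.com>

Update review cycle in the Information Security Policy

Approved-by: Chief Technology Officer <cto@example.com>
commit 0000000000000000000000000000000000000002
Author: Bob Author <bob@example.com>

Fix typo in the Business Continuity Policy
commit 0000000000000000000000000000000000000003
Author: Chief Technology Officer <cto@example.com>

Tighten risk tolerance wording in the Risk Management Policy

Approved-by: Chief Technology Officer <cto@example.com>
"""


@dataclass
class Commit:
    sha: str
    author_email: str = ""
    approvers: list = field(default_factory=list)


AUTHOR = re.compile(r"^Author:.*<([^>]+)>\s*$")
TRAILER = re.compile(r"^Approved-by:.*<([^>]+)>\s*$", re.IGNORECASE)


def parse_log(text):
    """Split raw git log text into Commit records with author and approvers."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit "):
            commits.append(Commit(sha=line.split()[1]))
        elif commits and (m := AUTHOR.match(line)):
            commits[-1].author_email = m.group(1).lower()
        elif commits and (m := TRAILER.match(line)):
            commits[-1].approvers.append(m.group(1).lower())
    return commits


def audit(commits, leadership):
    """Return {sha: reason} for commits failing the approval check.

    A commit passes only if at least one Approved-by trailer names a
    leadership team member other than the commit's own author.
    """
    failures = {}
    for c in commits:
        leaders = {a for a in c.approvers if a in leadership}
        if not leaders:
            failures[c.sha] = "no approval from a leadership team member"
        elif leaders == {c.author_email}:
            failures[c.sha] = "only self-approved by the author"
    return failures


def audit_log_text(text, leadership=LEADERSHIP):
    """Convenience wrapper: parse and audit in one call."""
    return audit(parse_log(text), leadership)


if __name__ == "__main__":
    for sha, reason in audit_log_text(SAMPLE_LOG).items():
        print(f"{sha[:12]}: {reason}")
```

Run against a real repository, the sample text would be replaced by the output of the `git log` command shown in the comment; the check fails closed, so a commit with no trailer at all is reported rather than silently accepted, which is the behaviour you want when the git log is the evidence produced at the annual review.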
This plan describes how the internal audit will be split over 3 years, so that in every 3-year cycle the entirety of FundApps' Information Security Management System has been audited.
Once a 3-year cycle is completed, a new 3-year cycle will begin.
Year 1: this internal audit shall cover the following elements:
Clauses 4 to 10;
All Annex A controls in scope as per the Statement of Applicability.
The audit will be performed before the end of June of year 1.
Year 2: this internal audit shall cover the following elements:
Clauses 4 to 10;
Annex A controls in scope as per the Statement of Applicability from A.5.1 to A.6.8 inclusive.
The audit will be performed before the end of June of year 2.
Year 3: this internal audit shall cover the following elements:
Clauses 4 to 10;
Annex A controls in scope as per the Statement of Applicability from A.7.1 to A.8.34 inclusive.
The audit will be performed before the end of June of year 3.
Internal communication regarding this ISMS will be conducted as described below:

| What | Communicated by | Communicated to | Frequency | Channel |
| --- | --- | --- | --- | --- |
| Changes to the Information Security Management Policy; changes to the Risk Management, Information Security and Business Continuity Policies; changes to the Software Development Policy; changes to the Personnel and Safety Policies | Information Security Lead or CTO | Employees, Contractors, Leadership team, Clients, Prospects | Ad-hoc | Via FundApps policy portal |
| Risks above risk tolerance | Information Security Lead or CTO | Leadership team, Risk owner | Ad-hoc | Via Risk Register |
| Findings from internal or external audits | Information Security Lead or CTO | Employees, Leadership team | Ad-hoc | ShortCut and/or Notion |
| Availability of FundApps' platform | Information Security Lead or CTO | Employees, Contractors, Leadership team, Clients, Prospects | Daily | |
| Changes in security and privacy related contractual requirements | Information Security Lead or CTO | Contractors, Providers | Ad-hoc | Via email |
Statement of Applicability version 2025-02. The following table summarises the controls that are relevant and applicable to FundApps' Information Security Management System in accordance with the requirements of ISO 27001:2022.

| Control | Title | Description | Applicable | Selection basis | Implemented |
| --- | --- | --- | --- | --- | --- |
| 5.1 | Policies for information security | Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. | Yes | X X | Yes |
| 5.2 | Information security roles and responsibilities | Information security roles and responsibilities shall be defined and allocated according to FundApps' needs. | Yes | X X | Yes |
| 5.3 | Segregation of duties | Conflicting duties and conflicting areas of responsibility shall be segregated. | Yes | X X | Yes |
| 5.4 | Management responsibilities | Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. | Yes | X X | Yes |
| 5.5 | Contact with authorities | FundApps shall establish and maintain contact with relevant authorities. | Yes | X X | Yes |
| 5.6 | Contact with special interest groups | FundApps shall establish and maintain contact with special interest groups or other specialist security forums and professional associations. | Yes | X | Yes |
| 5.7 | Threat intelligence | Information relating to information security threats shall be collected and analysed to produce threat intelligence. | Yes | X | Yes |
| 5.8 | Information security in project management | Information security shall be integrated into project management. | Yes | X X | Yes |
| 5.9 | Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, shall be developed and maintained. | Yes | X X | Yes |
| 5.10 | Acceptable use of information and other associated assets | Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented. | Yes | X | Yes |
| 5.11 | Return of assets | Personnel and other interested parties as appropriate shall return all the organization’s assets in their possession upon change or termination of their employment, contract or agreement. | Yes | X | Yes |
| 5.12 | Classification of information | Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. | Yes | X X | Yes |
| 5.13 | Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | Yes | X | Yes |
| 5.14 | Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | Yes | X X | Yes |
| 5.15 | Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. | Yes | X X | Yes |
| 5.16 | Identity management | The full life cycle of identities shall be managed. | Yes | X X | Yes |
| 5.17 | Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. | Yes | X X | Yes |
| 5.18 | Access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization’s topic-specific policy on and rules for access control. | Yes | X X | Yes |
| 5.19 | Information security in supplier relationships | Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier’s products or services. | Yes | X X | Yes |
| 5.20 | Addressing information security within supplier agreements | Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship. | Yes | X X | Yes |
| 5.21 | Managing information security in the information and communication technology (ICT) supply chain | Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. | Yes | X X | Yes |
| 5.22 | Monitoring, review and change management of supplier services | The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. | Yes | X X | Yes |
| 5.23 | Information security for use of cloud services | Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization’s information security requirements. | Yes | X | Yes |
| 5.24 | Information security incident management planning and preparation | The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. | Yes | X X | Yes |
| 5.25 | Assessment and decision on information security events | The organization shall assess information security events and decide if they are to be categorized as information security incidents. | Yes | X X | Yes |
| 5.26 | Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures. | Yes | X X | Yes |
| 5.27 | Learning from information security incidents | Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls. | Yes | X | Yes |
| 5.28 | Collection of evidence | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. | Yes | X | Yes |
| 5.29 | Information security during disruption | The organization shall plan how to maintain information security at an appropriate level during disruption. | Yes | X X | Yes |
| 5.30 | ICT readiness for business continuity | ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | Yes | X | Yes |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Legal, statutory, regulatory and contractual requirements relevant to information security and the organization’s approach to meet these requirements shall be identified, documented and kept up to date. | Yes | X X X | Yes |
| 5.32 | Intellectual property rights | The organization shall implement appropriate procedures to protect intellectual property rights. | Yes | X | Yes |
| 5.33 | Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | Yes | X | Yes |
| 5.34 | Privacy and protection of personally identifiable information (PII) | The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. | Yes | X X X | Yes |
| 5.35 | Independent review of information security | The organization’s approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur. | Yes | X | Yes |
| 5.36 | Compliance with policies, rules and standards for information security | Compliance with the organization’s information security policy, topic-specific policies, rules and standards shall be regularly reviewed. | Yes | X X | Yes |
| 5.37 | Documented operating procedures | Operating procedures for information processing facilities shall be documented and made available to personnel who need them. | Yes | X X | Yes |
| 6.1 | Screening | Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | Yes | X X | Yes |
| 6.2 | Terms and conditions of employment | The employment contractual agreements shall state the personnel’s | Yes | X X X | Yes |
| 6.3 | Information security awareness, education and training | Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. | Yes | X X | Yes |
| 6.4 | Disciplinary process | A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. | Yes | X X | Yes |
| 6.5 | Responsibilities after termination or change of employment | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties. | Yes | X X | Yes |
| 6.6 | Confidentiality or non-disclosure agreements | Confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. | Yes | X X X | Yes |
| 6.7 | Remote working | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization’s premises. | Yes | X | Yes |
| 6.8 | Information security event reporting | The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. | Yes | X X | Yes |
| 7.1 | Physical security perimeters | Security perimeters shall be defined and used to protect areas that contain information and other associated assets. | Yes | X X | Yes |
| 7.2 | Physical entry | Secure areas shall be protected by appropriate entry controls and access points. | Yes | X X | Yes |
| 7.3 | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and implemented. | Yes | X X | Yes |
| 7.4 | Physical security monitoring | Premises shall be continuously monitored for unauthorized physical access. | Yes | X X | Yes |
| 7.5 | Protecting against physical and environmental threats | Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented. | Yes | X X X | Yes |
| 7.6 | Working in secure areas | Security measures for working in secure areas shall be designed and implemented. | Yes | X X | Yes |
| 7.7 | Clear desk and clear screen | Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced. | Yes | X X | Yes |
| 7.8 | Equipment siting and protection | Equipment shall be sited securely and protected. | No | | N/A - managed by a third-party |
| 7.9 | Security of assets off premises | Off-site assets shall be protected. | No | | N/A - managed by a third-party |
| 7.10 | Storage media | Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements. | Yes | X | N/A - managed by a third-party |
| 7.11 | Supporting utilities | Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities. | No | | N/A - managed by a third-party |
| 7.12 | Cabling security | Cables carrying power, data or supporting information services shall be protected from interception, interference or damage. | No | | N/A - managed by a third-party |
| 7.13 | Equipment maintenance | Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information. | No | | N/A - managed by a third-party |
| 7.14 | Secure disposal or reuse of equipment | Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or reuse. | No | | N/A - managed by a third-party |
| 8.1 | User end point devices | Information stored on, processed by or accessible via user end point devices shall be protected. | Yes | X X | Yes |
| 8.2 | Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. | Yes | X X | Yes |
| 8.3 | Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | Yes | X X | Yes |
| 8.4 | Access to source code | Read and write access to source code, development tools and software libraries shall be appropriately managed. | Yes | X X | Yes |
| 8.5 | Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | Yes | X X | Yes |
| 8.6 | Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. | Yes | X X | Yes |
| 8.7 | Protection against malware | Protection against malware shall be implemented and supported by appropriate user awareness. | Yes | X X | Yes |
| 8.8 | Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | Yes | X X | Yes |
| 8.9 | Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. | Yes | X X | Yes |
| 8.10 | Information deletion | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. | Yes | X X | Yes |
| 8.11 | Data masking | Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. | Yes | X X | Yes |
| 8.12 | Data leakage prevention | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. | Yes | X X | Yes |
| 8.13 | Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | Yes | X X | Yes |
| 8.14 | Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | Yes | X X | Yes |
| 8.15 | Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | Yes | X X | Yes |
| 8.16 | Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | Yes | X X | Yes |
| 8.17 | Clock synchronization | The clocks of information processing systems used by the organization shall be synchronized to approved time sources. | Yes | X | Yes |
| 8.18 | Use of privileged utility programs | The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled. | Yes | X X | Only on production infrastructure |
| 8.19 | Installation of software on operational systems | Procedures and measures shall be implemented to securely manage software installation on operational systems. | Yes | X X | Yes |
| 8.20 | Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | Yes | X X | Yes |
| 8.21 | Security of network services | Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. | Yes | X X | Yes |
| 8.22 | Segregation of networks | Groups of information services, users and information systems shall be segregated in the organization’s networks. | Yes | X X | Yes |
| 8.23 | Web filtering | Access to external websites shall be managed to reduce exposure to malicious content. | Yes | X X | Only on systems used to access client data. |
| 8.24 | Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | Yes | X X | Yes |
| 8.25 | Secure development life cycle | Rules for the secure development of software and systems shall be established and applied. | Yes | X X | Yes |
| 8.26 | Application security requirements | Information security requirements shall be identified, specified and approved when developing or acquiring applications. | Yes | X X | Yes |
| 8.27 | Secure system architecture and engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities. | Yes | X X | Yes |
| 8.28 | Secure coding | Secure coding principles shall be applied to software development. | Yes | X X | Yes |
| 8.29 | Security testing in development and acceptance | Security testing processes shall be defined and implemented in the development life cycle. | Yes | X X | Yes |
| 8.30 | Outsourced development | The organization shall direct, monitor and review the activities related to outsourced system development. | Yes | X X | N/A - development is not outsourced |
| 8.31 | Separation of development, test and production environments | Development, testing and production environments shall be separated and secured. | Yes | X X | Yes |
| 8.32 | Change management | Changes to information processing facilities and information systems shall be subject to change management procedures. | Yes | X X | Yes |
| 8.33 | Test information | Test information shall be appropriately selected, protected and managed. | Yes | X | Yes |
| 8.34 | Protection of information systems during audit testing | Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management. | Yes | X | Yes |