Continual Improvement Process

Objective

This process aims to allow FundApps to continually improve the suitability, adequacy and effectiveness of the information security management system.

Scope

ISMS Change Management Process

Nonconformities of FundApps' Information Security Management System with ISO 27001:2022.

Policy

ISMS Change Management Process

FundApps ensures that all changes to the Information Security Management System are carried out in a planned manner and controlled in accordance with ISO 27001 Clause 6.3.

To ensure a structured approach to ISMS changes, FundApps follows these key steps:

1. Identifying & Assessing Changes

• Changes may be identified through internal reviews, ISMS performance reviews, audits, risk assessments, regulatory updates, or feedback from stakeholders.

• Each change is assessed for potential impacts on security objectives, risk posture, and existing controls.

1. Planning & Approval

• Changes are reviewed and approved by relevant stakeholders before implementation to ensure alignment with security and business objectives.

1. Implementation & Documentation

• Approved changes are implemented following a structured approach to minimise security risks and operational disruptions.

• All changes are documented in accordance with FundApps' record-keeping requirements.

1. Monitoring & Review

• The effectiveness of implemented changes is monitored to ensure security objectives are met.

• Any unintended consequences are reviewed, and corrective actions are taken as necessary.

1. Control of External Processes

• Any externally provided processes, products, or services that impact the ISMS are reviewed and controlled to maintain compliance and security integrity.

Management of nonconformities

FundApps shall implement the following process when nonconformities arise:

React to the nonconformity

FundApps shall react to the nonconformity as applicable by taking action to control and correct it and deal with its consequences.

Non-conformities will be logged in Shortcut, a ticketing system.

Non-confirmities can be identified daily through the use of FundApps' compliance monitoring tool, during annual internal audits, during the ISMS performance review and during the annual risk assessment.

Evaluate the root cause

FundApps shall evaluate the need for action to eliminate the causes of the nonconformity to ensure it does not occur again.

To do so FundApps shall:

• review the nonconformity;

• determine the cause of the nonconformity; and

• determine if similar nonconformities exist or could potentially occur.

The remediation action and a deadline will be logged in Shortcut for each non-conformity.

Remediate root cause

FundApps shall implement actions required to address the root cause of the nonconformity.

Once the action has been implemented, the corresponding Shortcut story will be marked as done.

Determine effectiveness of the remediation

FundApps shall review the effectiveness of the remediation actions which have been taken and make further changes to the ISMS if necessary.

Retain evidence

FundApps shall retain evidence of:

• the nature of the nonconformities and any subsequent action taken, and

• the result of any remediation actions.