Performance Evaluation

| What will be monitored & measured | Methods for monitoring & measurement | Metrics used to measure | Target | When will it be done | Who shall monitor & measure |
|---|---|---|---|---|---|
| Consolidation to a unified control set for the merged entity | Gap assessment, audit readiness | # of ISMS components not aligned with the merged entity | 0 | Ad hoc | Security Team |
| Protection of sensitive data managed by FundApps' Information Systems | Risk assessments and reviews | # of risks above the risk tolerance level | 0 | Annually | Security Team |
| Security of FundApps' platform | Bug bounty program, penetration test | # and severity of findings from penetration tests and the bug bounty program | 0 Critical or High findings | Annually | Security Team |
| Protection of Information Systems against external security threats and vulnerabilities | Incident register | # of C1 or C2 security incidents in the last 12 months | 0 | Annually and after an incident has occurred | Security Team |
| Compliance with security standards | ISO certification audit | ISO 27001 certification maintained | Yes | Annually | Security Team |
| Compliance with security standards | ISO certification audit | ISO 42001 certification achieved | Yes | Annually | Security Team |
| Compliance with security standards | SOC 2 Type II report | SOC 2 Type II report maintained in the last 12 months | Yes | Annually | Security Team |
| Audit findings | Internal or external audit | # and severity of findings identified during the last internal or external audit | 0 major non-conformities | Following each internal or external audit | Security Team |
| A culture of security awareness within FundApps | Incident register | # of C1, C2, C3 or Internal security incidents in the last 12 months resulting from a lack of security awareness (e.g. phishing) | 0 C1, 0 C2, 0 C3, fewer than 10 Internal | Annually and after an incident has occurred | Security Team |
| Information Systems misused, damaged or abused | Incident register | # of C1, C2 or C3 security incidents in the last 12 months linked to a third-party supplier | 0 | Annually and after an incident has occurred | Security Team |
| Information Systems misused, damaged or abused | Incident register | # of C1, C2 or C3 security incidents in the last 12 months linked to a lack of web protection or resilience | 0 | Annually and after an incident has occurred | Security Team |

Analysis of performance

Based on these indicators, FundApps will assess whether its ISMS is performing effectively and whether the root causes of any underperformance are being identified and addressed appropriately.

Management Review

At least once per calendar year, a management review of the ISMS will be conducted to ensure its continuing suitability, adequacy and effectiveness.

Attendees

The annual management review meeting will have the following attendees:

  • the ISMS Implementer,

  • the ISMS Manager, and

  • at least one member of the Leadership Team, who may be the ISMS Manager.

Agenda

The agenda will include the following topics:

  1. Status of actions from previous management reviews

  2. Relevant changes in external and internal issues

  3. Performance of the ISMS

    1. Audit results, non-conformities and corrective actions

    2. Monitoring and measurement results

    3. Information Security Objectives

  4. Feedback from interested parties

  5. Results of risk assessment and status of the risk treatment plan

  6. Opportunities for continual improvement
