Objective Plan
The following plan sets out the objectives for 2026 and how FundApps intends to achieve them. Each objective lists its description, owner, required resources, success criteria and deadline.
Objective 1: Consolidate to a unified control set and audit cycle for the merged entity.
Description: Align governance, policies, and assurance activities across the merged group, and reduce duplication in ways of working.
Owner: Security team
Resources: Security team time
Success criteria:
- Gap assessment completed by 30 Jun 2026, and leadership-approved roadmap in place.
- End-of-year evidence of consolidated governance and a defined joint audit plan for 2027.
- Residual risk statement for client data leakage harmonised across FundApps and Surveillance, with one documented risk acceptance process.
Deadline: End of December 2026

Objective 2: Ensure the protection of sensitive data managed by FundApps' information systems.
Description: Run structured risk reviews across in-scope teams and ensure prioritised mitigations are planned and delivered.
Owner: Security team
Resources: Security team time
Success criteria:
- Threat modelling completed for all in-scope teams by 1 Oct 2026.
- Risk registers maintained with owners and target dates.
- At least 80% of agreed mitigations implemented by 31 Dec 2026, excluding formally accepted risks.
Deadline: End of December 2026

Objective 3: Protect information systems against external security threats and vulnerabilities.
Description: Maintain layered assurance through a combination of continuous external testing and periodic structured assessments, supported by clear remediation ownership and timelines.
Owner: Security team
Resources: Security team time, Engineering time
Success criteria:
- Continuous bug bounty operational by 30 Apr 2026.
- Annual penetration test completed in 2026.
Deadline: End of December 2026

Objective 4: Maintain compliance with security standards.
Description: Complete scheduled assurance activities against recognised security and responsible AI management standards, and track any follow-up actions to completion.
Owner: Security team
Resources: Security team time
Success criteria:
- ISO 27001:2022 and ISO 42001 surveillance audits completed in 2026.
- SOC 2 Type II audit completed in 2026.
- Final reports received and any nonconformities or exceptions logged with owners and due dates.
Deadline: End of December 2026

Objective 5: Maintain a cycle of continuous improvement.
Description: Remediate findings identified by audits.
Owner: Security team
Resources: Ad-hoc
Success criteria:
- ISO 27001:2022 certification maintained in 2026 with 0 nonconformities.
- SOC 2 audit with 0 exceptions in the final report.
- ISO 42001 certification achieved in 2026.
Deadline: End of December 2026

Objective 6: Foster a culture of security awareness within FundApps.
Description: Maintain a robust security awareness programme covering onboarding and refresher training, with emphasis on practical reporting behaviours.
Owner: Security team
Resources: Security team time
Success criteria:
- All staff complete required security awareness training.
- 0 C1, C2, or C3 incidents attributable to lack of awareness.
- Annual survey confirming confidence in reporting, with actions tracked.
Deadline: End of December 2026

Objective 8: Strengthen infrastructure security and resilience.
Description: Reduce exposure to common web threats and improve resilience to high-volume attack patterns.
Owner: Security team
Resources: Security team time, Engineering time
Success criteria:
- AWS WAF and DDoS protection deployed to production for in-scope workloads by 31 Dec 2026.
Deadline: 30 Jun 2026

Objective 9: Reduce operational and third-party security risks.
Description: Improve privileged access governance and remove the last remaining legacy component.
Owner: Security team
Resources: Security team time
Success criteria:
- Privileged access solution implemented by 30 Mar 2026 with 0 incidents attributable to misconfiguration or service failure.
- Legacy notification component decommissioned by 30 Jun 2026.
Deadline: End of December 2026