Information Security Management System

Scope

The ISMS applies to the shareholding disclosure, position limits, sensitive industries, annex IV reporting and Filing Manager services, which FundApps delivers to its clients. It also applies to the information assets, processes, teams and external service providers which FundApps relies on to provide these services.

Services provided

FundApps provides five main services:

Shareholding Disclosure

FundApps’ Shareholding Disclosure service monitors disclosure requirements for major shareholding, short selling and takeover panels. Position data is uploaded daily and users are alerted to new disclosures. Disclosures are made on time without mistakes.

Position Limits

FundApps' Position Limits service simplifies the process of monitoring position limits on derivative contracts which are imposed by exchanges across the globe as well as regulators (e.g. CFTC, ESMA via MiFID II). Our service informs our clients on where their positions are versus applicable limits and acts as an early warning system.

Sensitive Industries

FundApps simplifies the process of monitoring investment in sensitive industries and foreign ownership. Position data is uploaded daily and users are alerted to pre-approval warnings, notifications of disclosure obligations and hard-stop breaches.

Filing Manager

Filing Manager automates the disclosure process for short selling reporting. It uses the client-provided data and provides a fully audited service to file for the client. It identifies disclosures for short positions once the position file runs and prepares them to be submitted to the relevant regulator.

Annex IV reporting

AIFMD Annex IV reporting requires detailed disclosures on investor data, risk exposures, liquidity, and financing to enhance transparency in the alternative investment space. We automate data aggregation, centralise workflows, and provide full calculation visibility at every stage.

People

The FundApps departments within the scope of the ISMS are:

  • Client Services – On-board clients and assist them throughout their experience with our software.

  • Regulatory team – Help to ensure rules correctly mirror current regulation.

  • Finance – Manage FundApps’ budget, cash flow, tax planning and record keeping.

  • People Operations – Team responsible for employer brand, recruitment and on-boarding through to development, reward and recognition.

  • Product – Design and develop products to achieve the company’s objectives.

  • Engineering – Manage and maintain system architecture and design for all hosted clients.

At a high level, the following executives and teams support FundApps’ processes and services:

  • CEO – Assigns authority and responsibility for operating activities and reporting relationships. FundApps’ CEO defines and communicates the company’s objectives.

  • Global Head of Client Services – Takes the lead in owning FundApps’ client portfolio and drives cross-team collaboration to support FundApps’ objectives.

  • Chief Product Officer – Accountable for all product management and content team activities globally.

  • Chief Technology Officer – Provides direction and decision making on what technologies to use, the architecture of the platforms and best technical practices to follow.

  • Chief Revenue Officer – Accountable for all sales activities within the region and acts as the People Leader for the Regional Sales team.

  • Head of People – Reporting directly to the CEO, the head of People Operations smooths the next phase in growth as FundApps scales.

  • Head of Information Security – Responsible for managing Information Security, Cyber Security and Business Continuity risks potentially impacting FundApps.

Offices

FundApps operates out of three offices:

  • 18th Floor, HYLO, 105 Bunhill Row, London, EC1Y 8LZ, United Kingdom

  • 276 5th Ave, Suite 808, New York, NY 10001

  • #13-135, 71 Robinson Road, 068895, Singapore

Infrastructure

FundApps services make use of a resilient infrastructure, which is hosted within multiple data centres (availability zones) and regions operated by Amazon Web Services. There are two environments: a primary environment made up of three data centres within a single geographic region, from which the service is provided in normal operation, and a secondary environment in an alternate geographic region, which is used if the primary environment is unavailable. Each of the three data centres within the primary environment has discrete power and Internet connectivity. FundApps’ primary environment is designed to continue to provide its service should two of the three centres fail at the same time. Should the whole primary environment fail, FundApps has procedures to recover its service in the secondary environment. The critical components of this highly available infrastructure include:

  • Proxy servers, which filter inbound traffic and route it to the correct service;

  • Serverless computing elements and containers, which apply rule sets to analyse FundApps clients’ financial positions and provide clients with a web user interface and an application programming interface (API); and

  • Databases, which store the results of this analysis, as well as objects and events related to client environments.

Software and Tools

FundApps relies on various applications, tools, and infrastructure components to support its information security management system.

FundApps' platform consists of software that supports its applications, including software for our build pipeline, deployment tools used to deploy to AWS environments, and automation software for managing cloud infrastructure changes.

In addition, FundApps utilises systems for:

  • Identity and Access Management to control authentication and authorisation.

  • Development and Change Management to track and manage software changes securely.

  • Security Monitoring and Threat Detection to protect against, detect, and respond to security threats.

  • Communication and Collaboration to facilitate internal and external information sharing.

  • Customer Support and Relationship Management to manage client interactions and service requests.

FundApps ensures that all business-critical applications and tools within the ISMS scope are assessed for security risks, aligned with industry best practices, and regularly reviewed to maintain compliance with ISO 27001. A current list of subprocessors is maintained in our Privacy Policy.

Roles, Responsibilities and Organisation

Roles and Responsibilities

ISMS Manager

The CTO shall ensure FundApps allocates the appropriate resources to ensure the ISMS' conformity with the ISO 27001 standard and shall report the performance of the ISMS to the Leadership team.

ISMS Implementer

The Head of Information Security shall maintain the ISMS, assess its conformity with the ISO 27001 standard, define appropriate corrective actions and report its performance to the CTO.

ISMS Internal Auditor

The internal auditor, who can be a staff member or a consultant, shall perform an impartial internal audit against the requirements of the ISO 27001 standard and follow up on the internal audit results to achieve continual improvement.

Leadership Team

The leadership team will ensure the performance of the ISMS aligns with FundApps' business objectives.

FundApps staff

Finally, all FundApps staff members contribute to the ISMS and to FundApps' security policies and procedures.

Organisation

The following diagram details the organisation of the staff who have a role in the ISMS.

Competence

FundApps assesses the competencies of those who play a role in the ISMS based on the table below. For each role it records the competencies required, how and against which criteria they are assessed, the action plan to address shortcomings, and the desired level of competency.

ISMS Manager

  • Competencies: Technical leadership experience; technical and architectural expertise; experience in an environment with high security requirements.

  • How competencies are assessed: During the recruitment process and during the annual review.

  • Criteria to assess competencies: Assess experience against those set out in the competencies column.

  • Action plan to address shortcomings: External Information Security Training.

  • Desired level of competency: >1 year experience leading a Technology team; degree in Computer Science; >1 year experience working in a company with high security requirements (e.g. a Financial Institution).

ISMS Implementer

  • Competencies: Information Security leadership experience; Information Security expertise; Information Security certifications.

  • How competencies are assessed: During the recruitment process and during the annual review.

  • Criteria to assess competencies: Assess experience, expertise and certifications against those set out in the competencies column.

  • Action plan to address shortcomings: External Information Security Training.

  • Desired level of competency: >1 year experience leading an Information Security team; degree in Information Security Management Systems; Information Security certification.

ISMS Internal Auditor

  • Competencies: Auditor experience; ISO 27001 expertise.

  • How competencies are assessed: During the recruitment/purchasing process for the internal auditor and/or during the annual review.

  • Criteria to assess competencies: Assess experience and expertise.

  • Action plan to address shortcomings: External Information Security Training.

  • Desired level of competency: >1 year experience as an auditor; ISO 27001 Lead Auditor certification.

Leadership Team and FundApps Staff

  • Competencies: Knowledge of FundApps' Information Security Policies; knowledge of how to react to the most common security threats (e.g. phishing emails).

  • How competencies are assessed: During the annual Information Security Test.

  • Criteria to assess competencies: Assess compliance with the Information Security Test.

  • Action plan to address shortcomings: FundApps InfoSec Training.

  • Desired level of competency: Pass the annual Information Security Test.

If gaps are identified against the required competencies, FundApps will define a set of actions to remediate them. These actions may include training, mentoring, or hiring or contracting competent persons.

Performance Evaluation

For each indicator below, the table records what will be monitored and measured, the method for monitoring and measurement, the metric used, the target, and when the measurement will be done. In every case the Security Team shall monitor and measure.

Protection of sensitive data managed by FundApps' Information Systems

  • Method: Incident register

  • Metric: # of data breaches in the last 12 months

  • Target: 0

  • When: Annually and after an incident has occurred

Information Systems misused, damaged or abused

  • Method: Incident register

  • Metric: # of C1 or C2 security incidents in the last 12 months

  • Target: 0

  • When: Annually and after an incident has occurred

Information Systems misused, damaged or abused

  • Method: Incident register

  • Metric: # of C1, C2 or C3 security incidents in the last 12 months linked to a third-party supplier

  • Target: 0

  • When: Annually and after an incident has occurred

Demonstrate a high level of competence and expertise in Information Security

  • Method: Client dissatisfaction with security practices

  • Metric: # of clients lost due to Information Security issues in the last 12 months

  • Target: 0

  • When: Annually

Demonstrate a high level of competence and expertise in Information Security

  • Method: Prospect dissatisfaction with security practices

  • Metric: # of deals with prospects lost due to Information Security issues in the last 12 months

  • Target: <5% of closed-lost deals

  • When: Annually

Compliance with security standards

  • Method: ISO certification audit

  • Metric: ISO 27001 certification maintained

  • Target: Yes

  • When: Annually

Compliance with security standards

  • Method: SOC 2 Type II Report

  • Metric: SOC 2 Type II Report maintained in the last 12 months

  • Target: Yes

  • When: Annually

Foster a culture of security awareness within FundApps

  • Method: Incident register

  • Metric: # of C1, C2, C3 or Internal security incidents resulting from lack of security awareness (e.g. phishing) in the last 12 months

  • Target: 0 C1, 0 C2, 0 C3, <10 Internal

  • When: Annually and after an incident has occurred

Foster a culture of security awareness within FundApps

  • Method: Phishing test

  • Metric: % of users who click on test phishing emails

  • Target: <5%

  • When: After each phishing test

Foster a culture of security awareness within FundApps

  • Method: Phishing test

  • Metric: % of users who report a test phishing email

  • Target: >20%

  • When: After each phishing test

Information Security and Business Continuity Risks

  • Method: Risk assessments and reviews

  • Metric: # of risks above the risk tolerance level

  • Target: 0

  • When: Annually and when a new risk is identified

Audit Findings

  • Method: Internal or external audit

  • Metric: # and severity of findings identified during the last internal audit

  • Target: 0 major non-conformities

  • When: Following an internal or external audit

Liability due to an Information Security Incident

  • Method: Lawsuits

  • Metric: # of lawsuits, fines or losses due to a security incident in the last 12 months

  • Target: 0

  • When: Annually and following a lawsuit

Business Continuity Plan Effectiveness

  • Method: BCP test report

  • Metric: Impact the last activation of the BCP had on business activity and clients

  • Target: No impact

  • When: Annually

Disaster Recovery Plan Effectiveness

  • Method: DR test report

  • Metric: Service return time during the last DR test

  • Target: All components' RTOs met; all components' RPOs met

  • When: Annually

Security of FundApps' platform

  • Method: Penetration test report

  • Metric: # and severity of findings in the last penetration test

  • Target: 0 Critical and High vulnerabilities

  • When: Annually

Analysis of performance

Based on these indicators, FundApps will assess whether its ISMS is performing efficiently and whether root causes of underperformance are being identified and managed appropriately.

Management Review

At least once per calendar year, a review of the ISMS will be done to ensure its continuing suitability, adequacy and effectiveness.

Attendees

The annual management review meeting will have the following attendees:

  • the ISMS Implementer,

  • the ISMS Manager, and

  • at least one member from the Leadership Team, which can be the ISMS Manager.

Agenda

The agenda will include the following topics:

  1. Status of actions from previous management reviews

  2. Relevant changes in external and internal issues

  3. Performance of the ISMS

    1. Audit results, non-conformities and corrective actions

    2. Monitoring and measurement results

    3. Information Security Objectives

  4. Feedback from interested parties

  5. Results of risk assessment and status of the risk treatment plan

  6. Opportunities for continual improvement

Information Security Management Policy

FundApps is committed to a robust implementation of Information Security Management. All our hosting environments are certified to ISO 27001. As an organisation we endeavour to align our processes to ISO 27001 and the NIST Cyber Security Framework.

We are specifically committed to preserving the confidentiality, integrity and availability of data and documentation supplied by, generated by and held on behalf of our clients. The principles defined in this policy will be applied to all of the physical and electronic information assets for which FundApps is responsible.

Our senior management team are directly responsible for ensuring that all FundApps staff have been made aware of these procedures and their contents.

All employees have access to these policies and procedures, are required to abide by them, and are encouraged to regularly review and update them in their relevant areas.

Definitions

Information security is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It focuses primarily on the confidentiality, integrity and availability of data.

FundApps Data, for the purposes of this policy, is data owned, processed or held by FundApps, whether primary or secondary, irrespective of storage location. It is used interchangeably with the term ‘information’.

Context of the organisation

FundApps, headquartered in London, United Kingdom, helps investment managers to harness the power of community and technology to automate regulatory compliance.

There are a number of internal and external factors that create uncertainty that gives rise to risk. These include:

Internal Issues

Information

  • FundApps processes the following types of information which require adequate protection:

    • sensitive client information,

    • personal data,

    • sensitive FundApps intellectual property.

People

  • Staff turnover,

  • Induction of new joiners,

  • Staff role changes,

  • High rate of recruitment due to rapid growth.

Organisation

  • Use of contractors,

  • Staff working in different time zones.

Products/Services

  • Alignment of products with evolving regulations,

  • FundApps services’ competitive advantage relies partly on its intellectual property.

Systems and Processes

  • Security or resilience issues with FundApps' information systems,

  • Lack of process documentation.

External Issues

Political Factors

  • War in Eastern Europe,

  • Divergence of regulations between the UK and EU following Brexit,

  • Changes made to regulations,

  • Commercial war between the USA and China.

Economic Factors

  • Economic recession,

  • Market conditions affect our clients' ability to subscribe to FundApps’ services,

  • Higher staff costs due to increasing demand for software engineers or regulatory experts in a constrained market.

Social Factors

  • Increase in working from home and bring-your-own-device practices,

  • Public services industrial action in the UK.

Technological Factors

  • Fast-evolving threat landscape (e.g. ransomware campaigns),

  • Increased expectations from clients to manage their own security (e.g. Bring Your Own Key, export of audit logs to the client's SIEM),

  • Rise of Artificial Intelligence.

Environmental Factors

  • Pandemic affects how people work.

Legal Factors

  • More lenient financial regulations make our products less appealing,

  • Regulations on personal data such as GDPR,

  • Regulations on access to MNPI and insider trading,

  • Technology-related legislation, such as the Computer Misuse Act 1990 or the Freedom of Information Act 2000,

  • Intellectual property concerns related to the use of open source software.

Objectives

The objectives of the ISMS are:

Each objective is listed with the measurement used to assess it.

1) Ensure the protection of sensitive data managed by FundApps' Information Systems.

Measurement: Zero data breaches.

2) Ensure the protection of all FundApps Information Systems against the risks of unauthorised access, misuse, damage and abuse.

Measurement: Zero FundApps Information Systems compromised, misused, damaged or abused.

3) Demonstrate a high level of competence and expertise in Information Security.

Measurement: Zero clients lost due to Information Security issues.

4) Maintain compliance with security standards.

Measurement: Maintain ISO 27001 certification and SOC 2 Type II Reports.

5) Foster a culture of security awareness within FundApps.

Measurement: Zero security incidents resulting from lack of security awareness (e.g. phishing).

6) Protect FundApps from liability or damage due to an Information Security Incident.

Measurement: Zero lawsuits, fines or losses due to a security incident.

7) Maintain a cycle of continuous improvement.

Measurement: All non-conformities with the ISO 27001 standard are prioritised for remediation.

Scope

Information security principles

The following eight information security principles provide overarching governance for the security and management of information at FundApps.

  1. Staff with particular responsibilities for information are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.

  2. All users covered by the scope of this policy must handle information appropriately and in accordance with its classification level.

  3. As far as is reasonably possible, endeavours must be made to ensure data is complete, relevant, accurate, timely and consistent.

  4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.

  5. Information will be protected against unauthorized access and processing in accordance with its classification level.

  6. Information will be protected against loss or corruption.

  7. Breaches of this policy must be reported.

Legal & Regulatory Obligations

FundApps has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements. Relevant legislation includes:

  • The Computer Misuse Act 1990

  • General Data Protection Regulation 2018

  • Data Protection Act 2018

  • The Freedom of Information Act 2000

  • Regulation of Investigatory Powers Act 2000

  • Copyright, Designs and Patents Act 1988

  • Defamation Act 1996

  • Obscene Publications Act 1959

  • Protection of Children Act 1978

  • Criminal Justice Act 1988

  • Digital Economy Act 2010

A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided below. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.

Key Legislation Summary

The Computer Misuse Act 1990 defines offences in relation to the misuse of computers as:

  1. Unauthorised access to computer material.

  2. Unauthorised access with intent to commit or facilitate commission of further offences.

  3. Unauthorised modification of computer material.

  3ZA. Unauthorised acts causing, or creating risk of, serious damage.

  3A. Making, supplying or obtaining articles for use in an offence under section 1, 3 or 3ZA.

The General Data Protection Regulation 2018 (GDPR) defines obligations for businesses and organisations that collect, process and store individuals' personal data. GDPR outlines seven data protection principles which relate to:

  1. Lawfulness, fairness and transparency

  2. Purpose limitation

  3. Data minimisation

  4. Accuracy

  5. Storage limitation

  6. Integrity and confidentiality (security)

  7. Accountability

Data Protection Act 2018

GDPR and DPA 2018 are based on the same principles. The main differences between the two are around:

  • Freedom of information,

  • Compliance reports,

  • Data subject access request,

  • Age of consent,

  • Information Commissioner’s Office codes of practice,

  • National security and crime.

Supporting Policies, Codes of Practice, Procedures and Guidelines

Compliance, Policy Awareness and Disciplinary Procedures

Any security breach of FundApps information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act 1998, contravenes FundApps Data Protection Policy, and may result in criminal or civil action against FundApps.

The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against FundApps. Therefore it is crucial that all users of the FundApps information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.

All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.

Any security breach will be handled in accordance with all relevant FundApps policies, including the Conditions of Use of IT Facilities at FundApps and the appropriate disciplinary policies.

Incident Handling

Review and Development

This policy, and its subsidiaries, shall be reviewed by FundApps and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.

FundApps ensures that all changes to the ISMS are carried out in a planned and controlled manner, in alignment with our Continual Improvement Process.

Interested Parties

The list of interested parties in FundApps' ISMS and their requirements are as follows:

For each interested party, the table records their requirements on the ISMS and which of these requirements will be addressed through the information security management system.

Clients

  • Requirements on the ISMS: Provide service in line with contractual Service Level Agreements; protect client data from unauthorised access.

  • Addressed through the ISMS: All – managed through security controls, data protection measures, and compliance frameworks.

Staff and contractors

  • Requirements on the ISMS: Provide a secure Information System to allow them to perform their jobs.

  • Addressed through the ISMS: All – addressed through access controls, security policies, and infrastructure protections.

Owners and Investors

  • Requirements on the ISMS: Provide a cost-effective, safe and secure Information System which allows FundApps to be profitable, attract new clients and develop new services.

  • Addressed through the ISMS: All – managed through risk management, security governance, and business continuity planning.

Suppliers

  • Requirements on the ISMS: Operate a secure Information System which prevents security incidents from impacting the supplier's Information System (e.g. malware propagation).

  • Addressed through the ISMS: All – addressed through vendor security assessments, integration controls, and incident response measures.

Regulators

  • Requirements on the ISMS: Operate a secure Information System which complies with applicable laws and regulations.

  • Addressed through the ISMS: All – ensured through ISMS policies, audits, and regulatory compliance programs.

Objective Plan

The following table describes the plan for 2025 to achieve FundApps' objectives.

Statement of Applicability

Statement of Applicability version 2025-02. The following table summarises the controls that are relevant and applicable to FundApps' Information Security Management System in accordance with the requirements of ISO 27001:2022.

Internal Audit Policy

Objective

This policy defines the internal audit process of FundApps' Information Security Management System (ISMS).

Scope

Frequency and Coverage

Internal audits shall be performed against FundApps' ISMS at planned intervals at least once per year.

Over a three-year period there will be three internal audits:

  • one audit will cover the entire scope of the ISMS

  • two audits will cover at least one third of the ISMS.

Internal Auditor

The internal auditor shall be appointed by the ISMS Manager. The auditor may be a member of FundApps staff or an external trusted third-party auditor. Auditor selection shall be done to ensure the objectivity and impartiality of the audit process.

Internal Audit Process

Audit Planning

Audits shall be planned in advance and the ISMS Manager shall be notified no less than 5 business days ahead of time.

The internal auditor shall prepare the audit plan, which shall define the parts of the ISMS, including the controls, that shall be audited.

Amongst others, the audit plan must take as an input the following items:

  • Security related incidents that have occurred since last audit;

  • Changes made to the Information Security Policy;

  • Changes made to Information Security controls;

  • Improvements made to the ISMS.

The resulting audit plan must be validated by the ISMS Manager.

Upon validation, the internal auditor must communicate the plan to the interested parties.

Audit Preparation

The internal auditor shall collect and study the previous audit findings and outstanding issues. They shall also prepare relevant documents required for the audit (e.g. ISMS Audit checklist).

Conduct Audit

During the audit, the internal auditor shall find relevant evidence to ascertain that:

  • The information security policy reflects the current business requirements;

  • An appropriate risk assessment methodology is being used;

  • Documented procedures (within the scope of the ISMS) are being followed and are meeting their objectives;

  • Controls are in place and working as intended;

  • Residual risks have been assessed correctly and are within FundApps' risk appetite and risk tolerance levels;

  • The agreed actions from the previous audits have been implemented;

  • The ISMS is compliant with ISO 27001.

Audit Reporting

The internal auditor shall prepare an audit report based on the audit findings. Findings shall be labelled according to their severity and priority level:

  • Major Non-Conformity – A major deficiency in the ISMS. It exists if one or more elements of the ISO/IEC 27001:2022 Information Security standard are not implemented, and the finding has a direct effect on information security, specifically on the preservation of the confidentiality, integrity and availability of information assets.

  • Minor Non-Conformity – A minor deficiency. One or more elements of the ISMS are only partially complied with. Minor non-conformities have an indirect effect on information security.

  • Observations/Potential Improvements – An audit recommendation for improvement, for consideration by FundApps.

The internal auditor shall send the audit report to the ISMS Manager and the ISMS Implementer.

Audit Remediation

According to the audit findings and the non-conformity levels, an action plan and a potential follow-up audit shall be defined by the ISMS Implementer and validated by the ISMS Manager. The scope of a follow-up audit is limited to the non-conformity, and the same mechanisms that produced the finding are used.

Appendix

Internal Audit Template

Internal and External Communication Plan

Internal communication regarding this ISMS will be conducted as described below:

The plan to achieve these objectives is described in the .

cf.

Information should be recorded in our information asset register, with the Information Systems which make use of it, classified in accordance with our and in accordance with relevant legislative, regulatory and contractual requirements.

Risks to information security should be assessed and assigned an owner in accordance with our

If a member staff is aware of an information security incident then they must report it to the Head of Information Security, the CEO or the CTO immediately. For more information, please see our .

Objective
What will be done
Responsible
Resources required
Evaluation
Est. completion date
ISO Control
Description
Applicable
Business Requirement
Contractual Requirement
Legal Requirement
Implemented

The scope of the internal audit is FundApps' Information Security Management System (ISMS), which is described in .

Finding No.
Major Non-Conformity | Minor Non-Conformity | Observations/Potential Improvements
Description
ISO 27001 Clause No.
Remediation Action
Remediation Deadline
Status
Evidence of remediation
What to communicate
Whom shall communicate
Whom to communicate to
When to communicate
How to communicate
Objective Plan
ISMS Scope
data classification policy
risk management framework
Data Classification Policy
Incident Response Policy
ISMS Risk Register [Restricted to FundApps Staff]
Incident Response Policy

Objective: 1) Ensure the protection of non-public data managed by FundApps' Information Systems.
What will be done: Reduce the need for Client Success staff to access client environments.
Responsible: Security team
Resources required: Security team, Engineering time, CS team
Evaluation: CS can manage the health of a client without needing to log into the client environment.
Est. completion date: End of December 2025

Objective: 2) Ensure the protection of all FundApps Information Systems against the risks of unauthorised access, misuse, damage and abuse.
What will be done: Implement new security practices (i.e., threat modeling and bug bounty).
Responsible: Security team
Resources required: Budget for the bug bounty program, Engineering time, Security team
Evaluation: Bug bounty program implemented for a trial period; teams conducted threat modeling on all new systems.
Est. completion date: End of December 2025

Objective: 3) Maintain compliance with security standards.
What will be done: Maintain a SOC 2 Type II report and ISO 27001 attestations.
Responsible: Security team
Resources required: Internal and external auditors
Evaluation: Results of the ISO 27001:2022 and SOC 2 audits.
Est. completion date: End of December 2025

Objective: 4) Maintain a cycle of continuous improvement.
What will be done: Remediate findings identified by audits.
Responsible: Security team
Resources required: Ad-hoc
Evaluation: All non-conformities have been remediated.
Est. completion date: End of December 2025

Objective: 5) Foster a culture of security awareness within FundApps.
What will be done: Provide team-specific Information Security training.
Responsible: Security team
Resources required: Security team time
Evaluation: Provided targeted training for staff with higher rates of security incidents; results of an advanced phishing exercise.
Est. completion date: End of December 2025

Objective: 6) Demonstrate a high level of competence and expertise in Information Security.
What will be done: Ensure that our platform upholds top-tier security features.
Responsible: Security team
Resources required: Security team, Engineering time
Evaluation: Implemented an audit trail streaming feature that integrates with clients' SIEM tools.
Est. completion date: End of December 2025

Objective: 7) Protect FundApps from liability or damage due to an Information Security Incident.
What will be done: Reduce the security impact of third-party agents.
Responsible: Security team
Resources required: Security team, Engineering time
Evaluation: Reduced the number of third-party agents on endpoints and production infrastructure; evaluated the residual risk of all remaining agents.
Est. completion date: End of December 2025

Objective: 8) Comply with new and upcoming regulations.
What will be done: Comply with the DORA regulation.
Responsible: Security team
Resources required: Security team, Legal team
Evaluation: Implemented policies and guidelines that ensure our compliance with DORA.
Est. completion date: January 17, 2025

Objective: 9) Strengthen platform resilience and disaster recovery.
What will be done: Broaden scenario coverage, automate DR plan execution, and integrate DR plans into incident management procedures.
Responsible: Security team
Resources required: Security team, Engineering time
Evaluation: Reduced time to run disaster recovery tests; DR plans are integrated into incident management procedures.
Est. completion date: End of December 2025

5.1

Policies for information security

Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur.

Yes

X

X

Yes

5.2

Information security roles and responsibilities

Information security roles and responsibilities shall be defined and allocated according to FundApps' needs.

Yes

X

X

Yes

5.3

Segregation of duties

Conflicting duties and conflicting areas of responsibility shall be segregated.

Yes

X

X

Yes

5.4

Management responsibilities

Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization.

Yes

X

X

Yes

5.5

Contact with authorities

FundApps shall establish and maintain contact with relevant authorities.

Yes

X

X

Yes

5.6

Contact with special interest groups

FundApps shall establish and maintain contact with special interest groups or other specialist security forums and professional associations.

Yes

X

Yes

5.7

Threat intelligence

Information relating to information security threats shall be collected and analysed to produce threat intelligence.

Yes

X

Yes

5.8

Information security in project management

Information security shall be integrated into project management.

Yes

X

X

Yes

5.9

Inventory of information and other associated assets

An inventory of information and other associated assets, including owners, shall be developed and maintained.

Yes

X

X

Yes

5.10

Acceptable use of information and other associated assets

Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented.

Yes

X

Yes

5.11

Return of assets

Personnel and other interested parties as appropriate shall return all the organization's assets in their possession upon change or termination of their employment, contract or agreement.

Yes

X

Yes

5.12

Classification of information

Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements.

Yes

X

X

Yes

5.13

Labelling of information

An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization.

Yes

X

Yes

5.14

Information transfer

Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.

Yes

X

X

Yes

5.15

Access control

Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.

Yes

X

X

Yes

5.16

Identity management

The full life cycle of identities shall be managed.

Yes

X

X

Yes

5.17

Authentication information

Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information.

Yes

X

X

Yes

5.18

Access rights

Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control.

Yes

X

X

Yes

5.19

Information security in supplier relationships

Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of suppliers' products or services.

Yes

X

X

Yes

5.20

Addressing information security within supplier agreements

Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship.

Yes

X

X

Yes

5.21

Managing information security in the information and communication technology (ICT) supply chain

Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain.

Yes

X

X

Yes

5.22

Monitoring, review and change management of supplier services

The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery.

Yes

X

X

Yes

5.23

Information security for use of cloud services

Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements.

Yes

X

Yes

5.24

Information security incident management planning and preparation

The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities.

Yes

X

X

Yes

5.25

Assessment and decision on information security events

The organization shall assess information security events and decide if they are to be categorized as information security incidents.

Yes

X

X

Yes

5.26

Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures.

Yes

X

X

Yes

5.27

Learning from information security incidents

Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.

Yes

X

Yes

5.28

Collection of evidence

The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.

Yes

X

Yes

5.29

Information security during disruption

The organization shall plan how to maintain information security at an appropriate level during disruption.

Yes

X

X

Yes

5.30

ICT readiness for business continuity

ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.

Yes

X

Yes

5.31

Legal, statutory, regulatory and contractual requirements

Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date.

Yes

X

X

X

Yes

5.32

Intellectual property rights

The organization shall implement appropriate procedures to protect intellectual property rights.

Yes

X

Yes

5.33

Protection of records

Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release.

Yes

X

Yes

5.34

Privacy and protection of personal identifiable information (PII)

The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.

Yes

X

X

X

Yes

5.35

Independent review of information security

The organization's approach to managing information security and its implementation, including people, processes and technologies, shall be reviewed independently at planned intervals, or when significant changes occur.

Yes

X

Yes

5.36

Compliance with policies, rules and standards for information security

Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed.

Yes

X

X

Yes

5.37

Documented operating procedures

Operating procedures for information processing facilities shall be documented and made available to personnel who need them.

Yes

X

X

Yes

6.1

Screening

Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks.

Yes

X

X

Yes

6.2

Terms and conditions of employment

The employment contractual agreements shall state the personnel’s

Yes

X

X

X

Yes

6.3

Information security awareness, education and training

Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function.

Yes

X

X

Yes

6.4

Disciplinary process

A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Yes

X

X

Yes

6.5

Responsibilities after termination or change of employment

Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties.

Yes

X

X

Yes

6.6

Confidentiality or non-disclosure agreements

Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties.

Yes

X

X

X

Yes

6.7

Remote working

Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises.

Yes

X

Yes

6.8

Information security event reporting

The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Yes

X

X

Yes

7.1

Physical security perimeters

Security perimeters shall be defined and used to protect areas that contain information and other associated assets.

Yes

X

X

Yes

7.2

Physical entry

Secure areas shall be protected by appropriate entry controls and access points.

Yes

X

X

Yes

7.3

Securing offices, rooms and facilities

Physical security for offices, rooms and facilities shall be designed and implemented.

Yes

X

X

Yes

7.4

Physical security monitoring

Premises shall be continuously monitored for unauthorized physical access.

Yes

X

X

Yes

7.5

Protecting against physical and environmental threats

Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented.

Yes

X

X

X

Yes

7.6

Working in secure areas

Security measures for working in secure areas shall be designed and implemented.

Yes

X

X

Yes

7.7

Clear desk and clear screen

Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced.

Yes

X

X

Yes

7.8

Equipment siting and protection

Equipment shall be sited securely and protected.

No

N/A - managed by a third-party

7.9

Security of assets off premises

Off-site assets shall be protected.

No

N/A - managed by a third-party

7.10

Storage media

Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization’s classification scheme and handling requirements.

Yes

X

N/A - managed by a third-party

7.11

Supporting utilities

Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities.

No

N/A - managed by a third-party

7.12

Cabling security

Cables carrying power, data or supporting information services shall be protected from interception, interference or damage.

No

N/A - managed by a third-party

7.13

Equipment maintenance

Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.

No

N/A - managed by a third-party

7.14

Secure disposal or reuse of equipment

Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software have been removed or securely overwritten prior to disposal or reuse.

No

N/A - managed by a third-party

8.1

User end point devices

Information stored on, processed by or accessible via user end point devices shall be protected.

Yes

X

X

Yes

8.2

Privileged access rights

The allocation and use of privileged access rights shall be restricted and managed.

Yes

X

X

Yes

8.3

Information access restriction

Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

Yes

X

X

Yes

8.4

Access to source code

Read and write access to source code, development tools and software libraries shall be appropriately managed.

Yes

X

X

Yes

8.5

Secure authentication

Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

Yes

X

X

Yes

8.6

Capacity management

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Yes

X

X

Yes

8.7

Protection against malware

Protection against malware shall be implemented and supported by appropriate user awareness.

Yes

X

X

Yes

8.8

Management of technical vulnerabilities

Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.

Yes

X

X

Yes

8.9

Configuration management

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

Yes

X

X

Yes

8.10

Information deletion

Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.

Yes

X

X

Yes

8.11

Data masking

Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Yes

X

X

Yes

8.12

Data leakage prevention

Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Yes

X

X

Yes

8.13

Information backup

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Yes

X

X

Yes

8.14

Redundancy of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Yes

X

X

Yes

8.15

Logging Control

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

Yes

X

X

Yes

8.16

Monitoring activities

Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

Yes

X

X

Yes

8.17

Clock synchronization

The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

Yes

X

Yes

8.18

Use of privileged utility programs

The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.

Yes

X

X

Only on production infrastructure

8.19

Installation of software on operational systems

Procedures and measures shall be implemented to securely manage software installation on operational systems.

Yes

X

X

Yes

8.20

Networks security

Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.

Yes

X

X

Yes

8.21

Security of network services

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

Yes

X

X

Yes

8.22

Segregation of networks

Groups of information services, users and information systems shall be segregated in the organization’s networks.

Yes

X

X

Yes

8.23

Web filtering

Access to external websites shall be managed to reduce exposure to malicious content.

Yes

X

X

Only on systems used to access client data.

8.24

Use of cryptography

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

Yes

X

X

Yes

8.25

Secure development life cycle

Rules for the secure development of software and systems shall be established and applied.

Yes

X

X

Yes

8.26

Application security requirements

Information security requirements shall be identified, specified and approved when developing or acquiring applications.

Yes

X

X

Yes

8.27

Secure system architecture and engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.

Yes

X

X

Yes

8.28

Secure coding

Secure coding principles shall be applied to software development.

Yes

X

X

Yes

8.29

Security testing in development and acceptance

Security testing processes shall be defined and implemented in the development life cycle.

Yes

X

X

Yes

8.30

Outsourced development

The organization shall direct, monitor and review the activities related to outsourced system development.

Yes

X

X

N/A - development is not outsourced

8.31

Separation of development, test and production environments

Development, testing and production environments shall be separated and secured.

Yes

X

X

Yes

8.32

Change management

Changes to information processing facilities and information systems shall be subject to change management procedures.

Yes

X

X

Yes

8.33

Test information

Test information shall be appropriately selected, protected and managed.

Yes

X

Yes

8.34

Protection of information systems during audit testing

Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.

Yes

X

Yes

Document Control Policy

Objective

Define the version control, change approval and review cycle of FundApps policies.

Scope

FundApps Information Security, Risk Management and Business Continuity policies.

Policy

Version control

Policies in scope shall be versioned using git. Any change to a policy is tied to a commit ID and an author; this information is stored in the policies' git log.

Change approval

Policies in scope shall be approved by a member of the leadership team. These approvals will be stored in the policies git log.

Review Cycle

Policies in scope shall be reviewed annually by the Head of Information Security and at least one member of the Leadership Team.

ISMS Scope

Internal Audit Plan for a 3 year cycle

This plan describes how the Internal Audit is split over 3 years, so that over each 3-year cycle the entirety of FundApps' Information Security Management System is audited.

Once a 3-year cycle is completed, a new 3-year cycle begins.

Year 1

This internal audit shall cover the following elements:

  • Clauses 4 to 10;

  • All Annex A controls in scope as per the statement of applicability.

The audit will be performed before the end of June of year 1.

Year 2

This internal audit shall cover the following elements:

  • Clauses 4 to 10;

  • Annex A controls in scope as per the statement of applicability, from A.5.1 to A.6.8 included.

The audit will be performed before the end of June of year 2.

Year 3

This internal audit shall cover the following elements:

  • Clauses 4 to 10;

  • Annex A controls in scope as per the statement of applicability, from A.7.1 to A.8.34 included.

The audit will be performed before the end of June of year 3.

What to communicate: Changes to the Information Security Management Policy (changes to Risk Management, Information Security and Business Continuity Policies; changes to the Software Development Policy; changes to Personnel and Safety Policies)
Who shall communicate: Information Security Lead or CTO
Whom to communicate to: Employees, Contractors, Leadership team, Clients, Prospects
When to communicate: Ad-hoc
How to communicate: Via FundApps policy portal

What to communicate: Risks above risk tolerance
Who shall communicate: Information Security Lead or CTO
Whom to communicate to: Leadership team, Risk owner
When to communicate: Ad-hoc
How to communicate: Via Risk Register

What to communicate: Findings from internal or external audits
Who shall communicate: Information Security Lead or CTO
Whom to communicate to: Employees, Leadership team
When to communicate: Ad-hoc
How to communicate: Shortcut and/or Notion

What to communicate: Availability of FundApps' platform
Who shall communicate: Information Security Lead or CTO
Whom to communicate to: Employees, Contractors, Leadership team, Clients, Prospects
When to communicate: Daily
How to communicate: Via FundApps' status page

What to communicate: Changes in security and privacy related contractual requirements
Who shall communicate: Information Security Lead or CTO
Whom to communicate to: Contractors, Providers
When to communicate: Ad-hoc
How to communicate: Via email

Continual Improvement Process

Objective

This process aims to allow FundApps to continually improve the suitability, adequacy and effectiveness of the information security management system.

Scope

ISMS Change Management Process

Nonconformities of FundApps' Information Security Management System with ISO 27001:2022.

Policy

ISMS Change Management Process

FundApps ensures that all changes to the Information Security Management System are carried out in a planned manner and controlled in accordance with ISO 27001 Clause 6.3.

To ensure a structured approach to ISMS changes, FundApps follows these key steps:

  1. Identifying & Assessing Changes

  • Changes may be identified through internal reviews, ISMS performance reviews, audits, risk assessments, regulatory updates, or feedback from stakeholders.

  • Each change is assessed for potential impacts on security objectives, risk posture, and existing controls.

  2. Planning & Approval

  • Changes are reviewed and approved by relevant stakeholders before implementation to ensure alignment with security and business objectives.

  3. Implementation & Documentation

  • Approved changes are implemented following a structured approach to minimise security risks and operational disruptions.

  • All changes are documented in accordance with FundApps' record-keeping requirements.

  4. Monitoring & Review

  • The effectiveness of implemented changes is monitored to ensure security objectives are met.

  • Any unintended consequences are reviewed, and corrective actions are taken as necessary.

  5. Control of External Processes

  • Any externally provided processes, products, or services that impact the ISMS are reviewed and controlled to maintain compliance and security integrity.

Management of nonconformities

FundApps shall implement the following process when nonconformities arise:

React to the nonconformity

FundApps shall react to the nonconformity as applicable by taking action to control and correct it and deal with its consequences.

Nonconformities can be identified daily through the use of FundApps' compliance monitoring tool, during annual internal audits, during the ISMS performance review and during the annual risk assessment.

Evaluate the root cause

FundApps shall evaluate the need for action to eliminate the causes of the nonconformity to ensure it does not occur again.

To do so FundApps shall:

  • review the nonconformity;

  • determine the cause of the nonconformity; and

  • determine if similar nonconformities exist or could potentially occur.

Remediate root cause

FundApps shall implement actions required to address the root cause of the nonconformity.

Determine effectiveness of the remediation

FundApps shall review the effectiveness of the remediation actions which have been taken and make further changes to the ISMS if necessary.

Retain evidence

FundApps shall retain evidence of:

  • the nature of the nonconformities and any subsequent action taken, and

  • the result of any remediation actions.

Non-conformities will be logged in Shortcut, a ticketing system.

The remediation action and a deadline will be logged in Shortcut for each non-conformity.

Once the action has been implemented, the corresponding Shortcut story will be marked as done.