Protection of sensitive data managed by FundApps' Information Systems
Incident register
# of data breaches in last 12 months
0
Annually and after incident occurred
Security Team
Information Systems misused, damaged or abused.
Incident register
# of C1 or C2 security incidents in the last 12 months
0
Annually and after incident occurred
Security Team
Information Systems misused, damaged or abused.
Incident register
# of C1, C2 or C3 security incidents in the last 12 months linked to a third-party supplier.
0
Annually and after incident occurred
Security Team
Demonstrate a high level of competence and expertise in Information Security
Client dissatisfaction of security practices
# of clients lost due to Information Security issues in last 12 months
0
Annually
Security Team
Demonstrate a high level of competence and expertise in Information Security
Prospect dissatisfaction of security practices
# of deals with prospects lost due to Information Security issues in last 12 months
<5% closed lost deals
Annually
Security Team
Compliance with security standards.
ISO certification audit
ISO 27001 certification maintained
Yes
Annually
Security Team
Compliance with security standards.
SOC 2 Type II Report
SOC 2 Type II Report maintained in last 12 months
Yes
Annually
Security Team
Foster a culture of security awareness within FundApps
Incident register
# of C1, C2, C3 or Internal security incidents resulting from lack of security awareness (e.g. phishing) in last 12 months
0 C1 0 C2 0 C3 <10 internals
Annually and after incident occurred
Security Team
Foster a culture of security awareness within FundApps
Phishing test
% of users who click on test phishing emails
<5%
After each phishing test
Security Team
Foster a culture of security awareness within FundApps
Phishing test
% of users who report a test phishing email
>20%
After each phishing test
Security Team
Information Security and Business Continuity Risks
Risk assessments and reviews
# of risks above the risk tolerance level
0
Annually and following risk is identified
Security Team
Audit Findings
Internal or external audit
# and severity of findings identified during last internal audit
0 major non-conformities
Following internal or external audit
Security Team
Liability due to an Information Security Incident.
Law suits
# of law suits, fines or losses due to a security incident in last 12 months
0
Annually and following law suit
Security Team
Business Continuity Plan Effectiveness
BCP test report
Impact the last activation of BCP had on business activity and clients
No impact
Annually
Security Team
Disaster Recovery Plan Effectiveness
DR test report
Service return time during last DR Test
All components RTOs met All components RPOs met
Annually
Security Team
Security of FundApps' platform
Penetration test report
# and severity of findings in last penetration test
0 Critical and High vulnerabilities
Annually
Security Team
Based on these indicators, FundApps will assess whether its ISMS is performing efficiently and whether root causes of underperformance are being identified and managed appropriately.
At least once per calendar year, a review of the ISMS will be done to ensure its continuing suitability, adequacy and effectiveness.
The annual management review meeting will have the following attendees:
the ISMS Implementer,
the ISMS Manager, and
at least one member from the Leadership Team, which can be the ISMS Manager.
The agenda will include the following topics:
Status of actions from previous management reviews
Relevant changes in external and internal issues
Performance of the ISMS
Audit results, non-conformities and corrective actions
Monitoring and measurement results
Information Security Objectives
Feedback from interested parties
Results of risk assessment and status of the risk treatment plan
Opportunities for continual improvement