This role reports directly to the Head of Risk and Compliance and works closely with the business to identify and manage the firm's risks around information/cyber security and data protection.
The role ensures compliance with our accreditations, including ISO27001 and Cyber Essentials Plus, as well as with our clients' requirements around information/cyber security and data protection.
Key responsibilities include:
- Managing our Information Security Management System (ISMS), including the ISMS objectives, to ensure compliance with ISO27001, Cyber Essentials Plus, any other accreditations and our client requirements
- Reviewing, implementing and embedding our information and cyber security policies
- Managing the annual internal audit programme and conducting internal audits
- Identifying and implementing the remediation actions required to close internal and external audit findings in a timely and effective manner
- Working with IT to ensure that security testing is planned and executed so that it effectively identifies key security risks
- Managing client audits and questionnaires relating to information/cyber security, understanding the impact of client requirements around information/cyber security, and ensuring appropriate escalation for approval
- Managing information/cyber security and data protection due diligence on our suppliers and third parties to ensure compliance with ISO27001, other accreditations and our client requirements
- Managing incidents and breaches involving information/cyber security and data protection, including escalation, mitigation, reporting and lessons learnt
- Completing and signing off Data Protection Impact Assessments (DPIAs), ensuring that security and data protection are appropriately considered, addressed and, where necessary, escalated
- Data protection compliance, including managing risks with data owners and completing and reviewing Records of Processing Activities (ROPAs) and Legitimate Interest Assessments (LIAs)
- Responding to data subject access requests and other requests under the rights of individuals
- Ensuring that effective training on information/cyber security and data protection is delivered in accordance with the R&C training plan, and using all available channels to raise awareness and embed our ISMS and security controls
- Chairing our Information Security Group and managing its agenda and actions
- Collaborating with other functions and business owners to provide expert advice on information and cyber security activities, and performing security assessments to confirm that controls and security requirements are actually implemented
- Preparing reports for the Information Security Group, the Risk and Compliance Committee and the Exec so that they have a clear understanding of key security risks
- Developing and evaluating proposals for implementing ISO27701 (the privacy information management extension to ISO27001)
Skills and experience:
- Proven working knowledge of ISO27001 and GDPR
- Information security and/or information technology industry certification (e.g. CISSP) strongly preferred
- Certified Information Security Manager (CISM) qualification desirable
- Knowledge of ISO9001 desirable