Role Profile – Information Security Officer
The ideal candidate will already be an experienced information security practitioner, with the knowledge required to drive forward a compliance-oriented and risk-focused security agenda in a complex, fast-paced environment.
- Lead on the development of a Group-wide Information Security Management System, aligned with the requirements of ISO27001 and the ISF’s Standard of Good Practice.
- Implement and maintain an information security policy framework (policy, standards and guidelines), reflective of statutory, regulatory and contractual security requirements.
- Operate the policy exemption process and manage local variances in accordance with perceived levels of risk.
- Deliver information security audits to assess the status of information security across the Group.
- Track and maintain compliance reports and actions needed to achieve compliance against policies, applicable regulations and internal / external findings.
- Implement and maintain the information risk management framework including risk assessment methodology and templates.
- Maintain the information risk register consisting of assets, threats and vulnerabilities, including likelihood and impact.
- Support the delivery of information risk assessments across the Group.
- Deliver the information security education and awareness programme aligned to PSL requirements and commercial best practice.
- Create and distribute information security communications, including articles, alerts and hot-topic information.
- Coordinate the implementation of information security policies and procedures across the Group.
- Liaise with the relevant parts of the administration, including Legal, Finance, Facilities and HR.
Knowledge, skills & experience
- Experience of establishing and maintaining an Information Security Management System in a large, complex environment.
- Proven track record of supporting the development of information security policies which are easily understood, effective and economical to implement.
- Thorough understanding of security technologies and associated functionality.
- Demonstrable experience in assessing and managing information security risk in a complex environment.
- Demonstrable experience in delivering information security training and awareness activities to a diverse range of stakeholders.
- Thorough understanding of the principles of end-to-end information security.
- Exhibit excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives.
- High level of personal integrity, as well as the ability to handle confidential matters, and show an appropriate level of judgment and maturity.
- Excellent written and oral communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and non-technical audiences.
- Graduate calibre with appropriate qualifications, such as CISA, CISM, CISSP.
The ideal candidate will be able to demonstrate the following qualities:
- Educated to bachelor’s degree level or holds a relevant professional qualification or has a proven level of experience.
- Aware of the application of automated systems to the support of specific business functions or processes.
- Interacts with people, establishing relationships and maintaining contacts with people from a variety of backgrounds. Effective and sensitive communicator.
- Exhibits knowledge of architectural principles for IT infrastructure (hardware, databases, operating systems, local area networks, etc.).
- Uses discretion in identifying and resolving complex problems and assignments. Determines when issues should be escalated to a higher level.
- Interacts with and influences department/project team members. Has working level contact with customers and suppliers. Makes decisions which may impact on the work assigned to individuals or phases of projects.
- Performs a broad range of work, sometimes complex and non-routine, in a variety of environments. Applies methodical approach to problem definition and resolution.