Gain Central It Information Security Manager

Year    Mumbai, Maharashtra, India

Job Description

Main Responsibilities:
The Information Security Manager is responsible for proactively managing and improving our Information Security Management System, driving risk reduction and security maturity across the organisation, and partnering with IT, Engineering, Legal, Procurement, and senior leadership.

  • Own the Statement of Applicability (SoA), mapping controls to Annex A and ensuring evidence of control design and operating effectiveness.
  • Plan and execute the internal audit programme; coordinate surveillance and recertification audits; manage corrective and preventive actions.
  • Maintain the policy framework (classification, access control, cryptography, secure development, change, supplier security, etc.) with robust document control.
  • Own the risk management cycle: identification, assessment, treatment plans, residual risk acceptance, and risk register maintenance.
  • Manage the communication of the ISMS with all interested parties, including training, processes and documentation for employees, effective reporting of measurement against objectives to senior leadership, and responding to client information security questionnaires.
  • Play a key role in the assessment, review and continuous monitoring of supplier organisations and technology partners.
  • Maintain the Incident Response Plan and runbooks; lead incident handling, forensics coordination, and post-incident reviews.
  • Align security with Business Continuity and Disaster Recovery, e.g. RPO/RTO requirements, backup/restore testing, resilience of critical suppliers.
  • Define and report security KPIs to the Information Security committee, e.g. patch compliance, incidents, risks, phishing fail rate, incident metrics, control coverage, audit findings.
  • Work with IT, Operations, Engineering and wider business units to help identify risks and to scale good practice.
Professional skills/experience:
  • 5+ years in information security with hands-on ownership of an ISO 27001 ISMS.
  • Proven experience delivering Cyber Essentials Plus from scoping through remediation and assessment with an IASME-accredited assessor.
  • Industry certification such as ISO 27001 Lead Implementer or Lead Auditor, CISSP, CISM, CCSP, NCSC CCP.
  • Strong grasp of ISO/IEC 27001:2022 & 27002:2022 controls, risk management, internal audit, and management review.
  • Able to translate security risk into business impact and influence stakeholders at all levels.
Personal Qualities
  • Problem solver.
  • Great with people, can build trust and rapport across the entire organisation.
  • Good communicator with clients and internally.
  • Team player, committed and flexible.
  • Ability to prioritise and quickly resolve issues.
  • Attention to detail.

Skills Required

IT


Job Detail

  • Job Id
    JD4287720
  • Industry
    Not mentioned
  • Total Positions
    1
  • Job Type:
    Full Time
  • Salary:
    Not mentioned
  • Employment Status
    Permanent
  • Job Location
    Mumbai, Maharashtra, India
  • Education
    Not mentioned
  • Experience
    Year