Information Security Officer

**Description**:

- We are seeking a proactive and knowledgeable Information Security Officer to support the business across all aspects of information security. This role is essential in maintaining and strengthening our security posture, ensuring compliance with our regulatory and legal requirements, including maintaining our ISO/IEC 27001 certification.
- Reporting to the Head of Information Security, you will play a key role in advising teams on security best practices, assisting with the implementation and continuous improvement of our Information Security Management System (ISMS), and supporting, audits, risk assessments, and incident response activities. You will collaborate with stakeholders across IT, risk, legal, and operations to ensure security is embedded in business processes and projects from the outset.
- This is a hands-on, business-facing role suited to someone passionate about helping teams operate securely while enabling the business to move with agility and confidence.

**Key Responsibilities**:

- Maintain and continuously improve the ISO/IEC 27001 ISMS across the business.
- Support the planning, coordination, and execution of internal audits related to information security controls and processes.
- Collect, analyse, and report on ISO 27001 objective metrics to monitor compliance and drive continuous improvement initiatives.
- Prepare and present divisional information security updates, risk posture insights, and performance indicators to the Group Head of Information Security.
- Develop, implement, and refine information security procedures, policies, and controls to ensure ongoing compliance with ISO/IEC 27001 and related standards.
- Support the Group Head of Information Security to shape the Information Security strategy.
- Identify, investigate, and remediate information security vulnerabilities, incidents, and control failures, maintaining a focus on root cause analysis and preventative action.
- Drive a culture of security awareness through the development and delivery of tailored education and training programmes in partnership with HR, IT, Data Privacy, and Cybersecurity teams.
- Lead and support information security risk assessments, leveraging a risk-based approach to inform prioritisation and decision-making.
- Provide strategic and tactical guidance on information security matters to business units and project teams, ensuring that security is proactively embedded into systems, products, and processes.
- Monitor emerging threats, vulnerabilities, and industry trends to ensure the business remains resilient and well-prepared.
- Support third-party risk assessments and supplier due diligence activities to ensure the secure handling of data by vendors and partners.
- Contribute to incident response planning and execution, including developing playbooks and participating in simulation exercises.
- Support regulatory compliance efforts (e.g. GDPR, NIS2, DORA) and assist with external audits, certifications, and client security due diligence where required.

**Experience**
At least 3 years of hands-on experience in an information security or risk role.
Solid understanding of:

- ISO 27001 ISMS implementation or audit
- Information security risk management including risk assessments & controls
- Policy, standards, and procedure writing
- Supporting internal and external audits

**Education**
A Bachelor’s degree or higher in Information Security, Computer Science, or related field.

**Skills, Knowledge & Expertise**:
**Knowledge**
- Security governance and compliance (e.g. policies, standards, procedures)
- Information Security principles and frameworks, especially:

- ISO/IEC 27001 (implementation and audit)
- NIST CSF
- CIS Controls
- Risk Management processes (identification, assessment, mitigation)
- Security Incident response procedures
- Regulatory and legal requirements such as:

- GDPR
- Data Protection Act (UK)
- Cyber Essentials / Cyber Essentials Plus

**Skills**
- Strong analytical mindset, with the ability to assess security risks, interpret technical details, and make sound decisions based on available data.
- Clear and confident communicator, capable of translating complex security issues into language appropriate for both technical and non-technical stakeholders.
- Skilled in drafting and maintaining documentation, including policies, standards, procedures, and guidance that align with security frameworks and regulatory requirements.
- Project-focused approach, with the ability to advise and support IT and business initiatives, ensuring security is built-in from the outset.
- Experienced in audit and compliance activities, contributing to the preparation, execution, and follow-up of internal and external audits.
- Able to develop and deliver engaging security awareness training and educational materials to a diverse audience.

**Ability**
- Collaborative team player, comfortable working with IT, Legal, HR, Risk, and operational teams to ensure consistent security i