Information Security Compliance Analyst
12 Month Fixed Term Contract
Salary: Negotiable
Hybrid - Hertfordshire
As an Information Security Compliance Analyst, you will support the development and maintenance of the EMEA wide information security management system in accordance with Global EIT strategy, EMEA business requirements and relevant information security legislation, including NIS 2, AI Act and GDPR.
You will ensure the continued certification of the EIT ISO 27001:2022 management system and adherence by the EMEA EIT department to all relevant legislation and regulations, including but not limited to Health and Safety, Financial and Privacy laws.
Main duties/responsibilities:
* Conduct information security, information system, and compliance-based risk assessments, evaluate responses and recommend risk treatment actions
* Develop and execute risk mitigation plans in conjunction with relevant internal and external stakeholders/groups and to agreed timescales, following through to completion
* Support the creation, implementation and maintenance of information security policies and standards, in accordance with ISO 27001 and other relevant frameworks and standards (NIST CSF, IEC 62443, CIS, GDPR etc.)
* Maintain the department’s information security procedures, including but not limited to information security incident response and business continuity management, conducting tabletop exercises to evaluate effectiveness.
* Manage the information security awareness training program to ensure all employees develop and maintain an awareness about and comply with all applicable information security policies, procedures, laws, and regulations.
* Provide information security advice and guidance for EMEA business activities and projects
* Manage information security programs to ensure the company meets its compliance requirements
* Monitor, analyse and report on information security-based management metrics.
* Perform comprehensive third-party information security due diligence assessments in a timely manner, report on results, recommend remediation activities and work with the legal team to ensure contractual obligations include security clauses as relevant
* Support information security and compliance audits conducted in the department
Qualifications and Experience required:
* Degree level qualified or equivalent - highly desirable.
* CISM and / or CRISC or other relevant certification is highly desirable
* ISO 27001:2022 Lead Implementer / Auditor certification is essential.
* Demonstrable experience in an Information Security, IT Governance, Risk and Compliance based role, including maintaining and continually improving an ISO 27001 compliant management system.
* Extensive experience of information security management and/or security awareness.
* In-depth expert knowledge of industry standard frameworks and best practices – ISO 27001:2022, ISO 27002:2022, ISO 27005, ISO 31000, NIST – and their practical application in a corporate environment to ensure all elements of integrity, availability and confidentiality are adhered to.
* Extensive experience of conducting information security risk assessments and reporting risks.
* Experience of developing, implementing, managing, and maintaining Information Security policies, controls, standards, guidance, processes & procedures, and auditing compliance.
* Experience of developing, implementing, managing, and maintaining risk management framework, policies, processes, and procedures.
* Knowledge & experience of developing and performing information security due diligence and risk assessments of third-party organisations based on IT control frameworks such as ISO 27001 and ISO 31000.
* Practical experience of conducting gap analysis, testing information security processes, procedures, plans and leading audits to achieve compliance with Information Security standards.
* Practical experience of establishing and maintaining data classification standards within a corporate environment.
* Experience of project managing Information Security, Data Protection & Compliance initiatives.
* Experience of developing and executing Information Security awareness training across multiple business units.
* Experience with ensuring corporate compliance with UK/EMEA data protection legislation such as DPA and GDPR.
* Good knowledge of a broad range of IT technology platforms, products, services.
* Stakeholder management experience at both technical and non-technical levels, up to Executive level.
* Excellent business/customer-facing experience.
If you are interested, please apply or send your CV to luke.sandilands@cpl.com