Information Security Manager

· Policy Development: Develop, review, and take ownership of comprehensive IT and security policies, standards, and procedures, ensuring alignment with organisational objectives and regulatory requirements. Lead the development, implementation, and ongoing maintenance of the Information Security Management System (ISMS) in accordance with ISO 27001 standards

· Data Protection Responsibility: Formulate a robust data protection strategy that aligns with UK GDPR, EU GDPR, and other relevant privacy regulations (e.g., ePrivacy Directive, NIS Directive, DORA, NIS2). Act as the primary point of contact for all data protection matters, ensuring ongoing compliance. Manage and report data breaches in compliance with regulatory requirements.

· Technical Risk Management: Lead the technical risk management process, assisting stakeholders across the group to conduct information security risk assessments (including DPIAs), develop and implement technical mitigation strategies, and manage the organisation’s information security risk register.

· Vulnerability Management & Technical Mitigation: Oversee the vulnerability Management program, penetration testing, and security assessments to identify vulnerabilities and recommend technical remediation strategies. Raise, prioritise, and follow up on vulnerabilities with stakeholders, escalating risks if they are not remediated.

· Security Operations & Incident Response: Oversee the governance of information security incident processes, ensuring correct procedures are followed, leading security incident investigations, and cascading post-incident review results. Support operational resilience activities by acting as Incident Manager to coordinate during the critical incident.

· Compliance & Audit Management: Establish, maintain, and assess compliance with internal security policies and industry standards (e.g., ISO/IEC 27001/2, PCI-DSS v4.0, NIST Cybersecurity Framework 2.0, and Cyber Essentials Plus). Lead and manage internal and external audits, actively assisting in obtaining and maintaining relevant certifications.

· Vendor & Third-Party Security: Assess, manage, and conduct due diligence on information security and data protection risks associated with third-party vendors. Review and negotiate Data Processing Agreements (DPAs) and security clauses, leveraging DPIAs to assess personal data processing posture and provide stakeholder recommendations.

· Security Awareness & Training: Develop and deliver ongoing information security and data protection awareness training, including regular phishing simulations, to foster a security-conscious culture.

· Stakeholder Engagement: Collaborate across departments (Legal, Service Delivery, HR) to embed security principles, translate technical risks into business-friendly advice, and liaise with regulatory bodies (e.g., ICO, DPA equivalents in EU) as required.

Essential experience:

• Proven experience (typically 3+ years) in information security, specialising in Cyber Security Governance, Risk, and Compliance (GRC) for managing risks, controls, and compliance activities.
• Ability to translate complex technical risks into clear business impact for non-technical stakeholders
• Strong understanding of cyber threats, insider risk, security principles and network security and impact assessment to identify and prioritise risks across diverse IT environments.
• Experience with leading vulnerability scanning tools (e.g., Nessus, Qualys, Tenable.io, Rapid7 InsightVM) and interpreting scan results to drive remediation.
• Proven ability to coordinate and manage penetration testing engagements (web, network, mobile, cloud) and security assessments.
• Technical understanding of common vulnerabilities (e.g., OWASP Top 10, CVEs) and attack vectors.
• Understanding enterprise network security technologies: Firewalls (Palo Alto, Cisco ASA, Fortinet), IDS/IPS, VPNs, proxies, DLP, CASB and network segmentation architectures
• In-depth knowledge and practical experience of UK DPA / EU GDPR.
• Demonstrable experience with Information Security Management Systems (ISMS)

Solid understanding of compliance frameworks like ISO 27001/27002, NIST Cybersecurity Framework 2.0, and PCI DSS v4.0

Competensies and skills:

• Knowledge in developing and implementing technical remediation plans, including patch management, secure configuration baselines, and security hardening techniques for operating systems, databases, network devices and applications
• Knowledge of cloud platforms (e.g. AWS, Azure), endpoint protection, IAM, and SIEM/logging tools.
• Experience with Microsoft Azure Security tools (Purview).
• Experience in the Transport industry sector.
• Certification highly preferred, CISSP, CISM, CDPO, and ISO 27001 or other relevant certificates

If the above is relevant for you please apply to this role or call me on 0207 509 8040 for more information. Alternatively please send me your CV to darius.goodarzi@robertwalters.com for more info.