
Information Security Risk Officer

Davies
Pune, On-site, 8mo ago
Employment
Permanent Full Time

About the role

Key Responsibilities

  • Develop and maintain organisational policies and standards, applying recognised standards (ISO/IEC 27001).
  • Support review and tracking of information security risks, assessments, and treatment plans.
  • Perform spot checks or sample testing on selected security controls.
  • Escalate gaps and provide supporting evidence to senior management.
  • Monitor incidents logged by 1LOD to ensure appropriate root cause analysis and lessons learned are completed.
  • Track remediation activities through to closure.
  • Assist in gathering evidence for ISO 27001 audits, regulatory assessments, and internal assurance reviews.
  • Gather and prepare risk, compliance, and incident data for reporting.
  • Escalate issues that require senior management judgement or intervention.
  • Promote awareness of information security policies, standards, and risk management processes.
  • Act as a liaison between 1LOD divisions and the Group Information Security function.
  • In addition to the responsibilities listed, this role may be asked to perform other information security or risk-related activities in line with organisational priorities.

Skills, Knowledge & Expertise

  • At least 3 years of hands-on experience in an information security or risk role.
  • Understanding of information security and cyber risk frameworks (ISO 27001, NIST CSF, CIS).
  • Practical experience in information security risk management, including risk assessments, control evaluation, and reporting.
  • Drafting and maintaining documentation, including policies, standards, procedures, and guidance that align with security frameworks and regulatory requirements.
  • Experience in a 2nd Line or audit/risk assurance role within a large or complex organisation is desirable.
  • A Bachelor’s degree or higher in Information Security, Computer Science, or related field.
  • Understanding of ISO 31000: Risk Management – Guidelines.
  • Strong understanding of information security standards and frameworks, especially:
  1. ISO/IEC 27001 (implementation and audit)
  2. NIST CSF
  3. CIS Controls
  • Security governance and compliance (e.g. policies, standards, procedures)
  • Familiar with IT infrastructure, cloud services, applications, and third-party supplier risks.
  • Proficient in risk assessment methodology (identification, assessment, mitigation).
  • Security incident response procedures.
  • Regulatory and legal requirements such as:
  1. GDPR
  2. Data Protection Act (UK)
  • Strong analytical, reporting, and communications skills.
  • Clear and confident communicator, capable of translating complex security issues into language appropriate for both technical and non-technical stakeholders.
  • Audit and compliance activities, contributing to the preparation, execution, and follow-up of internal and external audits.
  • Able to contribute to the development, preparation, and delivery of security awareness training and educational materials to a diverse audience.
  • CISM – Certified Information Security Manager
  • CRISC – Certified in Risk and Information Systems Control
  • CISA – Certified Information Systems Auditor
  • ISO/IEC 27001 Lead Implementer/Auditor
