Information Security Manager

Overview

We''re looking for an experienced Information Security Manager with a strong background in Governance, Risk, and Compliance (GRC). This pivotal role oversees all GRC requirements, defining and managing the organisation’s information security strategy, policies, and procedures to ensure asset confidentiality, integrity, and availability. A key aspect of this role involves expertise in data protection and regulatory compliance across the UK and EU markets. A firm grasp of IT technical knowledge is vital for adequate risk understanding, assessment, and remediation. You will manage risk, drive compliance, and cultivate a robust security-aware culture.Responsibilities

Policy Development:

Develop, review, and take ownership of comprehensive IT and security policies, standards, and procedures, ensuring alignment with organisational objectives and regulatory requirements. Lead the development, implementation, and ongoing maintenance of the Information Security Management System (ISMS) in accordance with ISO 27001 standardsData Protection Responsibility:

Formulate a robust data protection strategy that aligns with UK GDPR, EU GDPR, and other relevant privacy regulations (e.g., ePrivacy Directive, NIS Directive, DORA, NIS2). Act as the primary point of contact for all data protection matters, ensuring ongoing compliance. Manage and report data breaches in compliance with regulatory requirements.Technical Risk Management:

Lead the technical risk management process, assisting stakeholders across the group to conduct information security risk assessments (including DPIAs), develop and implement technical mitigation strategies, and manage the organisation’s information security risk register.Vulnerability Management and Technical Mitigation:

Oversee the vulnerability Management program, penetration testing, and security assessments to identify vulnerabilities and recommend technical remediation strategies. Raise, prioritise, and follow up on vulnerabilities with stakeholders, escalating risks if they are not remediated.Security Operations and Incident Response:

Oversee the technical implementation and operational effectiveness of security controls and technologies. Oversee the governance of information security incident processes, ensuring correct procedures are followed, leading security incident investigations, and cascading post-incident review results. Support operational resilience activities by acting as Incident Manager during the critical incident.Compliance and Audit Management:

Establish, maintain, and assess compliance with internal security policies and industry standards (e.g., ISO/IEC 27001/27002, PCI-DSS v4.0, NIST Cybersecurity Framework 2.0, and Cyber Essentials Plus). Lead and manage internal and external audits, actively assisting in obtaining and maintaining relevant certifications.Vendor and Third-Party Security:

Assess, manage, and conduct due diligence on information security and data protection risks associated with third-party vendors. Review and negotiate Data Processing Agreements (DPAs) and security clauses, leveraging DPIAs to assess personal data processing posture and provide stakeholder recommendations.Awareness and Training:

Develop and deliver ongoing information security and data protection awareness training, including regular phishing simulations, to foster a security-conscious culture.Stakeholder Engagement:

Collaborate across departments (Legal, Service Delivery, HR) to embed security principles, translate technical risks into business-friendly advice, and liaise with regulatory bodies (e.g., ICO, DPA equivalents in EU) as required.Qualifications

Proven experience (typically 3+ years) in information security, specialising in Cyber Security Governance, Risk, and Compliance (GRC) for managing risks, controls, and compliance activities.Ability to translate complex technical risks into clear business impact for non-technical stakeholdersStrong understanding of cyber threats, insider risk, security principles and network security and impact assessment to identify and prioritise risks across diverse IT environmentsExperience with leading vulnerability scanning tools (e.g., Nessus, Qualys, Tenable.io, Rapid7 InsightVM) and interpreting scan results to drive remediation.Proven ability to coordinate and manage penetration testing engagements (web, network, mobile, cloud) and security assessments.Strong technical understanding of common vulnerabilities (e.g., OWASP Top 10, CVEs) and attack vectors.Understanding enterprise network security technologies: Firewalls (Palo Alto, Cisco ASA, Fortinet), IDS/IPS, VPNs, proxies, DLP, CASB and network segmentation architecturesIn-depth knowledge and practical experience of UK DPA / EU GDPR.Demonstrable experience with Information Security Management Systems (ISMS)Solid understanding of compliance frameworks like ISO 27001/27002, NIST Cybersecurity Framework 2.0, and PCI DSS v4.0Knowledge in developing and implementing technical remediation plans, including patch management, secure configuration baselines, and security hardening techniques for operating systems, databases, network devices and applicationsKnowledge of cloud platforms (e.g. AWS, Azure), endpoint protection, IAM, and SIEM/logging tools.Experience with Microsoft Azure Security tools (Purview).Experience in the Transport industry sector.Certification highly preferred, CISSP, CISM, CDPO, and ISO 27001 or other relevant certificatesHours of work

38 hours per week, Monday to Friday but must be flexible to work over and above these hours if deemed necessary.CompetitiveSeniority level

Mid-Senior levelEmployment type

Full-timeJob function

Information TechnologyIndustries

Transportation, Logistics, Supply Chain and ..... full job details .....