Information Security Officer – ISO


The Role

The Information Security Officer (ISO) will be responsible for policies, standards and procedures that fall within the scope of the ISO27001 accreditation. The ISO will continually develop, implement, and oversee the organization’s information security strategy, policies, and practices. The ISO also oversees security awareness training programs and manages security audits and compliance assessments.

This role requires a deep understanding of information security principles, regulations, and best practices, as well as the ability to communicate and collaborate effectively with stakeholders across the organization.


The Information Security Officer (ISO) is accountable for maintaining the company ISMS and onward maintenance of ISO27001 certification. This includes keeping policies current and evidence up to date, and involves marshalling other departments to ensure required procedures are followed and evidence is provided, as well as organising, running, and minuting regular periodic meetings as defined and required by the ISMS Policies.

Key Responsibilities

  • Develop, improve, and maintain information security policies, standards and procedures to support the ISMS.
  • Work with the Technical team members and managers to ensure that they develop, improve, and maintain policies, standards and procedures which support the ISMS.
  • Maintain the ISMS framework, scope, and structure.
  • Run the periodic ISMS activities:
      • Arranging, chairing, and minuting all ISMS monthly and quarterly meetings.
      • Defining, actioning, and tracking all scheduled activities that support the ISMS in a transparent manner.
  • Facilitate and track all security actions not associated with the platforms.
  • Develop, maintain, and report on metrics and KPIs associated with the ISMS.
  • Work with the technical teams to develop, maintain, and report on metrics and KPIs associated with the operation of the company's platforms.
  • Maintain the infosec business risk register and ensure that it is regularly managed and socialised.
  • Lead and conduct Business Risk Assessments with the Executive team using formal risk assessment methods, based on threats. Ensure that the Business Risk Assessments are completed and used as the basis for ISMS scope, actions and improvements.
  • Review the Statement of Applicability on a regular basis and suggest changes as the business vision and risk posture change.
  • Coordinate risk assessment workshops with stakeholders, to uncover emerging risks and opportunities for malicious actors.
  • Produce written reports, status updates, actions, minutes to support decision making within the management systems governance programme.
  • Conduct annual Business Impact Assessments with relevant teams.
  • Ensure and track that staff get the infosec training required:
      • Annual infosec and GDPR training.
      • Periodic lunch and learns.
      • On-boarding training to new starters.
  • Maintain an accurate training log of all training performed and ensure that all staff attend as required.
  • Compile a library of infosec responses that can be used to produce responses to customer infosec questionnaires.
  • Own customer infosec questionnaires to ensure that they are completed in a timely, organised, and accurate fashion, coordinating appropriate technical resources where required.
  • Own all Privacy Impact Assessments to ensure that they are completed in a timely, organised, and accurate fashion, coordinating appropriate technical resources where required.
  • Flag risks in completing questionnaires and impact assessments and get them addressed in a timely and organised manner.
  • Work with our 3rd party IT provider to arrange, prepare, and manage CE+ annual audits and ensure requirements are followed throughout the year.
  • Lead the ISO27001 audits by arranging, preparing, and managing the ISO27001 audit process, ISMS content and controls.
  • Maintain a central repository of all metrics the company collects to support the ongoing improvement of our ISMS and produce a regular report for management.
  • Arrange and perform internal audits on all policies, processes and procedures that are included under the ISO27001 remit, to ensure that they remain compliant and to identify opportunities for improvement.
  • Own, manage, and track an improvement plan with assistance from the technical teams to ensure that our policies and procedures do not become redundant, stale or fall below industry requirements.
  • Arrange, prepare, and manage the annual pen test on all platforms, using the appropriate technical resources as required to obtain the technical input necessary to engage a pen test supplier and conduct the pen tests.
  • Ensure that all policies are reviewed as per the document review period. Compile a list of actions to address any lapses and track to conclusion.
  • Assist with the monitoring of our platform vulnerability management systems and logging of identified vulnerabilities.
  • In the event of any security event, be part of the response team by providing infosec advice on security actions to consider, documenting all actions, writing up the security event, and ensuring a “lessons learned” session occurs.
  • Maintain an up-to-date knowledge of ISO standards, threats and countermeasures, best security practices and technologies.



  • In-depth knowledge of ISO 27001 standards and any other relevant standards, e.g. ISO31000 & ISO22301.
  • Good knowledge of industry best practice such as security maturity models, OWASP and NCSC.
  • Experience of working within an InfoSec focused role.
  • Able to solve problems identified through audit, risk assessment or incidents.
  • Proven experience of Risk Management.
  • Proven experience in implementing ISO27001 and maintaining the certification.
  • Ideally, knowledge of DevOps and DevSecOps.
  • Ideally, good technical knowledge of Cloud and on-premise network, infrastructure, and application security.



  • Holiday: 23 days per annum + Birthday.
  • Pension: 3% Employer contribution.
  • Flexible Benefits: £250-£750 per annum to spend on a range of benefits.
  • Location: 3 Days per week @ Farnborough, 2 days per week work from home



Shaw Daniels Solutions (SDS) is backed by well-known industry experts, dedicated to making a real difference to the recruitment and staffing industry.


Pure Offices
Ferneberga House
Alexandra Road
Hampshire, GU14 6DQ

Contact Us

01276 300700