Cyber Security & Privacy Manager

Overview

ISP Cyber Security & Privacy Manager — Role Profile

The ISP Cyber Security & Privacy Manager will own and operate ISP’s technology security and data privacy control framework across TDDA platforms, integrations, and data products.

This role ope rationalises security-by-design and privacy-by-design across delivery, ensuring ISP operates with IPO-grade controls, audit-ready evidence, and consistent gating of change.

The role is not advisory only — it has active decision rights to define controls and block non-compliant delivery.

• Enterprise-wide, multi-country environment
• Operates across ERP, HRIS, SIS, CRM, EdTech, Data Platform, Integrations and AI products
• Works with outsourced cyber partners but retains ISP accountability
• Balances strong control with pragmatic delivery enablement

Begin with our children and students. Our children and students are at the heart of what we do. Simply, their success is our success. Wellbeing and safety are both essential for learners and learning. Therefore, we are consistent in identifying potential safeguarding and Health & Safety issues and acting and following up on all concerns appropriately.

Treat everyone with care and respect. We look after one another, embrace similarities and differences and promote the well-being of self and others.

Operate effectively. We focus relentlessly on the things that are most important and will make the most difference. We apply school policies and procedures and embody the shared ideas of our community.

Are financially responsible. We make financial choices carefully based on the needs of the children, students and our schools.

Learn continuously. Getting better is what drives us. We positively engage with personal and professional development and school improvement.

• Design and operate TDDA security and privacy governance framework
• Maintain TDDA technology risk register inputs
• Establish security/privacy decision forums and cadence
• Produce quarterly security & privacy posture report

• Define DPIA thresholds and workflow
• Own DPIA templates and guidance
• Ensure DPIAs are embedded into demand-to-delivery process
• Maintain DPIA register and evidence

• Define mandatory security patterns for:
• Identity & access management
• Encryption (at rest & in transit)
• Logging & monitoring
• Segregation of duties
• Key management

• Ensure initiatives touching data, integrations or AI are security & privacy reviewed
• Gate releases through CAB where controls are not met
• Ensure security and privacy evidence is part of release readiness

• Define minimum security/privacy assurance requirements
• Support vendor due diligence
• Maintain third-party assurance register

• Maintain audit-ready evidence packs:
• Access reviews
• DPIAs
• Change logs
• Third-party assurance
• Support internal and external audits

• Define secure SDLC expectations with Engineering & Architecture
• Provide training and guidance to TDDA teams

• Define mandatory security and privacy controls for TDDA delivery
• Gate or block releases where controls are not met
• Define minimum third-party assurance requirements

• Run DPIA process
• Maintain security standards catalogue
• Review designs through Design Authority
• Participate in CAB
• Track and report risks

• DPIA workflow live and embedded
• TDDA security standards catalogue
• Third-party assurance checklist
• Quarterly security & privacy report
• First full evidence pack

• 100% qualifying initiatives gated through DPIA & security review
• Reduction in unknown integrations / shadow data flows
• Audit evidence completeness and timeliness
• Improved access governance (review completion, least privilege adoption)

• 8–10+ years in cyber security and/or privacy operations
• Experience in regulated, multi-country environments
• Strong DPIA and vendor risk expertise
• Risk-based thinking
• Pragmatic control design
• Clear…