
Information Security Manager

Job in Greater London, London, Greater London, W1B, England, UK
Listing for: Cyber Security training courses
Full Time position
Listed on 2026-06-20
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, IT Consultant, Data Security
Salary/Wage Range or Industry Benchmark: 60000 - 80000 GBP Yearly
Job Description & How to Apply Below
Location: Greater London

My client, a Transportation company, based in London (you will have to be in the office in Cricklewood up to 3 times per week) are looking for an Information Security Manager to join their team. No sponsorship can be offered for this role.

About the Information Security Manager role

My client is looking for an experienced Information Security Manager with a strong background in Governance, Risk, and Compliance (GRC). This pivotal role oversees all GRC requirements, defining and managing the organisation's information security strategy, policies, and procedures to ensure the confidentiality, integrity, and availability of assets. A key aspect of this role involves expertise in data protection and regulatory compliance across the UK and EU markets.

A firm grasp of IT technical knowledge is vital for adequate risk understanding, assessment, and remediation. You will manage risk, drive compliance, and cultivate a robust security‑aware culture.

Main responsibilities
  • Policy Development: Develop, review, and take ownership of comprehensive IT and security policies, standards, and procedures, ensuring alignment with organisational objectives and regulatory requirements. Lead the development, implementation, and ongoing maintenance of the Information Security Management System (ISMS) in accordance with ISO 27001 standards.
  • Data Protection Responsibility: Formulate a robust data protection strategy that aligns with UK GDPR, EU GDPR, and other relevant privacy regulations (e.g., ePrivacy Directive, NIS Directive, DORA, NIS2). Act as the primary point of contact for all data protection matters, ensuring ongoing compliance. Manage and report data breaches in compliance with regulatory requirements.
  • Technical Risk Management: Lead the technical risk management process, assisting stakeholders across the group to conduct information security risk assessments (including DPIAs), develop and implement technical mitigation strategies, and manage the organisation's information security risk register.
  • Vulnerability Management & Technical Mitigation: Oversee the vulnerability management program, penetration testing, and security assessments to identify vulnerabilities and recommend technical remediation strategies. Raise, prioritise, and follow up on vulnerabilities with stakeholders, escalating risks if they are not remediated.
  • Security Operations & Incident Response: Oversee the governance of information security incident processes, ensuring correct procedures are followed, leading security incident investigations, and cascading post‑incident review results. Support operational resilience activities by acting as Incident Manager to coordinate during the critical incident.
  • Compliance & Audit Management: Establish, maintain, and assess compliance with internal security policies and industry standards (e.g., ISO/IEC 27001/2, PCI‑DSS v4.0, NIST Cybersecurity Framework 2.0, and Cyber Essentials Plus). Lead and manage internal and external audits, actively assisting in obtaining and maintaining relevant certifications.
  • Vendor & Third‑Party Security: Assess, manage, and conduct due diligence on information security and data protection risks associated with third‑party vendors. Review and negotiate Data Processing Agreements (DPAs) and security clauses, leveraging DPIAs to assess personal data processing posture and provide stakeholder recommendations.
  • Security Awareness & Training: Develop and deliver ongoing information security and data protection awareness training, including regular phishing simulations, to foster a security‑conscious culture.
  • Stakeholder Engagement: Collaborate across departments (Legal, Service Delivery, HR) to embed security principles, translate technical risks into business‑friendly advice, and liaise with regulatory bodies (e.g., ICO, DPA equivalents in EU) as required.
Essential experience
  • Proven experience (typically 3+ years) in information security, specialising in Cyber Security Governance, Risk, and Compliance (GRC) for managing risks, controls, and compliance activities.
  • Ability to translate complex technical risks into clear business impact for non‑technical stakeholders
  • Strong understanding of…