Information Security & Compliance Manager
Listed on 2026-07-01
IT/Tech
Cybersecurity, Information Security, IT Consultant, Data Security
Blue Matter is a rapidly growing strategic consulting firm serving clients in the life sciences industry. We partner with our clients to help them achieve commercial success across the lifecycle of their products, portfolios and organisations. Our project types include new product planning, launch strategy & planning, brand & life cycle planning and corporate & portfolio strategy, across a variety of specialty therapeutic areas.
We have a unique entrepreneurial culture and invest in building Blue Matter to be one of the best places to work. We have a strong global presence with offices in the US (San Francisco, New York, Boston), Europe (London, Zurich, Netherlands), and India (Mumbai, Gurgaon, Pune).
Why this role exists
Our clients are among the most security- and privacy-conscious organizations in the world, and they trust us with highly sensitive commercial and scientific information. At the same time, our internal AI platform, Blue Cortex, is becoming central to how we serve them — which raises both the stakes and the opportunity around how we govern data and technology. As we grow, we need a dedicated owner for information security and compliance. This role sits in our Technology & Operations team and is based in the UK — giving us strong coverage of GDPR and UK GDPR obligations, alignment with European clients and subsidiaries, and time‑zone support for our global team.
What you’ll do
Security governance and strategy
- Own and run Blue Matter’s information security program end-to-end, including for Blue Cortex.
- Define, maintain, and operationalize security policies, standards, and procedures, and keep them current as the firm scales.
- Maintain the risk register, run regular risk assessments, and drive remediation to closure.
- Report on security and compliance posture to leadership in clear, business-oriented terms.
Compliance and certifications
- Drive certification and attestation efforts (e.g., ISO 27001 and/or SOC 2): design and maintain the control framework, own the documentation and evidence, and lead internal and external audits.
- Build a sustainable, “always-audit-ready” approach rather than a once-a-year scramble.
- Track relevant regulatory and framework developments and translate them into practical action.
Data protection and privacy
- Lead data protection under GDPR and UK GDPR; act as, or closely support, our Data Protection function.
- Maintain records of processing (RoPA), conduct Data Protection Impact Assessments (DPIAs), and own data-handling, retention, and minimization policies.
- Manage data subject requests and any personal-data incidents, including regulator and individual notifications where required.
- Oversee data transfer mechanisms and data residency considerations across our global footprint and subsidiaries.
Client security assurance
- Own the response to client security due-diligence: complete security questionnaires and assessments from biopharma and medtech clients accurately and on time.
- Support commercial and contractual discussions on security, privacy, and data processing terms (e.g., DPAs).
- Maintain a library of reusable security documentation, certifications, and answers to accelerate client reviews.
Microsoft 365 security operations
- Secure and govern our Microsoft 365 environment — Entra, Microsoft Defender, Microsoft Purview, and Intune.
- Own identity and access management: conditional access, MFA, privileged access, joiner/mover/leaver processes, and least-privilege enforcement.
- Implement and tune data loss prevention (DLP), information protection/labelling, and device compliance.
- Partner with IT on secure configuration, patching, and endpoint hardening.
Third-party and vendor risk
- Run third-party and vendor risk management across our supply chain, including security review of new tools and AI/SaaS vendors.
- Maintain an inventory of vendors and their data access, and reassess risk on a regular cadence.
Incident response and investigations
- Own the incident response plan; lead detection, triage, investigation, containment, and post-incident review.
- Investigate security events (for example, analysing Entra sign-in and audit logs), and produce clear, actionable incident reports.
- Run tabletop…