Information Security Analyst - GRC

Information Security Analyst GRC
Salary: £45,000
Contract: 12-month Fixed Term Contract (FTC)
Location: Central Birmingham (Hybrid 3 days per week on site)

The Role

We have an exciting opportunity for an Information Security Analyst GRC to join a busy and collaborative technology function on a 12-month fixed term contract. This role will play a key part in supporting governance, risk and compliance (GRC) activities, with a strong focus on third-party risk management and data protection assurance across the organisation.

Based in Central Birmingham, the role operates on a hybrid working model, requiring three days per week on site.

Key Responsibilities

Third-Party Risk Management

• Conduct and coordinate information security and privacy risk assessments for new and existing suppliers.
• Assess supplier controls relating to data protection, information security, data hosting and subcontractor usage.
• Maintain accurate records of organisational data shared with third parties, including purpose of use, classification, sensitivity and processing location.
• Ensure supplier data handling arrangements clearly define retention, archiving and deletion requirements in line with internal policies and regulatory obligations.
• Support Procurement, Vendor Management, Legal and Information Security teams to embed supplier assurance throughout onboarding, renewal and contract processes.
• Track remediation actions with suppliers and internal teams, escalating high-risk issues where appropriate.

Data Protection & GDPR Support

• Review how personal data is used across systems, processes and vendor solutions.
• Ensure data classification, sensitivity and lifecycle controls are clearly documented.
• Promote data minimisation by identifying unnecessary collection or retention of personal data and challenging excessive processing.
• Document personal data risks, gaps and recommended actions in line with risk management processes.
• Provide risk-based advice and technical input to business stakeholders on personal data processing.

Governance, Risk & Compliance

• Support the review, development and implementation of information security and data protection policies.
• Contribute to information security risk registers and compliance monitoring activities.
• Produce compliance reports, dashboards and metrics for management and senior stakeholders.
• Assist with internal and external audits, including GDPR, PCI DSS and financial audits.
• Maintain compliance tracking across third-party risks, data lifecycle controls and privacy-related risks.

Security & Privacy Operations

• Track remediation of identified compliance and control issues to ensure timely closure.
• Support incident response activities, particularly those involving third-party access or personal data.
• Document business and supplier processes to support governance, risk and compliance requirements.
• Produce clear, auditable documentation for assessments, risks, decisions and approvals.

About You

You will bring a strong understanding of information security, privacy and risk management, with the confidence to engage and challenge stakeholders constructively.

Essential experience and skills:

• Good understanding of GDPR, the UK Data Protection Act, and information security control requirements.
• Experience conducting supplier assurance, security due diligence or third-party risk assessments.
• Ability to assess technical and organisational security controls.
• Strong analytical skills with excellent attention to detail.
• Clear written and verbal communication skills, able to work with legal, technical and operational teams.
• Experience supporting incident or breach investigations.
• Ability to manage multiple competing priorities and work pragmatically with stakeholders.

Desirable:

• Experience working in large, complex or multi-site environments.
• Relevant certifications such as CIPP/E, CIPM, CompTIA Security+, or BCS Practitioner Certificate in Data Protection