IT Risk & Compliance Manager
The IT Risk & Compliance Manager is responsible for defining, implementing, supervising and improving the process and procedures for the IT department’s Risk Assurance frameworks.
The position will support the business requirements to comply with government DAIS accreditation and industry standards including ISO 9001, ISO 20001, ISO27001 and 27002, SANS20, NIST800 and TickITplus.
This role will lead the IT effort to identify risks to the safe and secure operation of the global IT estate and be accountable for their resolution and mitigation.
• Achievement and maintenance of ISO 27001 certification for the company’s IT function. This will involve the definition, configuration and certification of an ISO27001 ISMS (Information Security Management System) and ISO27002 controls. The role also includes responsibility for the on-going management, maintenance and development of these management systems.
• Ensuring that the company’s IT function’s security controls and service capabilities are developed and maintained in line with industry standards and regulations, and with the company’s corporate policy requirements. This also involves the testing of controls, measurement of their effectiveness, and reporting of the quality of the controls to management.
• Ensuring that the company’s IT function has a comprehensive and workable set of documented operating processes and procedures that are aligned to industry standards and the company’s corporate policy requirements. This involves producing and maintaining the local process, procedure and guidance documentation.
• Owning the IT Business Continuity plan and undertaking regular planned and unplanned disaster recovery testing, documenting outcomes and improvements.
• Managing risks and the risk register by chairing regular risk review meetings and updating documentation where required.
Experience & Qualifications:
• Understanding of the IT department’s mission and vision, and of IT operations, ideally gained through 5 or more years of IT/IS function management.
• Minimum of 2 years process development and management experience.
• Knowledge and understanding of ISMS and SMS certification processes (ideally, experience of the process of certification to both ISO27001 and ISO20000).
• Able to control own work priorities, work effectively alone and within teams, and communicate effectively at all levels within the business.
• Knowledge of ITIL best practice (at a minimum this should include an ITIL Foundation qualification, but ideally a Service Operations Lifecycle qualification as well).
• Experience (minimum 5 years) of information security management in a List X/government supplier environment, and knowledge of government requirements for systems security and accreditation is desirable.
• ISO 27001 Lead Auditor
• TickITplus practitioner.