We support delivery of the business strategy whilst ensuring that our Business Units maintain their legislative, regulatory and contractual obligations, and help them to meet and exceed the needs of our customers and employees while operating in a secure and safe manner. The Group Risk & Compliance team, working closely with the First Line teams, plays a critical role and brings expertise to shape, and ultimately ensure, that we achieve our purpose and deliver our vision.
The Role
Reporting into the Head of Risk, the ISMS and Resilience Manager is a key role within the Group Risk and Compliance team. The role is responsible for the ISO27001 certification for our B2B division and will work closely with the whole Risk and Compliance team, the Cyber Security team, IT team, Facilities team, HR team and other key stakeholders. The ISMS and Resilience Manager will also have a 'dotted line' into the B2B Operations Director and will work directly with the B2B leadership team as needed. The ISMS and Resilience Manager will simplify, develop and continually improve the Information Security Management System (ISMS), in line with the relevant legal, regulatory and organisational requirements. This is a collaborative role, which will help drive efficiency and effectiveness and contribute greatly towards the management of one of our most high-profile risks: information security. Over time, the ISMS remit will grow broader than B2B, with good practice being applied to the rest of the business units.
The ISMS and Resilience Manager will have extensive knowledge of information security assurance and information resilience, together with sound knowledge of data privacy, risk management, and operational and business resilience. They will have the ability to apply, translate and communicate their subject matter expertise across a complex business environment. They will also support the Head of Risk by developing and implementing a robust resilience framework in line with the Group's strategic objectives and risk management framework. This key role will contribute at both operational and strategic levels.
Examples of what you will be doing:
- Leading and managing all the day-to-day activities required to maintain an effective Information Security Management System (ISMS).
- Embedding the risk management framework, bringing risks to the attention of the business, providing expert advice on mitigating actions and monitoring the business's adherence to the risk management policy. Collaborating to develop, maintain and promote the information risk and resilience components of the risk management framework.
- Holding regular ISMS management review meetings, following the set agenda as per the standard, taking minutes and making sure everyone is aware of their responsibilities for improvement actions.
- Maintaining a comprehensive record of incidents and their resolutions, escalating these issues to management and the relevant teams where necessary.
- Maintaining the versioning and release of ISMS policies and procedures as required by the standard.
- Conducting regular awareness and training activities to ensure the ISMS is embedded across the business.
- Conducting 2nd line assurance, e.g. gap analysis, and supporting any internal audits relating to the ISMS.
- Working with the Data Protection team to help ensure the confidentiality, integrity and availability of our personal data.
- Highlighting risks, issues, non-conformances and improvement opportunities proactively, and applying corrections and continual improvement actions.
- Supporting and hosting surveillance and re-certification audits for ISO27001.
- Performing, where required, business impact analyses on key systems and services.
- Helping to embed disaster recovery processes and controls to maintain the availability, integrity and confidentiality of personal data and key services.
- Ensuring that information security and resilience requirements are built into business change projects by design.
Examples of how you will do your job:
You will bring all aspects of our values to life: Personal, Responsible, Straightforward and Passionate:
- Responsible - you will lead by example in putting the customer at the heart of all people approaches and services, demonstrating a strong sense of ethics in 'doing the right thing'
- Straightforward - your communication uses everyday language that takes the complex and makes it easier and relevant for our people to understand
- Passionate and relentless - you'll achieve your own, your team's and the business's ambitions in a multitude of ways and overcome setbacks along the way. You will inspire your peers and colleagues to do the same, keeping them focused and enthused, and celebrating successes as they arrive
- Personal and authentic - you will create your own personal brand, being approachable to our people and leaders, with a strong sense of humility and authenticity
- Visible - you'll set time aside to spend with team members and business teams in all locations and be recognised as a key Subject Matter Expert across the Group; the business unit teams will see you as a role model and an expert in information security and resilience matters
- Infectious energy - the way you go about carrying out your role, with passion, energy and determination to make a difference, will inspire business unit staff to deliver successful results and to continually challenge the status quo. The little bit of difference that you make to colleagues each day will bring significant change for the whole business
- You will influence, challenge and be a consultant to senior management, working with them to act as a catalyst for change, agreeing appropriate mitigating action plans in relation to key risks identified.
Examples of how you will know you are doing a great job:
- You will simplify complexity and focus on driving value, sustainable change and continual improvement in all that you do
- You will positively engage with and assist other areas of the Group Risk & Compliance team as required
- You will proactively manage risks, and implement actions from external and internal audit reports
- You will receive excellent feedback on the 2nd line contribution you provide from business unit management and leadership teams
- You will align information security and resilience with the organisational strategy
- You will receive positive feedback from wider internal and external stakeholders
- You will be an invaluable member of the wider Countrywide Group Risk & Compliance team.
Experience you have that will set you up for success:
- Exceptional working knowledge of ISO27001, with experience of leading ISO audits & recertification
- 3-4 years' experience working within a compliance team or function
- Experience of working in an operational or business resilience role
- Outstanding relationship building skills, with proven ability to influence, negotiate and impact change
- High level of self-awareness, gained through feedback and personal development plans
- A good working knowledge of 2nd line information assurance/security management and information resilience, including related risks and business continuity best practice, and sound knowledge of Data Protection law and regulation
- Understanding of risk culture, risk management and risk framework application
- Educated to degree level or equivalent with relevant role supporting qualifications
- Demonstrate a track record of working with senior management, internal and external peers to assess, advise on and implement information security and resilience requirements
- Excellent understanding of current and emerging issues in the data protection and information security environment
- Experience of working in complex change scenarios
- Team leadership experience advantageous but not essential
- Working knowledge of ISO22301 advantageous.