Senior Information Risk Advisor – Outside IR35
Venesky-Brown's client, a public sector organisation in Edinburgh/Glasgow, is currently looking to recruit a Senior Information Risk Advisor for an initial 12 month contract with potential to extend, on a rate of £608/day Outside IR35. This role will be a hybrid of working at home and in the office.

Responsibilities:

– Build strong relationships between the Information Security and Risk function and business teams.

– Promote the Information Security and Risk services offered.

– Conduct technical assurance activities of systems, services, and products.

– Provide advice, guidance, and facilitation of information security processes.

– Assist stakeholders in understanding and fulfilling their information security roles and responsibilities.

– Communicate the requirements of Information Security Policies and Standards, to ensure that teams and colleagues are able to comply with them and that protective measures for information assets are adequate.

– Deliver sessions and workshops for the scoping, identification, and analysis of security risks to the confidentiality, integrity, and availability of information assets, and propose appropriate controls and actions for risk remediation.

– Discuss potential opportunities for improvement to information security policies, processes or controls with teams and record the proposed improvements in the ISMS Tooling for management analysis.

– Identify instances of non-conformance, providing details of the findings and the underlying cause of the issue. Use ISMS tooling to record these and prepare reports for the relevant ISMS Domain Sponsor, who will determine corrective action.

– Liaise with teams on required actions to agree timeframes and the allocation of resources.

– Undertake internal audit/assurance activities to observe and evaluate ISMS processes and Security Controls and provide internal stakeholders with reports that outline findings and areas for improvement of compliance.

– Contribute to the development of Information Security and Risk policies, standards, and processes, including the maintenance of operating procedures, and ensure appropriate ISMS document control is applied.

– Deliver education and awareness sessions to technical and non-technical teams to enhance information security and risk knowledge and confidence.

– Support internal stakeholders during independent audits by preparing ISMS artefacts and records in advance so that they are available on request by the auditor.

Essential Skills:

– The successful candidate will have a strong understanding and background in technical information security and risk, and the ability to engage with management and technical/non-technical SMEs for the successful implementation and operation of the ISMS and its associated deliverables.

– Identification, assessment, and management of risk

– Security assurance and the measurement of controls

– Creation of ISMS and IT Security documentation (Policies, Standards, Processes, Procedures and Patterns)

– Internal and third-party audits

– Risk and threat modelling

– Compliance and assurance activities

– Business process analysis and mapping (to determine alignment against agreed industry practice and recognised control frameworks)

– Certified Information Systems Security Professional (CISSP) or equivalent

– Certified ISO 27001 Lead Implementer/Auditor of Management Systems (including Information Security and Business Continuity) or equivalent

– Approaches information security and risk problems and issues, whether as part of a project engagement or BAU, by applying techniques to analyse the information within scope and formulating a resolution that maintains the objective or achieves the required outcome.

– Is able to facilitate engagement between non-technical, technical, and non-information-security colleagues.

– Must be able to mediate between stakeholders and promote the realisation of common goals.

– Understands how an Information Security organisation operates and is able to support the Information Security Lead in identifying internal and external issues that may create risks.

– Understands the objectives of Information Security and Risk Management, is able to mentor engaged teams and colleagues, and is able to articulate the distinctions and relationships between Information Security Risk, Cyber Security, Security Controls, and Assurance.

– Able to support the Information Security Lead with improvements to the Information Security Management System and with ensuring that it meets the requirements of international standards (ISO/IEC 27001:2013).

– Has the ability to support teams and Risk Owners in analysing risk through different approaches, measuring the impact of risk using the agreed criteria, and determining whether it requires escalation.

– Can demonstrate core information security control knowledge to assist with control implementation and assurance processes; specialisms may include Cloud, Technical Vulnerability Management, Access Control, Network Security, Secure Coding and Systems Support.

– Collaborates with Product Managers to promote secure systems engineering and architecture principles, and ensures that a risk-based approach is taken as part of system acquisition, development, and maintenance.

Desirable Skills:

– Supporting organisations through security certification activities (e.g. ISO 27001)

– Building security capability, training and awareness or exercising programmes

– Designing information security incident management procedures

– Ex-CLAS or SCCP (SIRA)

If you would like to hear more about this opportunity, please get in touch.

Job Overview

Senior Information Risk Advisor – Outside IR35
Glasgow, Glasgow City, Scotland
£600 - £608 per day

Consultant: Doug Louden