Information Security Analyst - GRC

Salary: £45,000

Contract: 12-month Fixed Term Contract (FTC)

Location: Central Birmingham (Hybrid – 3 days per week on site)

The Role

We have an exciting opportunity for an Information Security Analyst – GRC to join a busy and collaborative technology function on a 12-month fixed term contract. This role will play a key part in supporting governance, risk and compliance (GRC) activities, with a strong focus on third-party risk management and data protection assurance across the organisation.

Key Responsibilities

• Third-Party Risk Management
  • Conduct and coordinate information security and privacy risk assessments for new and existing suppliers.
  • Assess supplier controls relating to data protection, information security, data hosting and subcontractor usage.
  • Maintain accurate records of organisational data shared with third parties, including purpose of use, classification, sensitivity and processing location.
  • Ensure supplier data handling arrangements clearly define retention, archiving and deletion requirements in line with internal policies and regulatory obligations.
  • Support Procurement, Vendor Management, Legal and Information Security teams to embed supplier assurance throughout onboarding, renewal and contract processes.
  • Track remediation actions with suppliers and internal teams, escalating high-risk issues where appropriate.
• Data Protection & GDPR Support
  • Review how personal data is used across systems, processes and vendor solutions.
  • Ensure data classification, sensitivity and lifecycle controls are clearly documented.
  • Promote data minimisation by identifying unnecessary collection or retention of personal data and challenging excessive processing.
  • Document personal data risks, gaps and recommended actions in line with risk management processes.
  • Provide risk-based advice and technical input to business stakeholders on personal data processing.
• Governance, Risk & Compliance
  • Support the review, development and implementation of information security and data protection policies.
  • Contribute to information security risk registers and compliance monitoring activities.
  • Produce compliance reports, dashboards and metrics for management and senior stakeholders.
  • Assist with internal and external audits, including GDPR, PCI DSS and financial audits.
  • Maintain compliance tracking across third-party risks, data lifecycle controls and privacy-related risks.
• Security & Privacy Operations
  • Track remediation of identified compliance and control issues to ensure timely closure.
  • Support incident response activities, particularly those involving third-party access or personal data.
  • Document business and supplier processes to support governance, risk and compliance requirements.
  • Produce clear, auditable documentation for assessments, risks, decisions and approvals.

About You

You will bring a strong understanding of information security, privacy and risk management, with the confidence to engage and challenge stakeholders constructively.

Essential experience and skills:

• Good understanding of GDPR, the UK Data Protection Act, and information security control requirements.
• Experience conducting supplier assurance, security due diligence or third-party risk assessments.
• Ability to assess technical and organisational security controls.
• Strong analytical skills with excellent attention to detail.
• Clear written and verbal communication skills, able to work with legal, technical and operational teams.
• Experience supporting incident or breach investigations.
• Ability to manage multiple competing priorities and work pragmatically with stakeholders.

Desirable:

• Experience working in large, complex or multi-site environments.
• Relevant certifications such as CIPP/E, CIPM, CompTIA Security+, or BCS Practitioner Certificate in Data Protection.