At a Glance
- Tasks: Lead information security and compliance initiatives in a dynamic life sciences consulting firm.
- Company: Join Blue Matter, a rapidly growing strategic consulting firm in the life sciences sector.
- Benefits: Competitive salary, flexible working options, and opportunities for professional growth.
- Other info: Be part of a collaborative team focused on innovative solutions and client success.
- Why this job: Make a real impact on data protection and security in a fast-paced environment.
- Qualifications: 5+ years in information security with strong knowledge of GDPR and Microsoft security tools.
The predicted salary is between 60000 - 80000 £ per year.
Blue Matter is a rapidly growing strategic consulting firm serving clients in the life sciences industry. We partner with our clients to help them achieve commercial success across the lifecycle of their products, portfolios and organisations.
Responsibilities:
- Act as, or closely support, our Data Protection function.
- Maintain records of processing (RoPA), conduct Data Protection Impact Assessments (DPIAs), and own data-handling, retention, and minimisation policies.
- Manage data subject requests and any personal-data incidents, including regulator and individual notifications where required.
- Oversee data transfer mechanisms and data residency considerations across our global footprint and subsidiaries.
- Own the response to client security due-diligence: complete security questionnaires and assessments from biopharma and medtech clients accurately and on time.
- Support commercial and contractual discussions on security, privacy, and data processing terms (e.g., DPAs).
- Maintain a library of reusable security documentation, certifications, and answers to accelerate client reviews.
- Secure and govern our Microsoft 365 environment — Entra ID, Microsoft Defender, Microsoft Purview, and Intune.
- Own identity and access management: conditional access, MFA, privileged access, joiner/mover/leaver processes, and least-privilege enforcement.
- Implement and tune data loss prevention (DLP), information protection/labelling, and device compliance.
- Partner with IT on secure configuration, patching, and endpoint hardening.
- Run third-party and vendor risk management across our supply chain, including security review of new tools and AI/SaaS vendors.
- Maintain an inventory of vendors and their data access, and reassess risk on a regular cadence.
- Own the incident response plan; lead detection, triage, investigation, containment, and post-incident review.
- Investigate security events (e.g., analysing Entra ID sign-in and audit logs), and produce clear, actionable incident reports.
- Run tabletop exercises so the firm is prepared before an incident happens.
- Build and deliver security awareness training and phishing simulations.
- Make security approachable and practical so the whole firm becomes a partner in protecting client data.
What success looks like:
- First 90 days: You’ve assessed our current posture, identified the highest-priority risks and gaps, and built a clear, prioritised roadmap. You’re already the point person for client security questionnaires.
- First 6 months: Core policies are in place and adopted, the M365 security stack is meaningfully hardened, vendor risk and incident response processes are operating, and certification/attestation work is underway with a credible plan.
- First year: The firm has a mature, sustainable security and compliance program; a defensible data-protection posture under GDPR/UK GDPR; and a smoother, faster client security-review process.
What you’ll bring:
- 5+ years of experience in information security and/or GRC, ideally in an environment that handles sensitive client data (regulated industries, professional services, SaaS, or similar).
- Strong, practical knowledge of GDPR and UK GDPR and day-to-day data protection.
- Hands-on experience with ISO 27001 and/or SOC 2 implementation and audits.
- Working familiarity with the Microsoft security stack (Entra ID, Defender, Purview, Intune).
- Experience responding to client/customer security assessments and questionnaires.
- One or more relevant certifications — for example CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer/Auditor, CIPP/E, or CIPM — or equivalent demonstrable experience.
- Based in the UK with the right to work, and comfortable supporting a globally distributed team across time zones.
- Excellent written and verbal communication: you can translate security and risk into plain business language for leadership, clients, and colleagues.
Strongly preferred:
- Experience standing up or maturing a security/compliance program (not only operating an established one).
- Familiarity with EU and UK regulatory developments such as NIS2 and DORA.
- Experience managing third-party/vendor risk for SaaS and AI tooling.
Nice to have:
- Exposure to life sciences or pharma, and awareness of GxP, GDP, or healthcare data considerations (e.g., HIPAA for US-facing work).
- Experience establishing data-protection or data-risk practices.
We think you need these skills to ace Information Security & Compliance Manager
Information Security Management
Compliance Knowledge
GDPR and UK GDPR Expertise
ISO 27001 Implementation
SOC 2 Audits
Microsoft Security Stack (Entra ID, Defender, Purview, Intune)
Data Protection Impact Assessments (DPIAs)