At a Glance
- Tasks: Lead and shape our information security and compliance programme in a fast-paced consultancy.
- Company: Join a rapidly growing strategic consulting firm in the life sciences industry.
- Benefits: Enjoy remote/hybrid work, competitive salary, and opportunities for professional growth.
- Other info: Be part of a dynamic team with direct access to leadership and ownership of your role.
- Why this job: Make a real impact on data security and governance in an AI-forward environment.
- Qualifications: 5+ years in information security, strong GDPR knowledge, and relevant certifications.
The predicted salary is between 70000 - 90000 £ per year.
Overview
Blue Matter is a rapidly growing strategic consulting firm serving clients in the life sciences industry.
We partner with our clients to help them achieve commercial success across the lifecycle of their products, portfolios and organisations.
Our project types include new product planning, launch strategy & planning, brand & life cycle planning and corporate & portfolio strategy, across a variety of specialty therapeutic areas.
We have a unique entrepreneurial culture and invest in building Blue Matter to be one of the best places to work.
We have a strong global presence with offices in the US (San Francisco, New York, Boston), Europe (London, Zurich, Netherlands), and India (Mumbai, Gurgaon, Pune).
Why this role exists
Our clients are among the most security- and privacy-conscious organizations in the world, and they trust us with highly sensitive commercial and scientific information.
- At the same time, our internal AI platform,
- Blue Cortex
, is becoming central to how we serve them — which raises both the stakes and the opportunity around how we govern data and technology.
As we grow, we need a dedicated owner for information security and compliance.
This role sits in our Technology & Operations team and is based in the UK — giving us strong coverage of GDPR and UK GDPR obligations, alignment with European clients and subsidiaries, and time-zone support for our global team.
This is a hands-on, high-ownership role — not a tick-box function.
You’ll build and run the firm’s security and compliance program end-to-end, and you’ll be the trusted point of contact when clients ask how we protect their data.
It’s ideal for someone who wants to shape a program in a fast-moving, AI-forward consultancy rather than maintain one that already exists.
- What you’ll do
- Security governance and strategy
- Own and run Blue Matter’s information security program end-to-end, including for Blue Cortex.
- Define, maintain, and operationalize security policies, standards, and procedures, and keep them current as the firm scales.
- Maintain the risk register, run regular risk assessments, and drive remediation to closure.
- Report on security and compliance posture to leadership in clear, business-oriented terms.
- Compliance and certifications
- Drive certification and attestation efforts (e. g., ISO 27001 and/or SOC 2): design and maintain the control framework, own the documentation and evidence, and lead internal and external audits.
- Build a sustainable, “always-audit-ready” approach rather than a once-a-year scramble.
- Track relevant regulatory and framework developments and translate them into practical action.
- Data protection and privacy
- Lead data protection under GDPR and UK GDPR; act as, or closely support, our Data Protection function.
- Maintain records of processing (Ro PA), conduct Data Protection Impact Assessments (DPIAs), and own data-handling, retention, and minimization policies.
- Manage data subject requests and any personal-data incidents, including regulator and individual notifications where required.
- Oversee data transfer mechanisms and data residency considerations across our global footprint and subsidiaries.
- Client security assurance
- Own the response to client security due-diligence: complete security questionnaires and assessments from biopharma and medtech clients accurately and on time.
- Support commercial and contractual discussions on security, privacy, and data processing terms (e. g., DPAs).
- Maintain a library of reusable security documentation, certifications, and answers to accelerate client reviews.
- Microsoft 365 security operations
- Secure and govern our Microsoft 365 environment — Entra ID, Microsoft Defender, Microsoft Purview, and Intune.
- Own identity and access management: conditional access, MFA, privileged access, joiner/mover/leaver processes, and least-privilege enforcement.
- Implement and tune data loss prevention (DLP), information protection/labelling, and device compliance.
- Partner with IT on secure configuration, patching, and endpoint hardening.
- Third-party and vendor risk
- Run third-party and vendor risk management across our supply chain, including security review of new tools and AI/Saa S vendors.
- Maintain an inventory of vendors and their data access, and reassess risk on a regular cadence.
- Incident response and investigations
- Own the incident response plan; lead detection, triage, investigation, containment, and post-incident review.
- Investigate security events (e. g., analysing Entra ID sign-in and audit logs), and produce clear, actionable incident reports.
- Run tabletop exercises so the firm is prepared before an incident happens.
- Security awareness and culture
- Build and deliver security awareness training and phishing simulations.
- Make security approachable and practical so the whole firm becomes a partner in protecting client data.
- What success looks like
First 90 days
You’ve assessed our current posture, identified the highest-priority risks and gaps, and built a clear, prioritized roadmap.
You’re already the point person for client security questionnaires.
First 6 months
Core policies are in place and adopted, the M365 security stack is meaningfully hardened, vendor risk and incident response processes are operating, and certification/attestation work is underway with a credible plan.
First year
The firm has a mature, sustainable security and compliance program; a defensible data-protection posture under GDPR/UK GDPR; and a smoother, faster client security-review process.
- What you’ll bring
- Required
- 5+ years of experience in information security and/or GRC, ideally in an environment that handles sensitive client data (regulated industries, professional services, Saa S, or similar).
- Strong, practical knowledge of GDPR and UK GDPR and day-to-day data protection.
- Hands-on experience with ISO 27001 and/or SOC 2 implementation and audits.
- Working familiarity with the Microsoft security stack (Entra ID, Defender, Purview, Intune).
- Experience responding to client/customer security assessments and questionnaires.
- One or more relevant certifications — for example CISSP, CISM, CISA, CRISC, ISO 27001 Lead Implementer/Auditor, CIPP/E, or CIPM — or equivalent demonstrable experience.
- Based in the UK with the right to work, and comfortable supporting a globally distributed team across time zones.
- Excellent written and verbal communication: you can translate security and risk into plain business language for leadership, clients, and colleagues.
- Strongly preferred
- Experience standing up or maturing a security/compliance program (not only operating an established one).
- Familiarity with EU and UK regulatory developments such as NIS2 and DORA.
- Experience managing third-party/vendor risk for Saa S and AI tooling.
- Nice to have
- Exposure to life sciences or pharma, and awareness of Gx P, GDP, or healthcare data considerations (e. g., HIPAA for US-facing work).
- Experience establishing data-protection or data-risk practices.
- Experience supporting M&A or subsidiary integration from a security and compliance perspective.
- Who thrives here
- Builders who want to own a program and shape it, not just keep the lights on.
- Pragmatic risk managers who right-size controls to the business instead of defaulting to maximum friction.
- Clear communicators who can earn trust with clients, leadership, and engineers alike.
- People genuinely interested in the security and governance challenges of a modern, AI-forward firm.
- How we work
A small, capable Technology & Operations team with real ownership and direct access to leadership.
You’ll have the autonomy to build the program the right way — and the visibility that comes with being the firm’s security and compliance lead.
This is a remote/hybrid role based in the UK with occasional travel for team collaboration.
#J-18808-Ljbffr
StudySmarter Expert Advice🤫
We think this is how you could land Information Security & Compliance Manager in London
✨Join Compliance Communities
Get involved in compliance and risk communities — both online and offline. Look for forums, LinkedIn groups, or even local meetups where compliance pros hang out. You never know who might drop a job opportunity your way!
✨Attend Industry Conferences
Keep an eye out for compliance and risk management conferences and workshops in your area. These events are a goldmine for networking, and they often have job boards or recruiters on-site looking for new talent. Plus, it’s a chance to learn what's trending in the field.
✨Leverage Your University Career Services
If you’ve recently graduated or are still studying, head over to your university's career services. Many companies, including those in compliance, actively recruit fresh talent through these services, so make sure you tap into that resource.
✨Showcase Your Knowledge Online
Start writing articles or blog posts about compliance topics that interest you. Share them on platforms like LinkedIn to demonstrate your knowledge and passion. This not only builds your presence in the field but can also catch the attention of companies like bluematterconsulting looking for candidates who are engaged and informed.
We think you need these skills to ace Information Security & Compliance Manager in London
Some tips for your application 🫡
Show Your Understanding of Compliance:In the compliance-risk field, it's super important to showcase your understanding of regulations and risk management frameworks. Highlight any relevant coursework, certifications (like ICA or AML), or even projects that demonstrate your knowledge and commitment to this area. We want to see how you can navigate this complex landscape!
Quantify Your Achievements:When detailing your experience, try to quantify your achievements. For example, if you've previously worked on a project that improved compliance metrics or reduced risk exposure, give us the numbers! This data-driven approach really stands out to hiring managers in compliance-risk roles.
Tailor Your CV to Reflect Relevant Skills:Make sure your CV highlights skills that are particularly relevant to compliance, like attention to detail, analytical thinking, and report writing. Ensure these are easy to spot – consider using bullet points to break down your responsibilities and achievements for maximum impact!
Craft a Motivating Cover Letter:In your cover letter, let us know why you’re excited about the compliance-risk role at bluematterconsulting. Share what motivates you about compliance, and how you believe you can contribute to our mission. This is your chance to showcase not only your skills but also your passion for this important field!
How to prepare for a job interview at bluematterconsulting
✨Master the Regulations
Brush up on key compliance regulations relevant to the industry you're applying to. Familiarising yourself with specific laws and frameworks used in your field will give you an edge during technical questions. Show that you’re not just aware of them but can also apply them—think real-life scenarios!
✨Show Your Analytical Skills
Compliance roles really focus on analytical skills, so be prepared for case studies or situational questions during the interview. We've got to demonstrate how we approach risk assessments or compliance audits, possibly drawing on examples from past experiences or university projects. Bring some thoughtful case scenarios to discuss!
✨Know Your Tools
Get comfortable with commonly used compliance software and tools. Familiarity with platforms like RSA or MetricStream can really impress during your interview, as it shows you're ready to hit the ground running. If you’ve had any experience with them, make sure to highlight that!
✨Align with Company Culture
Since it's a full-time position, show your long-term commitment and interest in the company’s mission and values. Dive into how your ethics and professional philosophy align with bluematterconsulting’s stance on compliance. A shared vision can really resonate with interviewers looking for fit as much as skill!