Lead Information Security Analyst, GRC in Edinburgh

Edinburgh Full-Time 60000 - 80000 £ / year (est.) No home office possible
Cirrus Logic

At a Glance

  • Tasks: Lead and enhance our information security governance, risk management, and compliance programme.
  • Company: Join Cirrus Logic, a leader in mixed-signal processing with an award-winning culture.
  • Benefits: Enjoy a hybrid work model, competitive salary, and opportunities for professional growth.
  • Other info: Be part of a collaborative environment that values diversity and innovation.
  • Why this job: Make a real impact on security while working with cutting-edge technologies and diverse teams.
  • Qualifications: Experience in information security, GRC, and strong analytical skills required.

The predicted salary is between 60000 - 80000 £ per year.

For over four decades, Cirrus Logic has been propelled by top engineers in mixed‑signal processing. Our team thrives on solving complex challenges with innovative end‑user solutions for the world's top consumer brands. Cirrus Logic is known for its award‑winning culture, built on inclusion and fairness, meaningful community engagement, and enjoyable employee experiences. We invite you to join us and help make Cirrus Logic an exceptional place to grow your career.

We are seeking a highly motivated, experienced professional to join the Cirrus Logic Information Security team as a Lead Information Security Analyst – Governance, Risk Management & Compliance (GRC). You will be responsible for designing, operating, and continuously improving our ISO 27001‑aligned governance, risk, and compliance program, with a focus on integrated risk management, third‑party risk management, and security control effectiveness. You will also help define, refine, and operationalise the responsible use of AI technologies and services across the enterprise.

Key Responsibilities

  • Lead day‑to‑day operation and continuous improvement of our ISO 27001‑aligned ISMS, including policies, standards, and control procedures.
  • Develop, maintain, and socialise information security policies, standards, and guidelines; manage exceptions and ensure decisions are risk‑based, documented, and periodically reviewed.
  • Lead security risk and control assessments for new systems, services, and business initiatives, partnering with security, IT, and business owners to identify threats, evaluate design and operating effectiveness of controls, and document and track risk treatment plans. This includes evaluating AI/ML use cases for security, data protection, and misuse risks.
  • Plan and execute third‑party risk assessments for suppliers and service providers, including review of third‑party security questionnaires, trust documents, and remediation plans to ensure third‑party security meets Cirrus Logic’s requirements.
  • Analyze risks across technologies and business processes, prioritise remediation efforts based on business impact and likelihood, and prepare clear risk and control status reports for security leadership and key stakeholders.
  • Configure, administer, and optimise GRC tooling such as ServiceNow GRC or OneTrust GRC to support risk registers, control libraries, assessments, exceptions, and third‑party workflows, including integration with IT and security platforms where appropriate.
  • Coordinate and provide evidence for internal and external audits, customer security assessments, and certifications such as ISO 27001 and SOC‑related reviews.
  • Partner with Legal, HR, and other stakeholders to identify and manage security‑related privacy and regulatory obligations; support privacy risk assessments and data protection controls, and assess privacy implications of AI/ML solutions.
  • Define and maintain security and risk guardrails for the use of AI/ML technologies, including acceptable‑use guidelines, control requirements, and review processes for new AI use cases and vendors.
  • Act as a trusted advisor to team members, IT, and business teams, translating security and risk requirements into practical, implementable solutions that align with engineering and operational realities. Partner closely with IT, engineering, and business teams to embed security, risk, and governance requirements into AI solution design and operation. Work effectively with a globally dispersed team across various time zones.
  • Maintain strong executive presence and outstanding written, verbal, and presentation skills. Communicate complex risk, control, compliance, and program matters clearly to technical teams, business stakeholders, and executive leadership. Develop high‑quality executive‑ready content and support GRC awareness, communications, and training initiatives.

Required Skills and Qualifications

  • Proven experience in Information Security with a strong focus on GRC, risk management, and/or security compliance in a global environment.
  • Bachelor’s degree in cybersecurity, information systems, or a related field, or demonstrated equivalent experience as a security professional in a globally dispersed enterprise.
  • Hands‑on experience with ISO/IEC 27001 (ISMS lifecycle, Annex A controls, risk assessment and treatment) and related security control frameworks such as NIST CSF, ISO 27000, TISAX.
  • Demonstrated experience with Integrated Risk Management (project/solution risk assessments) and Third‑Party Risk Management (vendor due diligence, ongoing monitoring, remediation).
  • Technical fluency across core IT and security domains such as network, endpoint, identity, cloud/SaaS, logging/monitoring, and experience working with Security Engineering, Security Operations, and IT teams.
  • Experience configuring and maintaining an enterprise‑grade GRC platform, preferably ServiceNow GRC, for risk, control, assessment, and exception workflows.
  • Strong analytical and problem‑solving skills, balancing security, compliance, and business objectives in a practical way.
  • Effective communication and interpersonal skills, conveying risk and technical issues to both technical and non‑technical stakeholders, including senior leaders.
  • Proven ability to drive work independently, manage multiple concurrent initiatives, and follow through to completion in a fast‑paced environment.
  • Experience working in high‑tech, engineering, or semiconductor environments is beneficial.
  • Relevant certifications such as ISO 27001 Lead Implementer/Lead Auditor, CISSP, CISM, CISA, CRISC are preferred but not required.

Location and Work Arrangement

Position is based in the Edinburgh office. The role is hybrid, requiring a minimum of two days onsite with flexibility to work from home, depending on business needs. Candidates must live within a commutable distance or be willing to relocate.

Export control restrictions based on applicable laws prohibit candidates who are nationals of certain embargoed countries from working in this position without Cirrus Logic first obtaining an export license. Candidates for this role must be able to access technical data without a requirement for an export license. Cirrus Logic is unable to sponsor or obtain export licenses for this position.

Commitment to Diversity

Cirrus Logic believes that diversity drives innovation and is committed to an open, collaborative culture where everyone can contribute regardless of race, colour, national origin, religion or belief, gender or gender identity, sexual orientation, age, marital status, pregnancy status, or disability.

Lead Information Security Analyst, GRC in Edinburgh employer: Cirrus Logic

Cirrus Logic is an exceptional employer that fosters a culture of inclusion and fairness, providing employees with meaningful community engagement and enjoyable experiences. With a strong commitment to professional growth, the company offers opportunities for career advancement in a dynamic environment, particularly for those in the Lead Information Security Analyst role. Located in Edinburgh, the hybrid work model allows for flexibility while being part of a globally dispersed team, making it an attractive place for talented individuals seeking to make a significant impact in the field of information security.

Contact Detail:

Cirrus Logic Recruiting Team

StudySmarter Expert Advice 🤫

We think this is how you could land Lead Information Security Analyst, GRC in Edinburgh

✨Tip Number 1

Network like a pro! Reach out to current employees at Cirrus Logic on LinkedIn or through mutual connections. Ask them about their experiences and any tips they might have for landing the Lead Information Security Analyst role.

✨Tip Number 2

Prepare for the interview by brushing up on ISO 27001 and GRC concepts. We recommend creating a cheat sheet of key points and examples from your past experience that align with the job description. This will help you articulate your expertise clearly.

✨Tip Number 3

Showcase your problem-solving skills during interviews. Be ready to discuss specific challenges you've faced in information security and how you tackled them. This will demonstrate your analytical abilities and fit for the role.

✨Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets noticed. Plus, it shows your genuine interest in joining Cirrus Logic and being part of our amazing culture.

We think you need these skills to ace Lead Information Security Analyst, GRC in Edinburgh

Information Security
Governance, Risk Management & Compliance (GRC)
ISO 27001
Risk Assessment
Third-Party Risk Management
Integrated Risk Management
Security Control Frameworks (NIST CSF, ISO 27000, TISAX)
GRC Tooling (ServiceNow GRC, OneTrust GRC)
Analytical Skills
Problem-Solving Skills
Communication Skills
Interpersonal Skills
Technical Fluency in IT and Security Domains
Project Management
Executive Presence

Some tips for your application 🫡

Tailor Your CV: Make sure your CV is tailored to the Lead Information Security Analyst role. Highlight your experience with GRC, risk management, and compliance, and don’t forget to mention any relevant certifications you have!

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Use it to explain why you're passionate about information security and how your skills align with Cirrus Logic's mission. Keep it concise but impactful.

Showcase Your Communication Skills: Since this role requires strong communication skills, make sure your application reflects that. Use clear language and structure your documents well to demonstrate your ability to convey complex ideas simply.

Apply Through Our Website: We encourage you to apply through our website for the best chance of being noticed. It’s super easy, and you’ll be able to track your application status directly!

How to prepare for a job interview at Cirrus Logic

✨Know Your GRC Inside Out

Make sure you’re well-versed in Governance, Risk Management, and Compliance principles, especially ISO 27001. Brush up on the key controls and how they apply to real-world scenarios, as you might be asked to discuss your experience with these frameworks during the interview.

✨Showcase Your Analytical Skills

Prepare to demonstrate your analytical and problem-solving abilities. Think of specific examples where you've balanced security needs with business objectives, particularly in risk assessments or third-party evaluations. This will show that you can think critically about complex issues.

✨Communicate Clearly and Confidently

Practice explaining technical concepts in simple terms. You’ll need to convey complex risk and compliance matters to both technical and non-technical stakeholders, so being able to articulate your thoughts clearly is crucial. Consider doing mock interviews to refine this skill.

✨Familiarise Yourself with GRC Tools

If you have experience with GRC platforms like ServiceNow or OneTrust, be ready to discuss it. If not, do some research on how these tools function and their importance in managing risk and compliance. Showing familiarity with these systems can set you apart from other candidates.
