Cyber Security & Privacy Manager in London

The ISP Cyber Security & Privacy Manager will own and operate ISP’s technology security and data privacy control framework across TDDA platforms, integrations, and data products. This role operationalises security-by-design and privacy-by-design across delivery, ensuring ISP operates with IPO-grade controls, audit-ready evidence, and consistent gating of change. The role is not advisory only — it has active decision rights to define controls and block non-compliant delivery.

Scope & Complexity

• Enterprise-wide, multi-country environment
• Operates across ERP, HRIS, SIS, CRM, EdTech, Data Platform, Integrations and AI products
• Works with outsourced cyber partners but retains ISP accountability
• Balances strong control with pragmatic delivery enablement

ISP Principles

• Begin with our children and students. Our children and students are at the heart of what we do. Simply, their success is our success. Wellbeing and safety are both essential for learners and learning. Therefore, we are consistent in identifying potential safeguarding and Health & Safety issues and acting and following up on all concerns appropriately.
• Treat everyone with care and respect. We look after one another, embrace similarities and differences and promote the well-being of self and others.
• Operate effectively. We focus relentlessly on the things that are most important and will make the most difference. We apply school policies and procedures and embody the shared ideas of our community.
• Are financially responsible. We make financial choices carefully based on the needs of the children, students and our schools.
• Learn continuously. Getting better is what drives us. We positively engage with personal and professional development and school improvement.

Key Responsibilities

• Security & Privacy Governance Operating Model
  • Design and operate TDDA security and privacy governance framework
  • Maintain TDDA technology risk register inputs
  • Establish security/privacy decision forums and cadence
  • Produce quarterly security & privacy posture report
• Privacy-by-Design & DPIA Operations
  • Define DPIA thresholds and workflow
  • Own DPIA templates and guidance
  • Ensure DPIAs are embedded into demand-to-delivery process
  • Maintain DPIA register and evidence
• Security Architecture Standards
  • Define mandatory security patterns for:
  • Identity & access management
  • Encryption (at rest & in transit)
  • Logging & monitoring
  • Segregation of duties
  • Key management
• Delivery Gating & Controls
  • Ensure initiatives touching data, integrations or AI are security & privacy reviewed
  • Gate releases through CAB where controls are not met
  • Ensure security and privacy evidence is part of release readiness
• Third-Party & Vendor Risk
  • Define minimum security/privacy assurance requirements
  • Support vendor due diligence
  • Maintain third-party assurance register
• Audit & Evidence
  • Maintain audit-ready evidence packs:
  • Access reviews
  • DPIAs
  • Change logs
  • Third-party assurance
  • Support internal and external audits
• Enablement
  • Define secure SDLC expectations with Engineering & Architecture
  • Provide training and guidance to TDDA teams
• Decision Rights
  • Define mandatory security and privacy controls for TDDA delivery
  • Gate or block releases where controls are not met
  • Define minimum third-party assurance requirements

Key Responsibilities (Day-to-Day)

• Run DPIA process
• Maintain security standards catalogue
• Review designs through Design Authority
• Participate in CAB
• Track and report risks

Key Deliverables (First 6 Months)

• DPIA workflow live and embedded
• TDDA security standards catalogue
• Third-party assurance checklist
• Quarterly security & privacy report
• First full evidence pack

Success Measures / KPIs

• 100% qualifying initiatives gated through DPIA & security review
• Reduction in unknown integrations / shadow data flows
• Audit evidence completeness and timeliness
• Improved access governance (review completion, least privilege adoption)

Skills, Qualifications and Experience

• 8–10+ years in cyber security and/or privacy operations
• Experience in regulated, multi-country environments
• Strong DPIA and vendor risk expertise
• Risk-based thinking
• Pragmatic control design
• Clear communicator
• Calm under pressure

ISP Commitment to Safeguarding Principles

ISP is committed to safeguarding and promoting the welfare of children and young people and expects all staff and volunteers to share this commitment. All post holders are subject to appropriate vetting procedures, including an online due diligence search, references and satisfactory Criminal Background Checks or equivalent covering the previous 10 years’ employment history.

ISP Commitment to Diversity, Equity, Inclusion, and Belonging

ISP is committed to strengthening our inclusive culture by identifying, hiring, developing, and retaining high-performing teammates regardless of gender, ethnicity, sexual orientation and gender expression, age, disability status, neurodivergence, socio-economic background or other demographic characteristics. Candidates who share our vision and principles and are interested in contributing to the success of ISP through this role are strongly encouraged to apply.