Information Security Governance, Risk and Assurance Manager

Full-Time | £36,000 - £60,000 / year (est.) | No home office possible
London North Eastern Railway

At a Glance

  • Tasks: Lead information security governance and risk management to protect against cyber threats.
  • Company: Join LNER, a progressive and responsible train operating company.
  • Benefits: Free travel, discounts, generous pension, and health & wellbeing schemes.
  • Why this job: Shape the future of rail travel while ensuring top-notch information security.
  • Qualifications: Experience in IT with a focus on information security principles.
  • Other info: Inclusive culture with opportunities for personal and professional growth.

The predicted salary is between £36,000 and £60,000 per year.

This position is fixed term for 24 months.

LNER is adapting to ensure timely, accurate and focused support to protect against the growing cyber threat the company is facing. The InfoSec team are involved in several flagship projects including those specifically coming through the East Coast Digital Programme and the introduction of the new CAF fleet. This is a truly exciting time for InfoSec at LNER and we’re pleased to be recruiting for an Information Security Governance, Risk and Assurance Manager to join our team based in York.

As our Information Security Governance, Risk and Assurance Manager, you’ll be responsible for developing, enhancing and optimising information security governance, assurance and awareness across the company. You’ll oversee all Information Security Governance, Risk and Assurance activities, supporting the business in maintaining our ISO27001 certification, PCI DSS accreditations and aligning to the NIS Directive in line with the franchise agreement and any future requirements identified by LNER.

A key part of this role involves owning the Information Security Risk register, ensuring risks are appropriately identified, clearly articulated, assigned to risk owners and treatment plans are agreed and signed off. You will confidently influence stakeholders at all levels to prioritise treatment or acceptance of these risks in line with any Information Security Risk matrix adopted.

You’ll also be involved in:

  • Implementing a robust vulnerability management platform within the business and developing strong relationships with internal stakeholders to ensure information security management is best in class.
  • Managing the information security awareness programme, covering all areas of information security including basic awareness through to modules aimed at GDPR, PCI DSS and understanding phishing attacks.
  • Managing all aspects of the LNER Information Security Third Party Assurance Framework which ensures suppliers manage security to the same high levels as within the business.
  • PCI DSS compliance, ensuring evidence is collated for all retail processes across the company to support obtaining or maintaining compliance with PCI DSS.
  • Managing GDPR compliance arrangements relating to governance and assurance, relevant to LNER and its third-party suppliers, ensuring the business is meeting its obligations under the regulation.
  • Ensuring that NIS Directive required Policy & Processes are embedded within LNER and will be sustainable throughout the life of the franchise.
  • Investigating minor security breaches within a defined area of responsibility to maintain compliance with internal security policies.
  • Conducting security assessments through vulnerability testing and risk analysis.
  • Performing both internal and external security audits, ensuring they align to ISO27001 and any other relevant Information Security standards adopted by the company.
  • Continuously updating the company’s incident response and disaster recovery plans.

This role will involve some travel offsite and occasional overnight stays. This role really does offer the opportunity to be involved in shaping and maturing information security governance within LNER, ensuring resilience, trust, and regulatory confidence across the business.

What do you need? We’re looking to hear from people with the following experience:

  • Significant and relevant experience in an IT role that includes information security or information security principles as a key element of the role.
  • A recognised industry security certification such as CISMP or equivalent.
  • Experience of establishing and managing an information risk management framework, either in an ISO27001 or PCI DSS environment.
  • Experience with network security and with system, security and network monitoring tools.
  • Professional and technical knowledge, with an extensive and in-depth understanding of the application, interpretation, and compliance requirements of the NIS Directive, ISO27001, PCI DSS, GDPR, and other security standards.
  • Proven experience in managing relationships with suppliers and the ability to manage suppliers to ensure information security remains a managed deliverable and is monitored appropriately.
  • Proven experience in managing internal and external information security communication channels and an ability to work across all levels of the organisation.

What you’ll get:

  • Free travel on LNER + 75% off other companies’ tickets (for you & dependents).
  • Discounted international train tickets (after one year’s service).
  • 50% discount on LNER tickets for friends & family.
  • Generous pension scheme.
  • Annual cycle to work schemes.
  • Discount, savings and cashback scheme from top retailers.
  • Health & wellbeing schemes and discounts.
  • Host of training opportunities to help further your career.
  • Rewards & awards to recognise when you shine.

What we believe: To be the most loved, progressive and responsible train operating company, we must make a meaningful difference – always doing what’s right for our customers, our people, the communities and destinations we serve, the future of the industry we lead and the environment we cherish. We know that our people are the beating heart of everything we do. We are committed to creating an inclusive, engaged culture that supports everyone at every stage of their journey – and ensures that when you’re at LNER, you can always be you. No wonder most people never want to leave!

Diversity and inclusion: We are passionate about creating a diverse and inclusive workforce, representative of the communities we serve, and are creating ways to inspire diverse talent to join LNER.

Developing our people: We are focused on creating a learning culture, to support our people to be the best they can be at work by providing them with the tools and resources to navigate their development and career journey.

Health & wellbeing: To create a culture where our people can perform at their best, the physical health and mental wellbeing of our people is of paramount importance to us.

Disclosure and Barring Service (DBS) Check: If you are successful in your application and are new to the business, we will undertake a basic DBS check as part of our pre‑employment checks. This only happens once we have conditionally offered you the job. Here we check for any unspent convictions and conditional cautions under the Rehabilitation of Offenders Act (ROA) 1974. If there is evidence of an unspent conviction or conditional caution, the details of these are reviewed internally by a cross-functional panel on a case-by-case basis before a final offer of employment is issued. This however may result in any offer being withdrawn. Further information on how we collect and use this data is available on our privacy notice.

Medical screening: We’re a safety conscious business so for all roles you’ll need to pass a medical screening and a drugs and alcohol test before we send you an unconditional job offer. For our safety critical roles, you’ll also need to have a safety critical medical. Our friendly, in‑house Health and Wellbeing team will arrange a pre‑employment medical for you at a time and place to suit you. The sooner, the better, so please be flexible with your availability. Once your medical gets the thumbs up, we’ll finalise any last details and look forward to you joining our team.

What next? Start your journey here - Apply now!

Information Security Governance, Risk and Assurance Manager employer: London North Eastern Railway

LNER is an exceptional employer that prioritises the well-being and development of its employees, offering a vibrant work culture in York. With generous benefits such as free travel, a robust pension scheme, and extensive training opportunities, LNER fosters an inclusive environment where every team member can thrive and contribute to shaping the future of rail travel. Join us to be part of a forward-thinking team dedicated to making a meaningful impact in the communities we serve.

Contact Detail:

London North Eastern Railway Recruiting Team

StudySmarter Expert Advice 🤫

We think this is how you could land Information Security Governance, Risk and Assurance Manager

✨Tip Number 1

Network like a pro! Reach out to current employees at LNER on LinkedIn or other platforms. Ask them about their experiences and any tips they might have for your application process. It’s all about making connections!

✨Tip Number 2

Prepare for the interview by researching LNER's values and recent projects. Show how your skills in information security align with their mission to be progressive and responsible. Tailor your answers to reflect their culture!

✨Tip Number 3

Practice common interview questions related to governance, risk management, and assurance. Use the STAR method (Situation, Task, Action, Result) to structure your responses. This will help you articulate your experience clearly.

✨Tip Number 4

Don’t forget to follow up after your interview! A simple thank-you email can go a long way. It shows your enthusiasm for the role and keeps you fresh in their minds. Plus, it’s a great chance to reiterate your fit for the position!

We think you need these skills to ace Information Security Governance, Risk and Assurance Manager

Information Security Governance
Risk Management
ISO27001
PCI DSS
NIS Directive Compliance
Vulnerability Management
GDPR Compliance
Security Audits
Incident Response Planning
Stakeholder Engagement
Supplier Relationship Management
Security Awareness Training
Network Security
Risk Assessment
Communication Skills

Some tips for your application 🫡

Tailor Your CV: Make sure your CV is tailored to the Information Security Governance, Risk and Assurance Manager role. Highlight relevant experience and skills that align with the job description, especially around ISO27001, PCI DSS, and risk management.

Craft a Compelling Cover Letter: Your cover letter is your chance to shine! Use it to express your passion for information security and how your values align with LNER's. Be bold and show us why you’re the perfect fit for our team.

Showcase Your Achievements: Don’t just list your responsibilities; showcase your achievements in previous roles. Use specific examples of how you've improved security measures or managed risks effectively. Numbers and outcomes speak volumes!

Apply Through Our Website: We encourage you to apply through our website for a smoother application process. It’s the best way for us to receive your application and ensures you don’t miss out on any important updates from our team.

How to prepare for a job interview at London North Eastern Railway

✨Know Your Stuff

Make sure you brush up on your knowledge of information security principles, especially ISO27001, PCI DSS, and the NIS Directive. Be ready to discuss how you've applied these in previous roles, as this will show you're not just familiar with the terms but can actually implement them.

✨Showcase Your Experience

Prepare specific examples from your past work that demonstrate your experience in managing information security risks and frameworks. Use the STAR method (Situation, Task, Action, Result) to structure your answers, making it easy for the interviewers to see your impact.

✨Engage with Stakeholders

Since this role involves influencing stakeholders at all levels, think about how you’ve successfully communicated complex security concepts to non-technical audiences. Be ready to share examples of how you’ve built relationships and gained buy-in for security initiatives.

✨Ask Insightful Questions

Prepare thoughtful questions about LNER's current security challenges and future projects. This shows your genuine interest in the role and helps you understand how you can contribute to their goals. Plus, it gives you a chance to assess if the company culture aligns with your values.
