Senior Information Security Lead — ISMS & Compliance in Birmingham

About the company

At Mace Construct, our purpose is to redefine the boundaries of ambition. We are innovators, trusted partners, construction experts. Founded on a belief that the built environment sector could be more efficient, innovative and responsible. We've built a reputation and track record for delivering projects better than ever before: safer, faster and greener. Transforming industries, supporting communities and leaving legacies.

About the project

Mace Dragados Joint Venture (MDJV) is the construction partner for the new HS2 Euston and Curzon Street Stations, working with HS2 Ltd and design partners to deliver new platforms, concourse structures, and interchange rail links.

About the role

The Information Security Lead is responsible for maintaining and continuously improving the Information Security Management System (ISMS), including supporting processes, across two major UK public infrastructure programmes delivered under a joint venture in Birmingham and London. The role ensures compliance with the client's contractual information and cyber security requirements, as well as parent-company and regulatory obligations. The postholder is also accountable for retaining ISO 27001 and Cyber Essentials Plus certifications, and for meeting the security obligations associated with nationally significant infrastructure projects.

What you'll be doing

• Develop and own our organisation-wide information security strategy, aligning it with client, parent company and regulatory requirements.
• Ensure compliance with the client's contractual information security and cyber security obligations, as detailed in the project's Information Security and Cyber Security Management Plan.
• Maintain the disaster recovery plan and incident management response aligned to parent company and client requirements.
• Lead the ICT Security team in implementing and maintaining secure IT systems.
• Lead on Data Protection Compliance through digital / project systems, maintaining / auditing systems and coordinating breach handling.
• Manage data retention systems across the project.
• Own the ISMS suite of policies, ensuring they remain current and embedded across the project.
• Provide IS performance reporting to Senior Leadership and the client.
• Maintain the ISO 27001, PAS1192-5 and Cyber Essentials Plus certifications through ongoing compliance and surveillance audits.
• Monitor and enforce information security requirements across the supply chain, including compliance checks and delivering supply chain audits for information security.
• Lead incident response efforts-investigating, containing, and remediating security events with precision and speed.
• Oversee security awareness training, empowering every employee to be a first line of defence.
• Collaborate with other discipline and IT teams to embed security into procurement, design, construction delivery and Handover.
• Undertake system access reviews and conduct regular risk assessments to identify and address weaknesses.
• Manage relationships with external auditors, regulators, and security vendors.
• Keep ahead of evolving threats, tools, and compliance frameworks (ISO 27001, NIST, GDPR, etc.).
• Manage Contractor Assessment, onboarding and IT exit Plans.
• Training and developing the project team and contractors around ICSC awareness.

What you'll bring

• Minimum 5 years' experience in an information security management role.
• Strong knowledge of IS principles, frameworks and risk management.
• Ability to develop and enforce IS policies.
• Experience in IT security infrastructure, including access controls, network security, endpoint protection, and secure communications.
• Cyber Essentials auditing.
• Hold a recognised information security qualification such as CISSP, CISM or ISO/IEC 27001 Lead Implementer / Lead Auditor.
• Compliance for BPSS clearance.
• Confident presenting to senior leadership, clients and non-technical audiences.
• Line management experience.

Nice to have

• Strong understanding of UK data protection legislation (UK GDPR, Data Protection Act 2018) and NIS Regulations.
• Competence in leading internal and external information security audits.
• Experience in creating and delivering training.
• Bachelor's degree or equivalent professional experience.

Mace is an inclusive employer and welcomes interest from a diverse range of candidates. Even if you feel you do not fulfil all of the criteria, please apply as you may still be the best candidate for this role or another role within our organisation.