Information Security Manager

As a leading professional services firm, we are seeking a highly skilled Information Security Manager to join our Information Security & Risk department. The successful candidate will be responsible for running our business continuity framework alongside maintaining and enhancing our information security management programme. This pivotal role covers planning, testing and training for business continuity, third party security risk management, business impact assessments, ISO 27001 governance, policy management, and internal auditing in line with global best practices.

Key Responsibilities

• Business Continuity Management
  • Lead the development, update and ongoing management of the firm's Business Continuity Plans (BCP), ensuring it remains current and effective across all jurisdictions.
  • Organise and conduct BCP tests with local business continuity groups, including documentation, reporting and follow-up of test outcomes.
  • Provide business continuity training and run targeted group business continuity sessions for employees.
  • Undertake Business Impact Assessments (BIAs) with various teams to ensure understanding and documentation of Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), system criticality and dependencies, supporting disaster recovery planning.
• Security and Third Party Risk Management
  • Manage and complete information security assessments and Due Diligence Questionnaires (DDQs) received from clients.
  • Support outgoing third party assessments, onboarding and risk reviews, including working directly with third parties to address security requirements.
  • Oversee third party risk management from a security perspective, ensuring risks are documented, reported and mitigated as appropriate.
• ISO 27001 Governance and Internal Audit
  • Support the firm's ongoing ISO 27001 certification and framework, including continuous improvement of the ISMS (Information Security Management System).
  • Develop and maintain the firm's information security policies and procedures in line with industry best practice and regulatory requirements across all jurisdictions.
  • Undertake clause-based auditing, policy reviews and control monitoring as part of the ISO 27001 role.
  • Liaise with internal and external auditors and regulatory bodies during information security audits and reviews.
• Training and Awareness
  • Deliver induction and information security training for all new joiners to the firm.
  • Develop and run targeted information security training and awareness programmes for specific business units.
  • Maintain a high level of information security awareness across the business through communications and engagement initiatives.
• Other Responsibilities
  • Support the firm's response to information security incidents, including investigation, documentation and coordination as required.
  • Keep abreast of latest trends, threats and technologies; provide advisory and guidance as appropriate.
  • Contribute to a culture of continual improvement, integrity, confidentiality and resilience across the firm.

Skills, Knowledge and Expertise

• Proven experience in information security management, business continuity planning and risk management, ideally within a professional services or legal firm environment.
• Experience supporting and/or maintaining ISO 27001 certification and managing an ISMS.
• Strong knowledge of business impact assessments, disaster recovery, RTOs/RPOs, and system criticality mapping.
• Excellent communication and interpersonal skills, with the ability to deliver effective training and collaborate across global teams.
• Analytical and detail-oriented, with a proactive approach to risk identification and mitigation.
• Professional certifications such as CISSP, CISM, ISO 27001 Lead Implementer/Auditor, CBCP, or equivalent are desirable.