Information Security Manager in City of Westminster

The InfoSec Manager owns and drives the SCS’s Information Security Management System (ISMS), ensuring it stays certified, compliant, and continually improving. The role is accountable for maintaining compliance with ISO 27001, Cyber Essentials Plus, and the HS2 information security requirements set out in WI‑835, including BPSS screening and UK‑based data hosting. The purpose is to achieve, maintain, and demonstrate full compliance for the duration of the project while strengthening security governance, reducing risk, and keeping the ISMS audit‑ready.

Key Responsibilities

• Lead the implementation, maintenance, and continual improvement of the ISMS in line with ISO 27001.
• Ensure the ISMS remains audit‑ready, risk‑driven, and aligned with organisational and contractual requirements.
• Own and maintain the full suite of ISMS documentation including policies, processes, procedures, standards, and records.
• Achieve and maintain ISO 27001 certification, ensuring controls, evidence, and processes remain compliant year‑round.
• Achieve and maintain Cyber Essentials Plus certification, leading the implementation of required technical and organisational controls.
• Ensure compliance with HS2 WI‑835 requirements, including BPSS screening and UK‑based data hosting.
• Lead a comprehensive audit programme (internal, external, CE+, penetration testing) to assess control effectiveness and drive corrective actions.
• Maintain and communicate an effective information security risk management framework that enables informed decision‑making at senior levels.
• Drive proactive risk identification, assessment, treatment, and monitoring across the organisation.
• Recommend and deploy organisational and technical controls that are proportional, cost‑effective, and aligned with risk appetite and available resources.
• Champion a strong security culture across SCS JV, ensuring policies and expectations are understood and embedded.
• Lead the design and delivery of security training and awareness, ensuring all staff— from the board to delivery units—maintain good security behaviours.
• Influence and support process owners to improve processes where security weaknesses are identified.
• Work within and improve existing processes to enhance security governance and operational efficiency.
• Ensure security requirements are considered in projects, procurement, supplier onboarding, and change initiatives.
• Lead, mentor, and develop junior InfoSec team members, ensuring the team has the competence and capability to run an effective ISMS.
• Influence senior managers to secure the necessary resources to sustain and improve the security function.
• Drive continual improvement of security controls, behaviours, and processes in line with ISO 27001, Cyber Essentials, and industry best practice.
• Track emerging risks, threats, and compliance changes, ensuring the ISMS evolves to remain effective and relevant.

Essential Qualifications

• Demonstrable experience working with ISO 27001 and/or an ISO 27001 aligned ISMS.
• Demonstrable experience working with Cyber Essentials.
• Certified Information Security Manager (CISM) or equivalent qualification.
• Demonstrable understanding of cloud technology.
• Demonstrable working understanding of security technology and how it’s deployed to create effective technical controls (e.g., firewalls, IDS, IAM, MFA, SSO, DLP, CASB, MDM, EDR).
• Demonstrable risk‑management knowledge and the ability to influence senior management on risk treatment decisions.
• Working knowledge of Microsoft 365 and associated applications (e.g., Windows, Word, Excel, PowerPoint).
• Working knowledge of the UK Data Protection Act (DPA) / GDPR.
• Demonstrable good level of written and spoken English.

Desirable Qualifications

• Commonly identifiable security qualification (e.g., CISA, CRISC, CDPSE, CGEIT, CCOA, CISSP).
• Experience of other InfoSec standards (e.g., NIST, PCI‑DSS, SOC).
• Working knowledge of Microsoft 365 / Azure security.
• Experience leading audit processes (internal, external, pen testing).
• Experience with recent cyber security incidents.
• Expert knowledge of Microsoft 365 and its associated applications.
• Ability to demonstrate that you meet the minimum job criteria and person specification.

Salary Competitive with excellent benefits package. Flexible working: We welcome you to ask about flexibility you need—part‑time, remote or compressed hours. We will explore what’s possible.