Role overview
We are recruiting a Senior Information Security Governance Manager to join the Global Information Security team, with a focus on the Governance, Risk and Compliance aspects of Information Security. Reporting directly to the Head of Information Security and with three direct reports, the role holder will own the firm's global information security policies, standards and risk management framework, and will deliver compliance with external security accreditations including ISO27001 and the UK's Cyber Essentials standard.
NB: There is a requirement to work flexible hours 2 days per week to overlap with UK operating hours.
Reports to: Head of Information Security
Career level: Senior Manager
Status: Permanent
Duties and responsibilities
· Manage the information security management system in accordance with the requirements of ISO27001
· Deliver compliance with external security accreditations including ISO 27001 and the UK's Cyber Essentials Plus standard
· Own and develop the firm's Information Security Governance framework
· Manage client information security due diligence questionnaires, as well as bid and tender documents to support business development for clients in APAC and the UK.
· Manage internal and external audits, minimising the impact of audit fieldwork and maximising the relevance and benefit of findings and actions
· Manage information security audit actions to ensure actions identified are managed to completion within the required timescales
· Work across the Legal and Business Services teams to integrate information security practices and initiatives with the firm's operational practices
· Regularly review and evaluate policies, processes, procedures and standards to ensure they are effective and drive continuous improvement for information security
· Deliver information security education, training and awareness programmes
· Maintain the Information Security Risk & Control Register, risk treatment plans and information security improvement programmes
· Undertake regular risk and control assessments with risk and control owners
· Ensure changes to information security risks are reported and escalated where required
· Provide regular governance, risk and compliance reporting utilising key risk and key performance indicators and metrics
· Own and manage the third-party risk management framework
· Undertake regular identity and access management reviews and recertifications
· Ensure timely third-party security assessments on new and existing suppliers
· Maintain current expertise in information security governance, risk and compliance
· Provide Information Security advice to stakeholders
· Line management, mentoring, and coaching of the team
Experience Required
· Extensive experience working in a multinational law firm
· Detailed knowledge of Singapore, Hong Kong and UK information and cyber security regulatory and legislative requirements
· A proven track record delivering information security in accordance with the requirements of information security standards including ISO27001 and the UK's Cyber Essentials Plus standard
· Experience developing and implementing practical information security policies, processes, procedures and standards
· Experience in identity and access governance and user access recertifications
· Demonstrable security risk management knowledge and experience
· Experience in operational risk management frameworks
· Experience in conducting security reviews and/or audits
· Excellent written and verbal communication skills with an emphasis on confidentiality, tact and diplomacy
· Previous experience working in regulated/compliance-oriented environments
· Experience designing and implementing controls and delivering compliance with ISAE 3402 / SOC 2
· Solid experience in information security governance roles
· Solid experience leading, managing, and mentoring people
Attributes
· Knowledge and experience across cyber security, information security and risk management in the following areas: Access Control and Management, Threat and Vulnerability Management, Data Loss Prevention, Malware Protection, Incident Management, Information Classification, Education and Awareness, Software Development Lifecycle, Cloud Security
· Knowledge of best practice security standards
· Strong presentation skills with proven ability to successfully interface with and influence at all levels
· Holds at least one of the following: Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or ISO27001 Lead Auditor
· Excellent stakeholder management skills
· Comfortable having difficult conversations
· Strong analytical, investigative and independent problem-solving skills
· Able to work independently and manage own workload
· Well organised, with an analytical and logical approach and attention to detail
· Client focussed – able to focus on the ‘big picture’
· Capable of innovative problem-solving and process improvements
· Strong and resilient character – able to overcome resistance
· Self-motivated, energetic and enthusiastic manner
· Flexible and reliable team player