Job description
To assure our clients that we are committed to ensuring the safe and secure handling of their confidential information, PwC UK holds a number of security-related certifications, and maintains mature and robust frameworks aligned to these certifications.
We have a vacancy within the UK Security Risk & Compliance team for an experienced manager to lead the Policy & Audit team and to oversee the UK firm’s existing ISO 27001 and Cyber Essentials (CE) certifications and support internal audit-related requirements.
Reporting to the UK Head of Security Risk & Compliance, this is a key role with primary accountability for the design, implementation and continual improvement of the UK firm’s Information Security Management System (ISMS) and its underpinning processes.
With one direct report, the main purpose of the Policy & Audit manager is to:
Maintain and continuously improve the existing security certifications within the team's remit, such as (but not limited to) ISO 27001, Cyber Essentials (CE) and Cyber Essentials Plus (CE+);
Lead audit-related activities, in particular the ISO 27001 audits across the UK and British Channel Islands and the annual Cyber Essentials audits for the UK;
Establish and maintain trusted relationships with relevant control owners and advise them on audit and compliance activities;
Own key documents and communication to users associated with these certifications;
Lead on and contribute towards policy creation and advise on policy related queries;
Manage remediation of gaps and nonconformities identified within the ISMS and Cyber Essentials;
Investigate discrepancies identified and obtain proposed remedial actions;
Ensure leadership are kept informed and consulted on the team’s activities;
Escalate material failures, concerns or themes to leadership;
Provide people management, development and oversight of a small team;
Support / deliver ad hoc, daily, monthly, quarterly reporting obligations;
You will also take an active role in wider team activities, such as supporting delivery of key strategic projects, communications, process improvement, knowledge sharing, social activities etc.
Knowledge and Skills
Strong knowledge of information security controls and ISMS standards such as ISO 27001 and ISO 27002 (both the 2013 and 2022 versions), Cyber Essentials and Cyber Essentials Plus, and the Center for Internet Security (CIS) Controls;
Experience with the development and management of an ISMS (implementation and auditing process);
Detailed understanding of risk management, including risk assessment and risk treatment methodologies, and their implementation and operation in line with recognised standards (ISO 27005, IRAM2, OCTAVE, etc.);
Ability to manage your own and your team's time, balancing working effectively and efficiently on your own with contributing as part of a wider team, prioritising work and recognising when to escalate to management;
Strong attention to detail and the ability to question the accuracy of information;
Enjoyment of helping people solve problems and a customer-service outlook, working with business teams to achieve positive outcomes; and
Strong communication skills to assist, inform, and build relationships with stakeholders in both the business and support teams, to enable effective information security activities and processes aligned to the firm’s security strategy.
Nice to have:
An audit certification is desirable but not essential, e.g. ISO/IEC 27001 Lead Implementer / Lead Auditor, Certified Information Systems Auditor (CISA);
An inquisitive nature and intuition regarding what questions to ask, when to ask them, and their relative significance, together with a desire to learn;
An effective communicator, able to write succinctly and present to achieve positive outcomes;
An interest in PwC's business model, service offerings and business operating environment as they pertain to the firm's threat landscape; and
Google Workspace experience.
Manchester, Belfast or London based, with flexible working (60/40 split between office and remote).