Naukrijobs UK

Information Security Risk and Assurance Specialist

Job Location: Edinburgh
Education: Not Mentioned
Salary: £60,000 - £65,000 per annum
Industry: Not Mentioned
Functional Area: Not Mentioned
Job Type: Permanent, full-time

Job Description

Hybrid - Edinburgh or Glasgow
Salary - up to £65,000
Role - Information Security Risk and Assurance Specialist

Head Resourcing are delighted to be partnered with a global law firm in their search for an Information Security Risk and Assurance Specialist.

Location: Hybrid role, with one day per week required in the office in either Edinburgh or Glasgow.

The Role: The successful candidate will be part of the team that focuses on the management of risk and assurance for Information Security and IT.

You will work with stakeholders across the global business to develop and maintain the risk management and control frameworks, and to identify and measure the levels of associated Information Security and IT risks.

Key Responsibilities:

  • Ensure an in-depth knowledge and understanding of the Information Security and IT risk management requirements and practices.
  • Lead the development and maintenance of the risk management framework for Information Security and IT, in accordance with company policy and in line with the enterprise risk management framework. Periodically review and maintain the Information Security and IT risk management policies as appropriate.
  • Work closely and build relationships with stakeholders in Information Security, IT, the global Risk department and across the wider business, to encourage and develop the processes required for the determination of appropriate risk appetite, identification and assessment of risk, the implementation of appropriate mitigation strategies and ongoing management, in accordance with the risk management policy.
  • Develop and manage the Information Security and IT risk register, ensuring that all identified risks are clearly recorded together with assigned owners, measured inherent and residual risk levels, and details of compensating controls and/or mitigation strategies with their respective owners. Ensure that the recording and management of risk remains consistent and in accordance with the policy and underlying agreed standards/processes.
  • Ensure that all risks are periodically reviewed and re-assessed to determine whether the inherent/residual levels are still appropriate. For risks still not in appetite, determine the most likely scenarios that could lead to crystallization of the risk, and whether current mitigation strategies and/or controls would be optimal/effective.
  • Perform risk assessment activities as are appropriate for larger projects or for where there may be significant transformation or change within the business affecting Information Security or IT. Identify and assess on an ongoing basis, risks that could materially impact the ability for IT to deliver its commitments to the business, together with periodic reporting to the Senior Leadership Team, and the tracking of any mitigation actions required.
  • Provide education where required to develop the skills within Information Security, IT and other business areas to identify, assess, measure and record risks.
  • Stay abreast of developments in the risk management area and of cyber and information security trends as they relate to the legal industry, information management, technological standards, and emerging and current threats, employing appropriate horizon scanning.
  • Build and maintain relationships with the global Risk department to share best practice and to ensure that the risk management and control frameworks for Information Security and IT fully align with the enterprise risk management framework.
Required Knowledge, Skills, & Abilities:
  • Proven experience of working in an Information Security and IT Risk Management role within a fast-paced environment. Experience within the legal industry is ideal, but not essential.
  • Operational knowledge of risk management and international information security standards, practices, risk management and control frameworks, e.g. ISO31000, IRAM2, NIST 800-53 and cybersecurity framework, ISO27001/2, COBIT, ISF SOGP, CPS-234 etc.
  • Strong organisational skills and the ability to handle multiple conflicting priorities.
  • Able to work to very tight deadlines under pressure and to assimilate information quickly.
  • Strong interpersonal skills including confidence, positivity, diplomacy and the ability to gain credibility quickly.
  • Excellent verbal and written communication skills, with the ability to explain risk concepts and technical terms in a way that non-technical people would understand.
  • Demonstrates attention to detail with a high level of accuracy.
  • Positive and tenacious with the ability to pro-actively drive initiatives forward and motivate resources within and outside their team to perform.


© 2019 Naukrijobs All Rights Reserved