Information Security Policy and Audit Manager

Job Description

Our purpose focuses on how we contribute to society, and how our business decisions can contribute to greater trust and solving important problems. In order to achieve our purpose and deliver a first-class service to our clients, we need first-class supportinternally. The people who power us - our internal teams - have a vital role to make sure we have all the right resources, services and technology to be the best we can be. Not all of us work directly with external clients.To really stand out and make us fitfor the future in a constantly changing world, each and every one of us at PwC needs to be a purpose-led and values-driven leader at every level. To help us achieve this we have the PwC Professional; our global leadership development framework. It gives usa single set of expectations across our lines, geographies and career paths, and provides transparency on the skills we need as individuals to be successful and progress in our careers, now and in the future. To assure our clients that we are committed to ensuring the safe and secure handling of their confidential information, PwC UK holds a number of security-related certifications, and maintains mature and robust frameworks aligned to these certifications. We have a vacancy within the UK Security Risk & Compliance team for an experienced manager to lead the Policy & Audit team and to oversee the UK firms existing ISO 27001 and Cyber Essentials (CE) certifications and support internal audit-related requirements. Reporting to the UK Head of Security Risk & Compliance, this is a key role with primary accountability for the design, implementation and continual improvement of the UK firms Information Security Management System (ISMS) and its underpinning processes. With one direct report, the main purpose of the Policy & Audit manager is to:

• Maintain and continuously improve existing security certifications within the teams remit, such as (but not limited to) ISO27001; Cyber Essentials (CE); Cyber Essentials Plus (CE+);
• Lead audit-related activities, in particular the ISO 27001 audits across the UK and British Channel Islands and the annual Cyber Essentials audits for the UK;
• Establish and maintain trusted relationships with relevant control owners and advise them on audit and compliance activities;
• Own key documents and communication to users associated with these certifications;
• Lead on and contribute towards policy creation and advise on policy related queries;
• Manage remediation of gaps and nonconformities identified within the ISMS and Cyber Essentials;
• Investigate discrepancies identified and obtain proposed remedial actions;
• Ensure leadership are kept informed and consulted on the teams activities;
• Escalate material failures, concerns or themes to leadership;
• Provide people management, development and oversight of a small team;
• Support / deliver ad hoc, daily, monthly, quarterly reporting obligations;
• You will also take an active role in wider team activities, such as supporting delivery of key strategic projects, communications, process improvement, knowledge sharing, social activities etc.

Knowledge and Skills

• Strong knowledge of information security controls and ISMS standards such as ISO 27001/2:(2013 & 2022 versions), Cyber Essentials and Cyber Essentials Plus, and Center for Internet Security (CIS);
• Experience with the development and management of an ISMS (implementation and auditing process);
• Detailed understanding of risk management including Risk Assessment and Treatment methodologies, implementation and operation according to the best market standards (ISO 27005, IRAM2, OCTAVE, etc.);
• Be able to manage yours and your teams time, balancing working effectively and efficiently on your own, and contributing as part of a wider team - prioritising and recognising when to escalate to management;
• Strong attention to detail and the ability to question the accuracy of information;
• To enjoy helping people with problem solving, customer service outlook - working with business teams to achieve positive outcome; and
• Strong communication skills to assist, inform, and build relationships with stakeholders in both the business and support teams, to enable effective information security activities and processes aligned to the firms security strategy.

Nice to have:

• Audit certification is desirable but not essential e.g. ISO/IEC 27001 Lead Implementer / Lead Auditor, Certified Information Security Auditor (CISA);
• Inquisitive nature and intuition regarding what questions to ask, when, and their relative significance - a desire and enjoyment to learn;
• An effective communicator, able to write succinctly and present to achieve positive outcomes;
• An interest of PwCs business model, service offerings, and business operating environment as it pertains to the firms threat landscape; and
• Google Workspace experience.

Manchester / Belfast / London based, with flexible working (60/40 split between office and remote)