Information Risk Specialist

Qualifications 
•    You'll have 3/5 years of experience in a direct information security role specialising in governance, risk and compliance activities.

•    An MSc in Information Security or a CISSP, CISM, CISA.  Appropriate career experience is just as important though. Be prepared to tell us all about that experience.
•    We believe that we work better as a team, and hope you share that belief. You'll be working in a diverse group of people with a variety of skills and backgrounds, a high level of emotional intelligence will be assumed.
•    You'll need excellent communication skills, both verbal and written.  You should be confident in explaining security terms and principles to an audience who may not be familiar with the underlying concepts.  
•    You will assist in defining the ISMS and controls assurance environment creating the appropriate documentation/evidence to support external assessments
•    Working knowledge of ISO 27000 or NIST Cyber Security Framework would be great, but experience with other recognised standards will be acceptable.
•    You should have worked in an organisation certified to ISO 27001 or gained SOC2 certification.  You will have been part of this journey and understand the controls needed to achieve different certifications. 
•    A firm understanding of the security practices which should be adopted for different legal and regulatory requirements such as PCI-DSS, GDPR, or different regulatory bodies.
•    Have responsibility for conducting security assurance/assessment activities and able to demonstrate process improvements to enhance the maturity of security controls.  
•    Financial services experience would be ideal, but experience in organisations with a mature security environment would be preferable too e.g. large consultancy firms, telecoms, pharmaceuticals or critical infrastructure.
•    You will have a solid appreciation of the variety of technical controls available including endpoint security, identity and access management, network security controls (firewalls, VPN), intrusion detection and security event management/log analysis tools. You won't be expected to be hands-on with these tools, but you'll certainly need to be aware of how they fit within the control environment which you will help to design and operate.