Overview
We are seeking an experienced Information Security Officer to own and further develop the firm’s information security governance, risk and compliance framework. Building on an established ISO 27001‑certified environment, this role offers genuine scope to streamline, refine and enhance existing approaches, allowing you to put your own stamp on how information security operates within a modern law firm. Working closely with the wider IT team and Risk and Compliance, you will act as a trusted adviser to senior stakeholders, embedding practical, risk‑based security into day‑to‑day business activities.
Responsibilities
Governance & Policy
- Own and maintain the firm’s information security governance framework, ensuring it remains current, risk‑based and aligned to business strategy.
- Define, draft and maintain information security policies, standards and procedures, ensuring they are clear, proportionate and practical for a modern law firm.
- Ensure policies and standards are regularly reviewed, approved through appropriate governance, and effectively communicated across the firm.
- Provide authoritative guidance on information security matters, acting as a trusted adviser to senior stakeholders and the wider business.
- Embed security‑by‑design principles into business processes, projects and decision‑making.
Compliance & Assurance
- Own and operate the firm’s Information Security Management System (ISMS) in line with ISO 27001 / ISO 27002.
- Lead preparation for, and ongoing compliance with, ISO 27001 surveillance and re‑certification audits, driving continual improvement.
- Maintain oversight of Cyber Essentials Plus, ensuring readiness for annual assessments and ongoing compliance with requirements.
- Coordinate internal information security reviews and audits, ensuring findings are addressed and actions tracked to completion.
- Provide regular, concise management reporting on information security posture, risks and compliance status.
Client & Regulatory Assurance
- Act as the firm’s primary point of contact for client information security assurance activities, including questionnaires and audits.
- Provide clear, consistent evidence of the firm’s information security controls and governance arrangements.
- Support the business in meeting regulatory and contractual information security obligations, working closely with Risk and Compliance functions.
Risk Management
- Lead the identification, assessment and ongoing management of information security risks across the firm.
- Maintain oversight of the firm’s information security risk register, ensuring risks are clearly articulated, prioritised and owned.
- Work with IT, Risk & Compliance and business stakeholders to agree proportionate risk treatments aligned to the firm’s risk appetite.
Third‑Party & Supplier Assurance
- Define and maintain the firm’s approach to third‑party information security assurance.
- Support due diligence activities for new, existing suppliers and their solutions, assessing information security risk and alignment to firm standards.
- Act as product owner for the supplier management system, accountable for the system roadmap, configuration, and continuous improvement, and supporting the process owner in delivering a compliant and effective supplier management process.
Security Awareness & Culture
- Design and oversee the firm’s information security awareness and training programme, ensuring relevance for different roles and audiences.
- Promote a security‑conscious culture, encouraging shared responsibility for protecting information.
Experience
- Proven experience in an Information Security / GRC role, with responsibility for governance, risk management and compliance.
- Certified ISO Lead Implementer/Auditor with strong working knowledge of ISO 27001 and ISO 27002, including operating and improving an ISMS in a regulated or professional services environment.
- Experience supporting Cyber Essentials Plus or similar assurance frameworks.
- Good understanding of GDPR, data protection principles and the management of confidential, personal and sensitive information.
- Experience working with non‑technical stakeholders, translating security requirements into practical, business‑appropriate controls.
- Experience supporting internal audits, external assessments and client assurance activities.
Skills
- Strong influencing and stakeholder management skills, with the confidence to constructively challenge and drive change.
- Ability to take a risk‑based, pragmatic approach, balancing security, usability and business outcomes.
- Clear written and verbal communication skills, with the ability to produce high‑quality policies, reports and guidance.
- Logical, methodical approach with strong attention to detail.
- Excellent organisational skills and the ability to manage multiple priorities effectively.
Benefits
- Salary up to £57,000 per annum, depending on experience.
- Earn up to 10% of your salary with our annual bonus scheme.
- Minimum of 25 days annual leave plus Bank Holidays per year, increasing to 31 days with length of service, with the opportunity to buy up to 5 days holiday per year.
- Hybrid working with on average 40‑60% of your time spent in the office.
- Auto‑enrolment into the workplace pension scheme, and we’ll contribute a minimum of 6% of your salary.
- Four times your annual salary in the event of a death in service.
Type of Working
Hybrid
#J-18808-Ljbffr