Information Security Analyst

We are now seeking an experienced Information Security Analyst to work with our leading Facilities Management / Public Sector client.

The Information Security Analyst will support the wider IT team with the design, implementation and ongoing operation of systems and services that protect our client's and their customers' data, ensuring compliance with our legal, regulatory and contractual obligations. This will involve an appropriate combination of technical, physical and procedural controls together with stakeholder engagement.

This role spans both 'Design and Consultancy' and 'Operational' services, and therefore involves working with and influencing staff at all levels within operational teams, producing a variety of verbal and written outputs, and conducting audits both internally and of subcontractors and suppliers.

Initially, this role will be an integral part of the new contract mobilisation team, embedding our client's data security framework and delivering the relevant security accreditations and certifications, notably ISO 27001.

Upon completion of mobilisation, the role will become operationally focused, with responsibility for maintaining all aspects of the ISMS and supporting the security functions deployed across the client's solution.

Key responsibilities:

* Implement the IT Security Strategy and assurance activity. The company is a new business, and during mobilisation this role is integral to creating the information security framework by adapting and/or adopting shareholder methodologies, processes and solutions as appropriate, working closely with all shareholders.

* Embed a culture of IT and data security awareness and compliance across the business.

* Provide input to multidisciplinary operational teams, including IT/data security requirements definition, architectural design work, advice and guidance on security issues, risk assessment, guidance on residual risk and mitigation strategies, contract reviews, governance strategies, costing of security operations, written submissions and the drafting of policies.

* Advise on security factors such as HMG policy and good practice, assurance / evaluation requirements, technical requirements or constraints, selection of security technologies and controls, physical requirements or constraints, supporting personnel and / or procedural requirements.

* Undertake risk assessments using the customer's assessment methodologies, and produce supporting remediation and assurance plans.

* Implement the IT and data security management and assurance activities. Work with stakeholders across the business to maintain compliance with legal, regulatory and contract-specific security standards (including ISO 27001, RMADS and DART submissions, CyDR accreditation, the Data Protection Act and GDPR).

* Implement and continually improve IT and data security management processes across the business, including Security Risk Management, Security Incident Management and Security Service Delivery activities.

* Adopt a proactive approach to IT and data security management and security assurance coordination, ensuring smooth running of scheduled activities (penetration tests, security documentation review) and gaining the trust of key stakeholders (including customer representatives and accreditors).

* Engage with external audit and assurance providers, including IT Security Health Check suppliers, scoping test plans and helping stakeholders interpret the results of the tests and audits, as well as supporting the implementation of any remedial actions, where required.

* Maintain and update the Information Security Policy and related processes and procedures in line with ISO 27001 and Government policies. Develop the plans, processes and operational collateral needed to achieve and retain ISO 27001 certification.

* Undertake gap analyses against the ISO 27001 framework, report on areas of deficiency, and produce and implement remedial action plans.

* Manage security incident responses and conduct investigations to understand the source of security breaches, assess and contain damage, and devise measures to protect against future breaches.

Experience required:

The candidate should have a broad Information Security knowledge, ranging from understanding and reviewing security architectures through to risk assessment and certification. Excellent communications skills (written and oral) are essential, as is knowledge and experience of ISO 27001.

Ideally the candidate will have a recognised Information Security certification such as:

* Certified Information Security Manager (CISM)

* Certified Information Systems Security Professional (CISSP)

* Qualified ISO 27001 Lead Auditor and/or Lead Implementer

* Certificate in Information Security Management Principles (CISMP)

* Knowledge and understanding of multiple Information Security-related requirement sources and standards, for example:

* The Government Security Policy Framework (SPF), along with NCSC Security Guidance

* Familiarity with MOD DCPP, JSP440, and other related MOD Standards

* RMADS and DART submission process and CyDR accreditation

* ISO27001 (Information Security Management)

* Data Protection Act / GDPR

* BS 25999 / ISO22301 (Business Continuity Management)

* UK Government Cyber Essentials Scheme
EPC Resources
High Wycombe, United Kingdom