[Hiring] Information Security Governance, Risk & Compliance Manager @SLR Consulting

Role Description

We are seeking an Information Security GRC Manager to manage and mature the organisation’s information security governance, risk management, and compliance capability. Reporting to the Security Director, this role will act as a core second-line security function, providing oversight, assurance, and pragmatic guidance across the business.

This is a hands-on managerial role, balancing:

• Framework ownership
• Risk analysis
• Third-party risk management
• Audit coordination
• Information security awareness
• Stakeholder engagement

The Information Security GRC Manager will report to the Director of Cybersecurity and work closely with IT, Legal, Compliance, and other business functions to ensure information security requirements are embedded into day-to-day operations, proportionate to risk, and aligned with business priorities, regulatory obligations, and client expectations.

Qualifications

• 6+ years’ experience in information security governance, risk, or compliance roles.
• Demonstrated ability to work collaboratively with business and IT teams, providing pragmatic, risk-based security guidance aligned with organisational priorities.
• Strong written and verbal communication skills, with experience engaging both technical and non-technical stakeholders.
• Strong working knowledge of ISO 27001, SOC 2, Cyber Essentials Plus and security risk management practices.
• Experience working with multiple stakeholders across IT, Legal, Compliance, and business functions in complex or regulated environments.
• Experience managing information security audits, certifications, and assurance activities.

Requirements

• Maintain and evolve the organisation’s information security governance framework in line with Cyber Essentials, ISO 27001, the NIST Cybersecurity Framework, and other recognised standards.
• Own and manage the information security policy and standards suite, ensuring policies and standards are current, risk-based, and consistently applied.
• Support the definition of information security roles, responsibilities, and information security related decision-making processes across the organisation.
• Ensure information security governance is integrated into enterprise processes, including technology delivery, data management, M&A activities, procurement, and HR.
• Own and operate the cyber and information security risk management framework, including risk identification, assessment, treatment, and reporting.
• Maintain the information security risk register and track remediation activities to closure.
• Conduct and oversee information security risk assessments for new systems, projects, and business initiatives.
• Provide clear, proportionate information security risk advice to business and technology stakeholders.
• Manage compliance activities against ISO 27001, SOC 2, Cyber Essentials Plus, and other relevant frameworks and regulations.
• Coordinate internal and external audits, certifications, client security questionnaires and assessments.
• Work closely with Legal and Compliance teams to ensure information security controls support regulatory and contractual obligations.
• Track regulatory and standards developments and assess their impact on the organisation.
• Manage the third-party information security risk management process, including supplier due diligence and ongoing assurance.
• Support procurement and vendor management teams with information security requirements and risk assessments.
• Ensure appropriate information security oversight of critical suppliers, partners, and service providers.
• Support information security due diligence activities for mergers, acquisitions.
• Assist with the assessment of information security risks associated with acquisitions.
• Support the onboarding of acquired entities into group information security governance and compliance frameworks.
• Support the improvement and delivery of information security awareness and training activities across the organisation.
• Act as a trusted point of contact for information security governance, risk, and compliance matters.
• Promote a consistent, risk-aware, and pragmatic security culture.
• Develop, maintain, and report meaningful information and cyber security metrics and key risk indicators (KRIs) to the Director of Cybersecurity and senior stakeholders.
• Contribute to maturity assessments and track progress against agreed improvement plans.
• Support control testing, assurance activities, and continuous improvement initiatives.

Benefits

• Clear, effective information security governance and policy framework in place and adopted.
• Improved visibility and management of cyber and information security risks.
• Successful audit and certification outcomes with reduced findings over time.
• Timely and effective management of third-party, M&A and business change related security risks.
• Positive stakeholder feedback on the quality and practicality of Information Security GRC support.

Company Description

We are a global environmental and ESG consultancy operating in over 130 countries, supporting clients to manage environmental, climate, and sustainability risk. As the organisation continues to grow through organic expansion and acquisitions, maintaining strong information security governance, compliance, and effective risk oversight is essential to safeguarding data, maintaining client trust, and enabling sustainable growth.