Job Description
The OpportunityNational enterprise scale business is seeking a highly capable Governance, Risk & Compliance (GRC) Lead to drive the evolution of their security and risk landscape during a period of significant transformation and investment. This is a rare chance to step into a senior, influential position—shaping the GRC strategy, building capability, and ensuring regulatory excellence across a complex and high-profile environment.The RoleWorking as the Right-hand to the Head of Information Security, you will:Leadership & Ownership
* Lead the entire GRC portfolio and shape a function that is still maturing.
* Manage a small but growing team, across multiple sites
Governance & ISMS
* Own the ISMS and drive the organisation’s journey to ISO 27001 certification.
* Ensure ongoing Cyber Essentials and Cyber Essentials Plus compliance across the business.
* Develop, maintain and embed policies, processes and governance structures.
Risk Management
* Stand up and mature the IT risk management framework across the business.
* Produce risk registers, KRIs, governance packs and executive-ready reporting.
* Oversee and enhance third-party risk assurance.
Regulatory & Framework Compliance
* Support delivery of obligations under the Security & Resilience Bill and CAF.
* Provide guidance on NIS2 for international operations.
* Anticipate evolving regulatory requirements and prepare the organisation accordingly.
Incident Response Governance
* Lead scenario planning, readiness and policy work on the GRC side of incident response.
* Work closely with the Security Operations Lead, who owns technical response.
The PersonWith a strong background in GRC and ideally possessing an information security certification such as CISSP, CISM or CRISC, you will have:
* The ability to interpret and challenge technical controls
* Experience managing or maturing an ISMS and delivering ISO 27001 compliance.
* Solid IT risk management experience.
* Strong communication skills with senior stakeholders, including exec-level reporting.
Most importantly you will be:
* Practical, hands-on, comfortable shaping a function that is still developing.
* Able to influence, challenge and communicate with technical stakeholders.
* Detailed in documentation, audit readiness and governance reporting.
Exposure to public-sector aligned frameworks (CAF, NIS/NIS2), will be beneficial, though not essential.