Job Summary
We’re looking for an experienced Information Security Manager with a strong background in Governance, Risk, and Compliance (GRC). This pivotal role oversees all GRC requirements, defining and managing the organisation’s information security strategy, policies, and procedures to ensure asset confidentiality, integrity, and availability. A key aspect of this role involves expertise in data protection and regulatory compliance across the UK and EU markets. A firm grasp of IT technical knowledge is vital for adequate risk understanding, assessment, and remediation. You will manage risk, drive compliance, and cultivate a robust security-aware culture
Main Responsibilities
* Policy Development: Develop, review, and take ownership of comprehensive IT and security policies, standards, and procedures, ensuring alignment with organisational objectives and regulatory requirements. Lead the development, implementation, and ongoing maintenance of the Information Security Management System (ISMS) in accordance with ISO 27001 standards
* Data Protection Responsibility: Formulate a robust data protection strategy that aligns with UK GDPR, EU GDPR, and other relevant privacy regulations (e.g., ePrivacy Directive, NIS Directive, DORA, NIS2). Act as the primary point of contact for all data protection matters, ensuring ongoing compliance. Manage and report data breaches in compliance with regulatory requirements.
* Technical Risk Management: Lead the technical risk management process, assisting stakeholders across the group to conduct information security risk assessments (including DPIAs), develop and implement technical mitigation strategies, and manage the organisation’s information security risk register.
* Vulnerability Management & Technical Mitigation: Oversee the vulnerability Management program, penetration testing, and security assessments to identify vulnerabilities and recommend technical remediation strategies. Raise, prioritise, and follow up on vulnerabilities with stakeholders, escalating risks if they are not remediated.
* Security Operations & Incident Response: Oversee the technical implementation and operational effectiveness of security controls and technologies. Oversee the governance of information security incident processes, ensuring correct procedures are followed, leading security incident investigations, and cascading post-incident review results. Support operational resilience activities by acting as Incident Manager during the critical incident.
* Compliance & Audit Management: Establish, maintain, and assess compliance with internal security policies and industry standards (e.g., ISO/IEC 27001/2, PCI-DSS v4.0, NIST Cybersecurity Framework 2.0, and Cyber Essentials Plus). Lead and manage internal and external audits, actively assisting in obtaining and maintaining relevant certifications.
* Vendor & Third-Party Security: Assess, manage, and conduct due diligence on information security and data protection risks associated with third-party vendors. Review and negotiate Data Processing Agreements (DPAs) and security clauses, leveraging DPIAs to assess personal data processing posture and provide stakeholder recommendations.
* Awareness & Training: Develop and deliver ongoing information security and data protection awareness training, including regular phishing simulations, to foster a security-conscious culture.
* Stakeholder Engagement: Collaborate across departments (Legal, Service Delivery, HR) to embed security principles, translate technical risks into business-friendly advice, and liaise with regulatory bodies (e.g., ICO, DPA equivalents in EU) as required.
Essential Criteria
* Proven experience (typically 3+ years) in information security, specialising in Cyber Security Governance, Risk, and Compliance (GRC) for managing risks, controls, and compliance activities.
* Ability to translate complex technical risks into clear business impact for non-technical stakeholders
* Strong understanding of cyber threats, insider risk, security principles and network security and impact assessment to identify and prioritise risks across diverse IT environments.
* Experience with leading vulnerability scanning tools (e.g., Nessus, Qualys, Tenable.io, Rapid7 InsightVM) and interpreting scan results to drive remediation.
* Proven ability to coordinate and manage penetration testing engagements (web, network, mobile, cloud) and security assessments.
* Strong technical understanding of common vulnerabilities (e.g., OWASP Top 10, CVEs) and attack vectors.
* Understanding enterprise network security technologies: Firewalls (Palo Alto, Cisco ASA, Fortinet), IDS/IPS, VPNs, proxies, DLP, CASB and network segmentation architectures
* In-depth knowledge and practical experience of UK DPA / EU GDPR.
* Demonstrable experience with Information Security Management Systems (ISMS)
* Solid understanding of compliance frameworks like ISO 27001/27002, NIST Cybersecurity Framework 2.0, and PCI DSS v4.0
Competencies & Skills
* Knowledge in developing and implementing technical remediation plans, including patch management, secure configuration baselines, and security hardening techniques for operating systems, databases, network devices and applications
* Knowledge of cloud platforms (e.g. AWS, Azure), endpoint protection, IAM, and SIEM/logging tools.
* Experience with Microsoft Azure Security tools (Purview).
* Experience in the Transport industry sector.
* Certification highly preferred, CISSP, CISM, CDPO, and ISO 27001 or other relevant certificates
Hours of work
38 hours per week, Monday to Friday but must be flexible to work over and above these hours if deemed necessary
The Equality Act
ComfortDelGro is an equal opportunity employer and all qualified applicants will receive consideration for employment with due regard to legal obligations for protected characteristics i.e. age, disability, marriage and civil partnership, gender reassignment, pregnancy and maternity, race, religion and belief, sex and sexual orientation
Salary
Competitive
How to apply
Please email your CV and a cover letter to: vacancies@metroline.co.uk
Applications should include:
* The reasons you are applying for the post
* Why you believe you are a suitable candidate
* Any relevant qualifications or experience