The opportunity
As an Information Security GRC (Governance, Risk & Compliance) Analyst, you will play a pivotal role in strengthening and maturing the organization’s security and compliance framework. This role involves ownership of governance, risk management, and compliance processes, providing subject matter expertise across frameworks such as ISO 27001, NIST CSF, Cyber Essentials, and regulatory requirements. You will partner with stakeholders across the business, lead compliance initiatives, and drive continuous improvement of the security posture through automation, tooling, and risk-based decision-making.
This is a permanent, hybrid role, based in our Swindon office, with the requirement to be in the office 3 days a week.
The benefits:
1. Salary - £60,000
2. Bonus scheme - on target bonus 10%
3. Pension scheme - contribute up to 5% of your salary and Openwork will match you and put in an extra 5%
4. Critical illness cover
5. Income protection - 1x salary
6. Death in service - 4x salary
7. 27 days holiday + bank holidays, with the opportunity to buy up to an additional 10 days
8. A range of other flexible benefits to include private medical insurance, dental insurance and much more.
Key Accountabilities:
9. Maintain and continually improve the Information Security Management System (ISMS) using Vanta ISMS and other GRC tools for evidence collection, automation, and reporting.
10. Act as SME for ISO 27001, Cyber Essentials, NIST CSF, CIS Controls, and other frameworks, ensuring alignment and certification readiness.
11. Lead enterprise-wide risk assessments and risk treatment planning, ensuring remediation is prioritized and tracked effectively.
12. Develop, review, and enhance security policies, procedures, and standards, ensuring they are business-aligned and enforced.
13. Oversee regulatory compliance activities (GDPR, FCA, DPA, etc.), ensuring obligations are mapped, tracked, and reported to stakeholders.
14. Manage supplier and third-party risk processes, including due diligence assessments, security questionnaires, and ongoing assurance reviews.
15. Coordinate responses to customer security due diligence requests and RFPs, providing assurance of the organization’s security practices.
16. Support incident response planning, including developing playbooks, running tabletop exercises, and post-incident reviews.
17. Conduct control testing and assurance reviews, escalating gaps and overseeing remediation.
18. Prepare detailed management reports, dashboards, and metrics for senior leadership, risk committees, and audit committees.
19. Work closely with internal/external auditors and regulators, leading audit preparation, evidence collation, and corrective action planning.
What will you need to succeed?
20. Degree in Information Security, Computer Science, or related discipline.
21. Certifications such as ISO 27001 Lead Implementer/Lead Auditor, CISM, CRISC, CISSP, or equivalent.
22. Previous experience in financial services, legal, technology, or other highly regulated environments.
23. Hands-on experience using Vanta ISMS or equivalent ISMS/GRC platforms (e.g., Drata, OneTrust, Archer, ServiceNow GRC).
24. Strong knowledge of ISO 27001 (implementation, maintenance, audit readiness) and experience with certification programs.
25. Deep familiarity with security frameworks (NIST CSF, Cyber Essentials, CIS Controls, PCI DSS, SOC 2, COBIT).
26. Proven experience managing regulatory compliance programs (GDPR, FCA, DPA, HIPAA, etc.).
27. Advanced risk management expertise: threat identification, assessment methodologies, risk registers, and treatment plans.
28. Experience leading internal and external audits, including preparation, evidence collection, and remediation tracking.
29. Solid understanding of IT infrastructure, cloud platforms, and security technologies (e.g., identity & access management, endpoint protection, SIEM, firewalls, vulnerability management, patching, and encryption) to provide credible assurance on control design and testing effectiveness.
30. Policy governance: drafting, reviewing, and maintaining information security policies and standards.
31. Data governance and privacy knowledge, including data classification, retention, and handling.
32. Incident response planning and support, including evidence capture and lessons learned.
33. Familiarity with security tooling integration into compliance platforms (e.g., Vanta integrations with endpoint, cloud, and identity providers)
Why us?
We're a dynamic, fast paced, and growing business with huge ambition. This is all made possible by the brilliant people who are part of The Openwork Partnership family. We're investing heavily in our colleagues, continuously striving to give them the platform to develop personally and professionally and reach their full potential.
We’re also very proud of our culture, as one of the Best 100 Large Companies to work for in 2022. The Openwork Partnership values, and respects individuality and we are committed to building an inclusive culture and environment which truly recognises and celebrates our colleague’s individual differences and identities – just like our financial advice, for us, it’s personal. We believe everyone can make a difference and your race, religion, disability, and gender will never be a barrier. At Openwork, we have a strong ethic of care for each other where you can balance a successful career with your commitments and interests outside of work. We believe that you will bring your best self to work if you are trusted to choose when, where and how you do it.