A leading London-based brand is looking for an experienced Information Security GRC Risk Manager to take ownership of their Information Security risk framework, driving a mature, risk-led culture across the organisation.
Reporting into the Head of Information Security GRC, this highly visible and autonomous role works closely with senior leadership to shape risk strategy, lead governance forums, and provide clear insight into risk exposure, controls, and remediation.
This role will play a key part in building and strengthening the GRC function, improving reporting (KPIs/KRIs), and embedding robust policy and risk management practices.
Key responsibilities
- Own and operate the Information Security risk management framework, ensuring alignment with enterprise risk management (ERM) practices
- Act as the central point of accountability for Information Security risk, driving consistent identification, assessment, and management of risks across the organisation
- Create and manage the risk artefacts required for managing information security risk (risk acceptance documents, risk management plans, issue logs, risk statements, etc.)
- Lead risk assessments and workshops, ensuring risks are clearly articulated, appropriately rated, and aligned to defined risk appetite
- Challenge, drive and validate risk positions and treatment plans, ensuring they are robust, proportionate, and business‑aligned
- Drive risk‑based decision‑making, including escalation of material risks to senior leadership and governance forums
- Prepare and document risk acceptance decisions, clearly articulating residual risk, and drive these through appropriate governance forums to obtain formal sign‑off
- Maintain and continuously enhance the information security risk register, ensuring accuracy, completeness, and actionable insight
- Identify and manage emerging risks, including those associated with AI/ML systems (bias, privacy, security, and model integrity)
Qualifications
- Strong expertise in identifying, assessing, and managing information security risks aligned to business risk appetite
- Proven ability to own risk processes, make informed decisions, and appropriately challenge or escalate risk positions
- Solid experience in security control assessment, testing, gap identification, and remediation tracking
- Good working knowledge of key frameworks and regulations (ISO 27005, NIST CSF/800‑53, GDPR, emerging AI standards)
- Effective communicator with the ability to influence senior stakeholders and translate technical risk into business impact
- Highly organised and methodical, delivering clear risk reporting (KPIs/KRIs), managing multiple priorities, and leveraging GRC tools
- Strong stakeholder and user-facing engagement experience
Salary between £80,000 and £90,000 plus benefits, flexible depending on experience.