Information Assurance Lead

Job Title: Information Assurance Lead
Contract Type: Contract
Location: Scotland
Salary: £350 - £400 per day + Outside IR35
Start Date: July 2021
Reference: BBBH27385_1624883689
Contact Name: Zoe Latuszka
Contact Email:
Job Published: June 28, 2021 13:34

Job Description

Information Assurance Lead
6 Months
£400 per day. Outside IR35
Remote for foreseeable. When the risk of COVID infection is eliminated or much reduced, many of the team's activities will take place at our offices in Edinburgh.

An experienced Information Assurance Lead is required to support Registers of Scotland's Risk and Information Governance function in the improvement of its Information Security Management System (ISMS) and the development of its broader assurance offering. The role is required to respond to our development needs around information security governance, policy, practice and culture, responding to the outcomes of audit and other assurance findings, and moving our existing ISO27k-aligned ISMS to a position of 'certification readiness'. The postholder will lead the identification, analysis, prioritisation and control implementation of our non-technical security risks, working closely with our established governance groups and colleagues across RoS engaged in the wider information security and assurance agenda.
The Risk and Information Governance Service sits within the Corporate Services Directorate and provides risk, compliance and assurance services across our organisation. We are building an increasingly mature information security risk management capability, facilitated in collaboration across our established IT Security and Identity Team, our Risk and Information Governance Team, and wider teams and stakeholder groups engaged in the security agenda (for example our People and Estates functions). Our established governance groups will be a principal client for the postholder's work, working in consultation with the Head of Risk and Information Governance, the Head of Digital, and the IT Security and Identity Team Lead. The postholder will work with existing team members and subject matter experts across these areas of responsibility and more widely, to achieve the desired outcomes.
Our organisational objective is to achieve confidence in the effective operation of our ISMS, such that ISO27001 certification at a future point is achievable. You will play a lead role in achieving this, facilitating, influencing and coordinating across our stakeholders. You will add value to our existing practice, identify non-technical security management solutions, and support their delivery.
During the six to twelve months of this contract, completion of the following items of work and objectives is required:

  • Author for approval a number of non-technical information security policies and standards
  • Facilitate security risk assessment exercises with business stakeholders
  • Record, assess and prioritise identified security risks
  • Work in partnership to produce and deliver against risk treatment plans
  • Monitor and report on risks and control implementation
  • Coach, mentor and transfer knowledge to stakeholders at both decision-making and practitioner levels
  • Design and implement a security incident management and reporting process
  • Develop a security awareness and exercising programme to meet the organisation's needs
  • Develop an Audit Plan for our information security management system
  • Coordinate and assist in the implementation of our ISMS Audit Plan
  • Coordinate and assist in the internal audit of our ISMS

You will also contribute and add value to:

  • The improvement and migration of our information security risk register
  • The improvement and migration of our information asset register
  • The improvement of our supplier due diligence processes
  • The development of our wider strategy for an enduring information assurance function

Essential skills
The successful candidate will have a strong understanding and background in non-technical information security and risk management, but the ability to effectively collaborate, orchestrate and deliver is essential.
  • Certified Information Systems Security Professional (CISSP) or equivalent
  • Certified ISO27001 ISMS Lead Implementer, Lead Auditor or equivalent

Significant and demonstrable experience in the following areas:

  • Risk management practice (identification, scoring, prioritisation, etc.)
  • Information assurance functions
  • Aligning security documentation to required recognised standards, including ISO27001
  • Leading organisations through significant security certification activities, such as ISO27001
  • Building security capability, training and awareness or security exercising programmes
  • Designing information security incident management procedures

Desirable Skills
  • Certified Lead Implementer Business Continuity Management Systems or equivalent
  • A sound background in all areas of Information Security, with an emphasis on:
    • Audit
    • Risk
    • Compliance and Assurance
    • Business and Process Analysis