Freshfields Bruckhaus Deringer

Information Security Auditor

Information Technology
Less than 5 years of experience
Job Overview by Ladders

Qualifications

  • 5-7 years of IT/security auditing or third-party risk management experience.
  • In-depth knowledge of ISO 27001 and ISO 22301 standards.
  • Relevant auditing certifications such as Lead ISO27001 auditor or equivalent.
  • Familiarity with technology in corporate and legal sectors.
  • Strong stakeholder influencing skills and ability to simplify technical information.
  • Knowledge of DORA, NIS2, UK GDPR, EU AI Act, and cyber security legislation.

Responsibilities

  • Conduct security assessments for new and existing suppliers.
  • Assess AI and emerging technology security risks.
  • Implement ongoing third-party monitoring.
  • Oversee automated risk monitoring tools like BitSight.
  • Update and enhance ISG's vendor policies and processes.
  • Develop risk mitigation strategies based on supplier audits.
  • Produce KPI dashboards for management oversight.

Benefits

  • Opportunity to work in a specialized independent security group.
  • Engagement with cutting-edge technologies, including AI and ML.
  • Collaborative work environment across diverse global jurisdictions.
  • Professional growth opportunities within the legal and corporate sectors.
  • Access to resources and support from the firm's extensive global network.

Full Job Description

Department and Location Overview

Formed in 2014, the Information Security Group (ISG) focuses on delivering operational and strategic information/cyber security and business continuity. The group is independent of IT. Operationally, the Information Security Committee and the Conduct and Risk Committee oversee the group. The Chief Global Information Security Officer reports to the General Counsel and Global Risk Partner.

The ISG department is based mainly in the firm’s London and Manchester offices.

The Freshfields Global Centre in Manchester provides both business and legal services to the firm. Our services are delivered in a way that supports the global nature of our firm and our clients, and that enables our fee earners to deliver exceptional service to our clients efficiently and effectively.

Role summary / purpose of job

The primary focus of this role is to assess the security of new and current suppliers and audit the security and business continuity controls applied to core areas of the firm’s operation. This is a vital role in improving the firm’s compliance position during a period of heightened technological change.

Key responsibilities and deliverables

  • Perform information security assessments on new and current suppliers.
  • Carry out specific Artificial Intelligence (AI) and emerging technology risk assessments. Evaluate security risks introduced by AI/ML tools, LLM deployments, and automation used by suppliers internally.
  • Manage continuous third-party monitoring.
  • Monitor automated risk monitoring platforms (BitSight and SecurityScorecard).
  • Review and update ISG vendor and audit related policies and processes.
  • Design risk mitigation measures in response to information security findings arising from supplier assurance activity.
  • Support assurance and review activity following incidents or investigations, including control assessment, root cause analysis, risk identification, and lessons learned.
  • Metrics and governance reporting. Produce regular KPI dashboards for management reporting.

Key requirements

  • IT/information security auditing experience and/or running third party risk management processes.
  • Detailed understanding of ISO 27001 / ISO 22301.
  • Relevant auditing qualifications (Lead ISO 27001 auditor, Internal ISO 27001 auditor, or equivalent alternative auditing qualifications).
  • Working knowledge of technology, software and approaches utilised in the corporate and legal industry.
  • Ability to work autonomously, effectively prioritise and manage large and varied workloads, adapting action plans accordingly.
  • Experience of influencing stakeholders across departments and translating complex technical requirements into clear practical actions.
  • Working knowledge of DORA, NIS2, UK GDPR, EU AI Act, and the UK Cyber Security & Resilience Bill.

Desirable

  • CISM.
  • CISSP.
  • Knowledge of cloud services (SaaS, PaaS and IaaS).
  • Knowledge of containers and virtualisation.
  • Understanding of global cyber security and privacy laws and their application to both internal and external data subjects.
  • Previous legal sector experience.

Behaviours required to perform the role

  • An excellent communicator and multi-tasker with exceptional organisational abilities.
  • Ability to engage across diverse global jurisdictions, aligned with the firm's stated diversity values.
  • Ability to influence and collaborate with colleagues across teams.
  • Comfortable interpreting security metrics and presenting risk posture to senior leadership and governance committees. Ability to combine a good eye for detail with big picture corporate considerations.
  • Detailed, focused and pragmatic.
  • Motivated and initiative-taking, with an eagerness to learn and develop.

For individuals assigned and/or hired to work in New York and California or reporting to someone in those states, Freshfields is required by law to include a reasonable estimate of the compensation range for this role. This compensation range is specific to the States of New York and California and takes into account the wide range of factors that are considered in making compensation decisions including but not limited to skill sets; experience and training; licensure and certifications; and other business and organizational needs. The disclosed range estimate has not been adjusted for the applicable geographic differential associated with the location at which the position may be filled, and compensation decisions are dependent on the facts and circumstances of each case. A reasonable estimate of the current range is $42/hour.

About Freshfields Bruckhaus Deringer

Freshfields Bruckhaus Deringer LLP is a multinational law firm headquartered in London. It is one of the largest and most prestigious law firms in the world, with over 5,000 employees and 28 offices in 17 countries. The firm provides legal advice and representation to clients in a wide range of industries, including energy, financial services, healthcare, real estate, and technology. Freshfields Bruckhaus Deringer is known for its expertise in cross-border transactions and complex disputes, and has been involved in some of the most high-profile legal cases in recent history.