Job Description
The Role: The Compliance Manager is accountable for the design, operation, and continuous improvement of the organisation's Information Security Management System (ISMS) and its associated certification programme. This role is not a technical security engineering position. Instead, it demands a highly organised, process-oriented compliance professional who can orchestrate cross-functional teams, manage external auditors, close control gaps, and ensure that the control environment remains audit-ready at all times. The Compliance Manager serves as the primary interface between the organisation's day-to-day operations and its ISO 27001 certification obligations.
Major Areas of Responsibility:
- ISMS Program Ownership
- Own, maintain, and continuously improve the ISO 27001-aligned Information Security Management System (ISMS), including its scope, Statement of Applicability (SoA), risk treatment plan, and all supporting documentation.
- Serve as the internal subject-matter authority for ISO/IEC 27001 standard requirements and, where applicable, supplementary standards (ISO 27002, 27005, 27017, 27018, SOC 2 overlap).
- Maintain the organisation's certification roadmap and annual audit calendar, coordinating with the external certification body and any internal audit function.
- Ensure the ISMS programme remains aligned with organisational strategy, evolving business requirements, regulatory changes, and threat landscape shifts.
- Control Framework Management
- Maintain a complete, current, and authoritative ISO 27001 control framework, mapping Annex A controls (and relevant supplementary controls) to business processes, asset owners, and accountable teams.
- Conduct and manage periodic control effectiveness assessments to verify that controls are designed adequately and are operating as intended.
- Drive gap remediation: identify control deficiencies, assign remediation owners, set target dates, track progress to closure, and escalate where timelines are at risk.
- Ensure evidence artefacts (policies, procedures, records, logs, test results) are complete, current, well-organised, and retained in accordance with the ISMS evidence management framework.
- Manage the policy and procedure lifecycle (drafting, review, approval, version control, and annual attestation) in collaboration with policy owners.
- Audit Management & Readiness
- Scope, plan, and manage both internal and external ISO 27001 audits (Stage 1, Stage 2 certification, and annual surveillance/recertification audits).
- Serve as the primary liaison with the external certification body: coordinate logistics, manage the audit schedule, prepare opening and closing meetings, and facilitate auditor access to systems, evidence, and personnel.
- Proactively assess control adequacy before external audits.
- Manage all audit findings (minor nonconformities, major nonconformities, and observations): ensure timely root cause analysis, corrective action plans, evidence of closure, and follow-up verification.
- Maintain a perpetual audit-readiness posture, ensuring the organisation can demonstrate an effective ISMS at any point during the certification cycle, not only at audit time.
- Risk Management Integration
- Facilitate the information security risk assessment and risk treatment process, working with technical and business stakeholders to identify, evaluate, and treat information security risks.
- Maintain the risk register and risk treatment plan, tracking risk acceptance decisions, treatment progress, and residual risk posture.
- Ensure risk assessment outputs are reflected in the SoA and control framework, and that significant residual risks are escalated appropriately to leadership.
- Cross-Functional Stakeholder Engagement
- Identify and engage the correct accountable owners across product, engineering, infrastructure, IT, legal, HR, and business operations to obtain evidence, close gaps, and ensure control sustainability.
- Facilitate Management Review meetings as required by the standard, preparing agenda materials, risk summaries, audit result summaries, and improvement recommendations.
- Develop and maintain a stakeholder engagement model that clarifies each team's ISMS responsibilities without requiring them to become compliance specialists.
- Act as a trusted advisor to leadership on the organisation's compliance posture, certification status, and material risks.
- Support teams as they address questions regarding information security management, including responses to customer security questionnaires.
- Manage and support incident response efforts, including containment, investigation, and recovery.
- Compliance Programme Governance
- Maintain a compliance calendar covering ISMS obligations: control reviews, policy attestations, risk assessments, internal audits, and external audit milestones.
- Produce regular compliance status reports and management dashboards that accurately reflect the state of the control environment, open gaps, and remediation progress.
- Contribute to supplier assurance activities by assessing third-party compliance requirements relevant to the ISMS scope.
Key Stakeholders:
Success in this role depends on building relationships and working directly with the following stakeholders:
- VP of Information Technology and Data
- Group Privacy and Information Security Officer
- Group Governance, Risk, and Compliance
- SVP of Product
- SVP of Engineering
- Engineering Management
- Legal and Compliance
Knowledge and Experience - Required:
- Bachelor's degree in Information Security, Computer Science, Business Administration, or a related field; or equivalent professional experience.
- 5+ years of experience in information security compliance, GRC (Governance, Risk, and Compliance), or audit management roles.
- Demonstrated, hands-on experience managing an ISO 27001 ISMS through at least one full certification or recertification audit cycle, including scoping, internal audits, external audit management, and nonconformity remediation.
- Proven ability to manage cross-functional stakeholders without direct authority-influencing product, engineering, HR, legal, and operations teams to meet compliance obligations.
- Experience maintaining control frameworks, risk registers, and ISMS documentation libraries.
- Track record of writing and managing information security policies and procedures.
Knowledge and Experience - Desired:
- Deep knowledge of the ISO/IEC 27001:2022 standard, Annex A controls, and supporting guidance in ISO/IEC 27002:2022.
- Strong understanding of information security risk assessment methodologies.
- Ability to read, interpret, and apply compliance and audit requirements without needing to be a hands-on technical security practitioner.
- Excellent written and verbal communication skills; able to translate complex compliance requirements into clear, actionable guidance for non-security audiences.
- Strong project and programme management skills: ability to manage multiple workstreams, deadlines, and stakeholders simultaneously.
- CISM (Certified Information Security Manager) or CRISC (Certified in Risk and Information Systems Control).
- Working knowledge of complementary frameworks such as SOC 2 (Type I/II), NIST CSF, CIS Controls, GDPR, or CCPA, particularly where they overlap with or supplement the ISO 27001 control environment.
- Prior experience in a regulated industry (financial services, healthcare, or public sector) where certification drives contractual or regulatory obligations.
Travel:
- Travel is expected as part of the job function, including potentially significant periods of travel related to the coordination of audit readiness and execution. Overall travel is not to exceed 50% of time.