
Information Security Governance, Risk & Compliance (SGRC) Manager
Job Description
About the Company
We are a global environmental and ESG consultancy operating in over 130 countries, supporting clients to manage environmental, climate, and sustainability risk. As the organisation continues to grow through organic expansion and acquisitions, maintaining strong information security governance, compliance, and effective risk oversight is essential to safeguarding data, maintaining client trust, and enabling sustainable growth.
The Opportunity
We are seeking an Information Security GRC Manager to manage and mature the organisation’s information security governance, risk management, and compliance capability. Reporting to the Security Director, this role will act as a core second-line security function, providing oversight, assurance, and pragmatic guidance across the business.
This is a hands-on managerial role, balancing framework ownership, risk analysis, third-party risk management, audit coordination, information security awareness and stakeholder engagement. The Information Security GRC Manager will report to the Director of Cybersecurity and work closely with IT, Legal, Compliance, and other business functions to ensure information security requirements are embedded into day-to-day operations, proportionate to risk, and aligned with business priorities, regulatory obligations, and client expectations.
Key Responsibilities
Information Security Governance & Policy Management
Maintain and evolve the organisation’s information security governance framework in line with Cyber Essentials, ISO 27001, the NIST Cybersecurity Framework, and other recognised standards.
Own and manage the information security policy and standards suite, ensuring policies and standards are current, risk-based, and consistently applied.
Support the definition of information security roles, responsibilities, and information security related decision-making processes across the organisation.
Ensure information security governance is integrated into enterprise processes, including technology delivery, data management, M&A activities, procurement, and HR.
Risk Management
Own and operate the cyber and information security risk management framework, including risk identification, assessment, treatment, and reporting.
Maintain the information security risk register and track remediation activities to closure.
Conduct and oversee information security risk assessments for new systems, projects, and business initiatives.
Provide clear, proportionate information security risk advice to business and technology stakeholders.
Compliance, Audit & Assurance
Manage compliance activities against ISO 27001, SOC 2, Cyber Essentials Plus, and other relevant frameworks and regulations.
Coordinate internal and external audits, certifications, client security questionnaires and assessments.
Work closely with Legal and Compliance teams to ensure information security controls support regulatory and contractual obligations.
Track regulatory and standards developments and assess their impact on the organisation.
Third-Party & Supply Chain Security
Manage the third-party information security risk management process, including supplier due diligence and ongoing assurance.
Support procurement and vendor management teams with information security requirements and risk assessments.
Ensure appropriate information security oversight of critical suppliers, partners, and service providers.
M&A and Business Change Support
Support information security due diligence activities for mergers and acquisitions.
Assist with the assessment of information security risks associated with acquisitions.
Support the onboarding of acquired entities into group information security governance and compliance frameworks.
Awareness & Stakeholder Engagement
Support the improvement and delivery of information security awareness and training activities across the organisation.
Act as a trusted point of contact for information security governance, risk, and compliance matters.
Promote a consistent, risk-aware, and pragmatic security culture.
Metrics, Reporting & Continuous Improvement
Develop, maintain, and report meaningful information and cyber security metrics and key risk indicators (KRIs) to the Director of Cybersecurity and senior stakeholders.
Contribute to maturity assessments and track progress against agreed improvement plans.
Support control testing, assurance activities, and continuous improvement initiatives.
Candidate Profile
Essential
6+ years’ experience in information security governance, risk, or compliance roles.
Demonstrated ability to work collaboratively with business and IT teams, providing pragmatic, risk-based security guidance aligned with organisational priorities.
Strong written and verbal communication skills, with experience engaging both technical and non-technical stakeholders.
Strong working knowledge of ISO 27001, SOC 2, Cyber Essentials Plus and security risk management practices.
Experience working with multiple stakeholders across IT, Legal, Compliance, and business functions in complex or regulated environments.
Experience managing information security audits, certifications, and assurance activities.
Desirable
Experience in consultancy, professional services, or regulated sectors.
Exposure to third-party risk management and supplier assurance.
Experience supporting M&A security due diligence or business integration.
Relevant certifications such as CISA, CRISC, CISSP, or ISO 27001 Lead Implementer/Auditor.
Success Measures
Clear, effective information security governance and policy framework in place and adopted.
Improved visibility and management of cyber and information security risks.
Successful audit and certification outcomes with reduced findings over time.
Timely and effective management of third-party, M&A and business change related security risks.
Positive stakeholder feedback on the quality and practicality of Information Security GRC support.
Why This Role Matters
The Security GRC Manager plays a critical role in ensuring information security is assured, measurable, and trusted, supporting the organisation’s mission and global growth. Through strong oversight and practical risk management, the role enables the business to operate securely while meeting client, regulatory, and stakeholder expectations.