Information Risk Assistant Manager
Title: Information Risk Assistant Manager (Grade D)
Business unit: Information Risk, Information Assurance
The role holder will be a key assistant manager in the internally facing Information Assurance team, supporting the information risk management & reporting aspects of Information Assurance. The role holder will be responsible for helping to implement the Information Risk Management framework within KPMG UK, including providing the status of information risk and compliance across the firm, managing risk reporting and supporting the ISMS methodology documents for the UK firm's ISO 27001 certification.
• Support the development and implementation of the firm's Information Risk Management framework, including the day-to-day processes and artefacts
• Assist with reviewing the output of the Information Risk Management framework implementation, operations, audit and compliance checks to ensure the framework is operating as designed
• Identify improvements to the Information Risk Management framework based on changes in requirements (e.g. KPMG global requirements, ISO 27001, Cyber Essentials, audit findings, information security strategy) and emerging challenges
• Monitor and review information security risks captured within Information Assurance, which may be populated from multiple information security risk sources (e.g. the Risk Assessment team), and help run the day-to-day operations of the Information Risk Register
• Provide support for the GRC tools, including coordination of any changes, and support the relationship with our providers (currently SureCloud and ServiceNow)
• Foster an environment that drives appropriate information risk control behaviour, including early anticipation, identification and mitigation of information risk, escalating issues as necessary
• Support the firm's mission to build client trust and confidence with regard to information security
• Stay abreast of industry best practice in relation to information security governance, risk & compliance
• Assist with coordinating the formal governance review required to support the firm's Information Security Management System
• Coordinate governance alignment with the UK ISO 27001 information security management system
• Support the Information Risk Management operations, management and governance bodies to allow them to assess the Information Security risk position on a regular basis
• Support the Information Risk Manager in making the Information Assurance risk governance bodies effective
• Provide information risk management input into Capability and Regional risk agendas as required
• Assist with the creation and provision of meaningful and actionable information risk reporting and dashboards, including changes to the current information risk position related to policies owned by the Head of Information Assurance
• Coordinate with the reporting of the wider information security teams to ensure risk reporting aligns with and supports wider information security goals
Awareness and collaboration
• Collaborate with UK Enterprise Risk Management (ERM) resources to ensure alignment and integration
• Collaborate with the Information Security Policy team to assist with the development and implementation of the KPMG UK information security policies across the firm and ensure changes to policies are integrated into the Information Risk Management framework and Information Security Management System
• Establish strong relationships with first line of defence stakeholders and other relevant stakeholders, as relevant to the role
• Support any Information Risk Management framework communications outside of the Information Security function
• Promote good information security practice and standards across the firm
Technical knowledge and qualifications
• 2 to 3 years of experience in information security (ideally in a risk management capacity)
• Strong working knowledge of information security standards (e.g. ISO 27001, ISO 27005, ISO 31000, Cyber Essentials, ISF Standard of Good Practice for Information Security, ISF IRAM, NIST Cybersecurity Framework, CIS Top 20 Controls)
• Good understanding of information risk management
• Good knowledge of legal and regulatory requirements impacting information security (including data privacy)
• Ability to communicate clearly and simply, both verbally and in writing
• Proven ability to identify and articulate information security requirements, risks and issues, and to make clear decisions and recommendations
• Ability to understand business drivers and risk appetite and to align information security compliance accordingly
• Problem solving skills
• A self-starter, with a proven commitment to excellence
• Ability to prioritise and manage a complex workload, including multiple concurrent tasks
• A good team player
• Good inter-personal skills and ability to communicate effectively with stakeholders at all levels
• Multi-cultural awareness and sensitivity
• Strong integrity, independence and resilience
• Excellent attention to detail, combined with strategic vision