
Information Security Governance Analyst

Employer
KPMG
Location
Aberdeen, Birmingham & Other locations
Salary
Competitive
Closing date
16 Aug 2022


Sector
Consultancy
Job Role
Risk Analyst
Job Type
Permanent
Job description

ROLE TITLE AND CONTEXT

Title:                 Information Security (IS) Governance Analyst
Business unit:   Enterprise-Wide Technology
Department:      Information Assurance, Information Security

REPORTING RELATIONSHIPS

Reports to:        Information Security (IS) Governance Lead (Grade B)
Direct reports:   None

JOB PURPOSE

The Information Security Governance Analyst will be part of the second line of defence and will be responsible for supporting the Information Security Governance Lead in delivering the function's strategic objectives.

KEY STAKEHOLDERS

  • Director of Information Assurance
  • Information Security Risk and Compliance Teams
  • Information Security Operations Teams
  • Information Security Architecture and Advisory
  • Capability Business Units stakeholders
  • KPMG's Enterprise and Capability Risk /Governance functions
  • Awareness and Education Team


KEY RESPONSIBILITIES

  • Maintain information security policies, processes, standards and procedures.
  • Conduct reviews and evaluate policies, standards, processes and procedures as directed.
  • Maintain the Information Security Common Control Framework, working with the Risk and Compliance teams to implement changes.
  • Provide advice, guidance and support to the firm on information security policies, standards and controls.
  • Provide support for internal and external audits and security compliance programmes, including ISO 27001, PCI DSS, Cyber Essentials and Cyber Essentials Plus, and SOC 2.
  • Analyse data to provide insights on the maturity and effectiveness of governance, risk and compliance activities.
  • Provide capability line reporting on key risks and controls, including key performance indicators and metrics.
  • Provide reporting on remediation progress and next steps, including regular review of compliance remediation activities.
  • Demonstrate and maintain expertise in information security governance, threats and vulnerabilities, and legal and regulatory changes.


KNOWLEDGE, EXPERIENCE AND SKILLS

  • A minimum of 3 years' experience in an information security governance role, with 2+ years' experience in an analytical role.
  • Demonstrable work experience in developing and maintaining information security policies and control frameworks.
  • Good knowledge and practical experience of global frameworks, including ISO 27001, ISO 27701, CIS Controls, SOC 2 Type 1 and Type 2 reports, PCI DSS, the NIST Cybersecurity Framework and the ISF Standard of Good Practice.
  • Good understanding of privacy requirements (including GDPR, ISO 27701, etc.).
  • Good working knowledge of the security aspects of IT infrastructure (networks and servers) and services, including cloud computing and application security.
  • Excellent written and verbal communication skills, including report writing.
  • Strong analytical and problem-solving skills.
  • Security certifications preferred (CISSP, CISM or equivalent).
  • Experience of working with automated continuous controls monitoring tools would be beneficial.