Information Security Analyst

Who is ERM?
ERM is a leading global sustainability consulting firm, committed for nearly 50 years to helping organizations navigate complex environmental, social, and governance (ESG) challenges. We bring together a diverse and inclusive community of experts across regions and disciplines, providing a truly multicultural environment that fosters collaboration, professional growth, and meaningful global exposure. As a people-first organization, ERM values well-being, career development, and the power of collective expertise to drive sustainable impact for our clients—and the planet.

Job Objective

We prioritize the security and privacy of our customers' data and are committed to maintaining the highest standards of information security. The Cyber Security Compliance Specialist will play an essential role in managing information security governance, risk, and compliance. This is a contractual role for 6 months.

Key Responsibilities

• Client Requests and Contract Reviews:
  • Serve as a point of contact for client requests for information related to information security compliance. Must have deep understanding in this and provide detailed evidence-based responses.
  • Review contracts and agreements to ensure compliance with information security requirements and standards.
  • Attending client meetings and address their security concerns.
• Third-Party Risk Management:
  • Manage third-party risk assessment processes, including vendor security assessments and due diligence.
  • Evaluate third-party security controls and assess their alignment with organizational policies and standards.
• Exception Requests:
  • Review and evaluate exception requests related to information security policies and standards.
  • Assess the impact of proposed exceptions and make recommendations to management for approval or mitigation.
• Business Resilience
  • Conduct business impact assessments across critical business services and departments, ensuring that impact levels, as well as security and resilience measures, are documented.
  • Facilitate business continuity and disaster recovery exercises across business services.

Foundational Responsibilities

• Compliance Management:
  • Assist in the development, implementation, and maintenance of the company's information security compliance program.
  • Ensure adherence to regulatory requirements, industry standards, and internal policies and procedures.
  • Conduct regular compliance assessments and audits to identify gaps and areas for improvement.
• Governance Support:
  • Support the establishment and maintenance of information security governance frameworks, policies, and procedures.
  • Assist in the development of governance documentation, including charters, policies, standards, and guidelines.
  • Provide guidance and support to stakeholders on governance-related matters, ensuring alignment with business objectives.
• Risk Management:
  • Assist in the identification, assessment, and mitigation of information security risks across the organization.
  • Conduct risk assessments and analyze security controls to ensure effectiveness and compliance with ISO 27001 requirements.
  • Collaborate with stakeholders to develop and implement risk mitigation strategies and action plans.
  • Maintain central risk management tooling to record and report risks to key stakeholders.
• ISO 27001 Compliance:
  • Support the maintenance and continual improvement of a global Information Security Management System (ISMS) and ISO 27001 certification .
  • Manage ISMS non-conformities and corrective action plan.
  • Support external ISO 27001 audits to maintain certification.
  • Assist in the development and documentation of ISO 27001 policies, procedures, and controls.
  • Conduct internal audits to assess compliance with ISO 27001 standards and identify areas for improvement.
  • Identify and help implement continuous improvement initiatives within the ISMS and across the wider business.
• Security Awareness and Training:
  • Assist in the development and delivery of security awareness and training programs for employees.
  • Promote a culture of security awareness and best practices throughout the organization.

Influence And Decision-Making Authority

Operating within practices and procedures covered by precedent or well-defined policies; end results will be subject to review. The job will contain a variety of activities and clear short-term objectives. The job holder may determine their own priorities whilst meeting clear outcomes.

Explains policies, practices and procedures of the job area to parties within and outside of own job function. May have responsibility for communicating with parties external to the organisation (e.g., customers, vendors, etc.).

Job Requirements & Capabilities

Qualifications:

• Bachelor's degree in Computer Science, Information Security, or a related field.
• Lead Implementer Training ISO27001
• ISO 27001 Lead Auditor (desirable)
• CISA (desirable)
• CRISC (desirable)

Job specific capabilities/skills:

• 3-4 years of experience in information security, compliance, or related field.
• Strong English Verbal communication skills, including presentation skills, with an ability to communicate with a range of technical and non-technical team members, stakeholders, and clients.
• Hands on experience with GRC related tooling (e.g., risk management and third party security).
• Strong English Written communication skills, for example to write technical reports and professionally respond to client security assessments, master service agreements, and general queries.
• Flexible to work on contractual role.