Information Security Governance, Risk & Compliance (SGRC) Manager
About the role
We are a global environmental and ESG consultancy operating in over 130 countries, supporting clients to manage environmental, climate, and sustainability risk. As the organisation continues to grow through organic expansion and acquisitions, maintaining strong information security governance, compliance, and effective risk oversight is essential to safeguarding data, maintaining client trust, and enabling sustainable growth.

We are seeking an Information Security GRC Manager to manage and mature the organisation's information security governance, risk management, and compliance capability. Reporting to the Security Director, this role will act as a core second-line security function, providing oversight, assurance, and pragmatic guidance across the business. This is a hands-on managerial role, balancing framework ownership, risk analysis, third-party risk management, audit coordination, information security awareness, and stakeholder engagement.

The Information Security GRC Manager will report to the Director of Cybersecurity and work closely with IT, Legal, Compliance, and other business functions to ensure information security requirements are embedded into day-to-day operations, proportionate to risk, and aligned with business priorities, regulatory obligations, and client expectations.
Responsibilities
Information Security Governance & Policy Management
- Maintain and evolve the organisation's information security governance framework in line with Cyber Essentials, ISO 27001, the NIST Cybersecurity Framework, and other recognised standards.
- Own and manage the information security policy and standards suite, ensuring policies and standards are current, risk-based, and consistently applied.
- Support the definition of information security roles, responsibilities, and information security related decision-making processes across the organisation.
- Ensure information security governance is integrated into enterprise processes, including technology delivery, data management, M&A activities, procurement, and HR.
Risk Management
- Own and operate the cyber and information security risk management framework, including risk identification, assessment, treatment, and reporting.
- Maintain the information security risk register and track remediation activities to closure.
- Conduct and oversee information security risk assessments for new systems, projects, and business initiatives.
- Provide clear, proportionate information security risk advice to business and technology stakeholders.
Compliance, Audit & Assurance
- Manage compliance activities against ISO 27001, SOC 2, Cyber Essentials Plus, and other relevant frameworks and regulations.
- Coordinate internal and external audits, certifications, client security questionnaires, and assessments.
- Work closely with Legal and Compliance teams to ensure information security controls support regulatory and contractual obligations.
- Track regulatory and standards developments and assess their impact on the organisation.
Third-Party & Supply Chain Security
- Manage the third-party information security risk management process, including supplier due diligence and ongoing assurance.
- Support procurement and vendor management teams with information security requirements and risk assessments.
- Ensure appropriate information security oversight of critical suppliers, partners, and service providers.
M&A and Business Change Support
- Support information security due diligence activities for mergers and acquisitions.
- Assist with the assessment of information security risks associated with acquisitions.
- Support the onboarding of acquired entities into group information security governance and compliance frameworks.
Awareness & Stakeholder Engagement
- Support the improvement and delivery of information security awareness and training activities across the organisation.
- Act as a trusted point of contact for information security governance, risk, and compliance matters.
- Promote a consistent, risk-aware, and pragmatic security culture.
Metrics, Reporting & Continuous Improvement
- Develop, maintain, and report meaningful information and cyber security metrics and key risk indicators (KRIs) to the Director of Cybersecurity and senior stakeholders.
- Contribute to maturity assessments and track progress against agreed improvement plans.
- Support control testing, assurance activities, and continuous improvement initiatives.
Candidate Profile
Essential
- 6+ years' experience in information security governance, risk, or compliance roles.
- Demonstrated ability to work collaboratively with business and IT teams, providing pragmatic, risk-based security guidance aligned with organisational priorities.
- Strong written and verbal communication skills, with experience engaging both technical and non-technical stakeholders.
- Strong working knowledge of ISO 27001, SOC 2, Cyber Essentials Plus, and security risk management practices.
- Experience working with