Information Security Auditor
About the role
Freshfields is a global law firm with a long-standing track record of successfully supporting the world's leading national and multinational corporations, financial institutions and governments on ground-breaking and business-critical mandates. Our people make our firm - we are a people business and want to create a welcoming and supportive environment where all can flourish. We see diversity as a strength which creates fresh perspectives and generates new ideas. We enjoy our work and are determined to do an outstanding job. We deliver best when working in teams. We think and work globally - we do not just say we are one firm; we act like one firm right across the world. We work wherever our clients need us. This is how we define ourselves, not by reference to where we have offices. Cross-border work is not just what we do, it is what we excel at. We understand what it really takes to work across different legal systems and commercial environments and to bridge language and cultural gaps. We aim to add value in everything we do - we are enthusiastic about helping our clients succeed. We use our experience and creativity to help clients make judgements and achieve their goals. In everything we do, we seek to make a real difference to the communities in which we operate.

Department and Location Overview
Formed in 2014, the Information Security Group (ISG) focuses on delivering operational and strategic information / cyber security and business continuity. The group is independent of IT. Operationally, the Information Security Committee and the Conduct and Risk Committee oversee the group. The Chief Global Information Security Officer reports into the General Counsel and Global Risk Partner. The ISG department is based mainly in the firm's London and Manchester offices. The Freshfields Global Centre in Manchester provides both business and legal services to the firm. Our services are delivered in a way which supports the global nature of our firm and our clients, enables our fee earners to deliver exceptional service to our clients, and does so in a way which is efficient and effective.

Role summary / purpose of job
The primary focus of this role is to assess the security of new and current suppliers and to audit the security and business continuity controls applied to core areas of the firm's operation. This is a vital role in improving the firm's compliance position during a period of heightened technological change.

Key responsibilities and deliverables
Perform information security assessments on new and current suppliers.
Carry out specific Artificial Intelligence (AI) and emerging technology risk assessments.
Evaluate security risks introduced by AI/ML tools, LLM deployments, and automation used by suppliers internally.
Manage continuous third-party monitoring.
Monitor automated risk monitoring platforms (BitSight and SecurityScorecard).
Review and update ISG vendor and audit related policies and processes.
Design risk mitigation measures in response to information security findings arising from supplier assurance activity.
Support assurance and review activity following incidents or investigations, including control assessment, root cause analysis, risk identification, and lessons learned.
Metrics and governance reporting.
Produce regular KPI dashboards for management reporting.

Key requirements
IT/information security auditing experience and/or running third party risk management processes.
Detailed understanding of ISO 27001 / ISO 22301.
Relevant auditing qualifications (Lead ISO 27001 auditor, Internal ISO 27001 auditor, or equivalent alternative auditing qualifications).
Working knowledge of technology, software and approaches utilised in the corporate and legal industry.
Ability to work autonomously, effectively prioritise and manage large and varied workloads, adapting the action plan accordingly.
Experience of influencing stakeholders across departments and translating complex technical requirements into clear practical actions.
Working knowledge of DORA, NIS2, UK GDPR, the EU AI Act, and the UK Cyber Security & Resilience Bill.

Desirable
CISM
CISSP
Knowledge of Cloud services (SaaS, PaaS and IaaS)
Knowledge of containers and virtualisation
Understanding of global cyber security and privacy laws and their application to both internal and external data subjects
Previous legal sector experience

Behaviours required to perform the role
An excellent communicator and multi-tasker with exceptional organisational abilities.
Ability to engage across diverse global jurisdictions, aligned with the firm's stated diversity values.
Ability to influence and collaborate with colleagues across teams.
Comfortable interpreting security metrics and presenting risk posture to senior leadership and governance committees.
Ability to combine a good eye for detail with big picture corporate considerations.
Detailed, focused and pragmatic.
Motivated and initiative-taking, with an eagerness to learn and develop.

For individuals assigned and