GRC & Audit Lead (UK-Based)
Overview
PCI Pal’s Information Security team requires a dynamic and proactive individual to lead all Governance, Risk and Compliance (GRC) and audit activity for the team and the company. We are an agile and innovative team responsible for ensuring that the confidentiality, integrity and availability (CIA) of our internal and external environments and of our client solutions are maintained at all times. The GRC & Audit Lead owns all Information Security GRC, audit and related project initiatives, including proactive cross-functional collaboration with a variety of business stakeholders, and is accountable for ensuring that GRC and audit requirements are suitably managed, maintained and matured.
Primary responsibilities
- Manage, maintain and mature the established audit lifecycles for the following frameworks: PCI DSS v4.0; ISO 27001:2022; ISO 9001:2015; ISO 14001:2015; Cyber Essentials; Cyber Essentials Plus; SOC 2 (Type 1 and Type 2) and SOC 3; HIPAA
- Collaborate with team members, peers and the wider business to ensure that mandatory and audit-defined GRC requirements are effectively managed, maintained and matured
- Lead with a progressive and pragmatic approach to implementing and maturing innovative GRC and Data Privacy solutions, processes and procedures
- Assist in defining the technical requirements for tactical and strategic Information Security roadmaps
- Function as a subject matter expert within the team and with peers for all matters relating to GRC and audit management
- Manage, maintain and mature the third-party vendor risk management programme
- Work in close collaborative partnership with the Legal and People teams
- Ensure that all procedural, process, and policy documentation pertaining to GRC and audit requirements remains up-to-date and relevant
- Assist, as required, in completing the GRC and audit sections of client security self-assessment (SSA) questionnaires
- Manage PCI Pal’s outsourced Data Privacy programme and ensure compliance with global data privacy regulations
- Assist in maintaining our commitments to the security education, training and awareness (SETA) programme
Qualifications
- Exceptional knowledge of steering and strategically managing GRC and audit roadmaps and associated strategy within an overarching Information Security framework
- Subject matter expert level knowledge of information security frameworks (as listed in the responsibilities), e.g. PCI DSS, ISO 27001:2022, SOC2
- Strong understanding of EU/UK GDPR and the Data Protection Act 2018
- Experience leading and managing audit programmes from inception to completion for PCI DSS and ISO 27001:2022; experience managing SOC 2 audits is highly desirable, as is experience with CSA CCM v4.0 and other cloud security frameworks
- Excellent knowledge of risk management principles and their relevance to maintaining a GRC programme
- Collaborative, proactive, professional and pragmatic work ethic
- Thorough understanding of cyber security assurance methodologies and frameworks (e.g. NIST, CIS)
- Foundational understanding of AI governance, risk and assurance requirements, with the ability to develop and mature the company’s AI GRC capability
- Excellent written skills for writing, reviewing and maturing GRC and Data Privacy governance documentation
- Extensive experience managing relationships with MSSPs and external audit service providers
- Structured, methodical working ethos aligned to project management principles
- Ability to communicate GRC and audit requirements effectively to all levels of seniority
- Comfort with cloud GRC and Data Privacy services as well as traditional tooling
- Tenacious with delivering high-quality results for the team and the business
- Relevant certifications (held or desirable): CISA; ISO 27001 Lead Implementer; GRCP; PCIP; CISSP; CISM
- Extensive knowledge of Information/Cyber Security processes related to maintaining compliant PCI DSS and ISO-certified environments
Benefits
- 25 days holiday, rising to 28 days per annum with length of service
- Day off on your birthday
- Medical, dental and optical insurance cover (after qualifying period, subject to terms)
- Exciting and flexible working environment with friendly and committed co-workers
- UK Electric Vehicle Scheme (after qualifying period, subject to terms)
- Work from anywhere policy: 2 weeks per year
- Training and development opportunities
- Access to an employee assistance programme and wellbeing support hub
- Team events, ad-hoc incentives and competitions
- Location: United Kingdom
- Salary: £125,000 - £150,000
- Job Type: Full Time
- Category: IT & Technology