Information Security Assurance Officer

King's Service Centre

King's Service Centre is home to an innovative and forward thinking team supporting the services of King's College London.

Department: Office of the CIO - Office of the CIO

Employment Type: Permanent - Full Time

Location: Newquay, Cornwall, UK

Description

Information Security Assurance Officer
Overview of role
The Information Security Assurance Officer has a joint reporting line to both the Head of IT Assurance and the Associate Director of Information Security Assurance. Their work is reported on a termly basis to the Audit, Risk and Compliance Committee, and internal information security governance groups quarterly.
The role will focus mainly on supporting compliance to the ISO/IEC 27001:2022 standard for the University, as well as contributing to building and maintaining the Information Security Management System that coordinates internal policies and processes. Other aspects to the role include an internal audit function to support standards and continual improvements.
Our people are at the heart of King’s strategic ambitions. By supporting our staff to develop their potential within a positive and inclusive culture, we are building a thriving staff community. As such, it is essential that the candidate upholds our Principles in Action by displaying the four key behaviours: include, challenge, support, and connect.
This role is based within the IT Assurance team at King’s Service Centre in Cornwall, however, there will be some need to travel to the London campuses.

Key Responsibilities

1. Support the Associate Director of Information Security Assurance in developing the compliance elements of ISO/IEC 27001:2022.
2. Conduct fieldwork for internal audits, working from the annual plan, to keep the timescales for completion on track.
3. Creation of reports to the relevant management teams following audits, including recommendations for improvements where necessary.
4. Contribute to the improvement of information security culture across the University by building relationships and supporting best practice through recommendations.

The above list of responsibilities is not exhaustive, and the post holder will be required to undertake such tasks and responsibilities as may be reasonable expected within the scope and grading of this post.

Key Skills, Knowledge and Experience

The role holder should possess a good working knowledge of information security best practices, but it is not essential for them to have a deep knowledge of all areas. These areas include, but are not limited to:

1. ISO/IEC 27001:2022, 27002:2022 and 27005:2022 Standards
2. NIST and CIS Controls
3. Payment Card Industry Data Security Standards (PCI DSS)
4. Compliance monitoring and auditing
5. Development of information security-related policies

Whilst it is helpful for the role holder to have some knowledge and experience in a selection of these areas, it is more important that they can research the legislative and regulatory frameworks that impact departments across the University and can apply critical judgement to the performance of management against that framework. Candidates who have a background in operational IT Security, Cyber Security or in internal audit or assurance assessment will be well suited to this role. In addition, the successful candidate will be expected to be well-organised, thorough and have an eye to detail. They will be expected to be able to complete work on their own, exercising their own judgement and have an ability to communicate to all levels of staff. This includes the ability to negotiate outcomes with senior management. A good knowledge and understanding of risk management, including a practical appreciation of the proper application of risk appetite, is also a necessary requirement for this role.

Essential Criteria:

1. A good understanding of current technical security products used as operational IT security controls.
2. An ability to thoroughly research and understand all legal and regulatory frameworks which apply to Higher Education in England, to provide appropriate levels of assurance on activity at the University.
3. Thorough understanding of risk management and an appreciation of the effective application of risk appetite.
4. An ability to influence, negotiate and build relationships at all levels of the organisation.
5. An ability to prepare reports with an appropriate level of detail for the anticipated audience, including an ability to make practical recommendations for remedial actions.
6. Team player, but with an ability to work independently and proactively to a set of high-level criteria.
7. Rigorous, analytical approach with an eye for detail.
8. Ability to work under pressure and to deadlines, and to co-ordinate with others to meet internal team deadlines.
9. Excellent relationship building skills.
10. Excellent presentational skills in both written and oral communications.

Desirable Criteria:

1. Experience or detailed understanding of the UK Higher Education system.
2. Certification in any of the following: ISO 27001 (Foundation or Lead Implementer), ISO 27001 Lead Auditor, CC, CompTIA Security+.