Information Risk Manager

Date: Jan 19, 2021

Location: London, United Kingdom

Company: KPMG UK

The Role

The role holder will be a key manager in the Information Assurance team, managing the information risk and reporting aspects of Information Assurance. The role holder will be responsible for implementing the Information Risk Management framework, including reporting the status of information risk and compliance across the firm, managing risk reporting, and supporting the ISMS methodology documents that underpin the UK firm’s ISO 27001 certification.

Key Stakeholders

- Chief Information Security Officer, Head of Information Assurance
- Risk Framework Lead, Information Assurance
- Information Risk Management Framework Workstream Lead, ISTP
- Information Risk Assessment team
- Assurance & Remediation Lead
- Business Continuity & Crisis Management Lead
- Security Advisory & Assessments Lead
- First line of defence business and functional managers across the firm, including Project Managers, BISOs (Business Information Security Officers), Procurement, and Supplier Managers

Key Responsibilities

Risk management

- Manage and enhance the firm’s Information Risk Management framework, including the management of related processes, artefacts, and providing requirements as input for GRC tooling and solution design
- Review the output of the Information Risk Management framework implementation, operations, audit and compliance checks to ensure the framework is operating as designed
- Respond to changes in requirements (e.g. KPMG global requirements, ISO 27001, Cyber Essentials, audit findings, the information security strategy) and improve the Information Risk Management framework accordingly
- Integrate into the firm’s Information Security Management System the information risk management requirements arising from other, similar management systems (e.g. the Business Continuity Management System and the Information Privacy Management System)
- Monitor the information security risks captured within Information Assurance, which may be populated from multiple risk sources (e.g. the Risk Assessment team)
- Enable the Information Risk Management framework operations, management and governance bodies to assess the firm’s information security risk position on a regular basis, from an Information Security perspective and with input from across KPMG UK where feasible
- Align any Information Risk Management framework communications, outside of the Information Security function, with a standard approach to Information Security executive management, business engagement and service management
- Foster an environment that drives appropriate information risk control behaviour, including early anticipation, identification and mitigation of information risk, escalating issues as necessary
- Support the firm’s mission to build client trust and confidence with regard to information security
- Stay abreast of industry best practice in relation to information security governance, risk & compliance

- Facilitate the formal governance review and approval process required to support the firm’s Information Security Management System
- Manage the relationship with GRC tooling providers (currently SureCloud and ServiceNow)
- Support the CISO and Head of Information Assurance in making the Information Assurance risk governance bodies effective
- Provide information risk management input into Capability and Regional risk agendas as required

- Manage the provision of meaningful and actionable information risk reporting and dashboards, including changes to the current information risk position related to policies owned by the Head of Information Assurance.
- Ensure that reporting generated from the Information Risk Management framework is delivered to appropriate information security governance bodies for review and processing

- Contribute to the development and implementation of the KPMG UK information security policies across the firm and ensure changes to policies are integrated into the Information Risk Management framework and Information Security Management System
- Contribute to policy compliance and oversight activities, including audits
- Promote good information security practice and standards across the firm

Awareness and collaboration

- Establish strong relationships with first line of defence stakeholders, as relevant to role
- Establish strong relationships with other relevant stakeholders, including ISTP workstream leads
- Build on and preserve the firm’s reputation with clients, with regard to information security

Knowledge, Experience and Skills

Technical knowledge and qualifications

- Proven experience of information security in a risk management capacity
- Strong working knowledge of information security standards and frameworks (e.g. ISO 27001, ISO 27005, ISO 31000, Cyber Essentials, the ISF Standard of Good Practice for Information Security, the NIST Cybersecurity Framework, and the CIS Top 20 Controls)
- Subject matter expert in information risk management
- Understanding of privacy requirements (including GDPR)
- Good knowledge of legal and regulatory requirements impacting information security
- Ability to communicate clearly and simply, both verbally and in writing
- CISSP and/or CISM certification desirable

Leadership skills

- Experience of leading and inspiring others, providing guidance, mentoring and planning
- Strong influencing skills
- Ability to prioritise and manage a complex workload, including multiple tasks for themselves and their direct reports

Analytical skills

- Proven ability to identify and articulate information security requirements, risks and issues, and to make clear decisions and recommendations
- Ability to understand business drivers and risk appetite and to align information security compliance accordingly
- Experience of leading projects
- Problem-solving skills

Personal qualities

- A self-starter, with a proven drive for excellence
- A good team player
- Good inter-personal skills and ability to communicate effectively with stakeholders at all levels
- Multi-cultural awareness and sensitivity
- Strong integrity, independence and resilience
- Excellent attention to detail, combined with strategic vision