Policy and Standards Manager

Date: Sep 12, 2021

Location: London, United Kingdom

Company: KPMG UK

Title: Policy and Standards Manager (Grade C)
Business unit: Policy and Risk, Information Assurance
Department: Risk and Legal


The Team
The role holder will be a key manager in the Information Assurance team and will have visibility of the three lines of defence in the KPMG UK firm, delivering second line of defence policy and standards activities, providing oversight over the first line of defence and supporting the third line of defence when necessary. The role holder will also have responsibility for supporting the development, maintenance and change control of the firm’s information security policies and standards.

The Role
Policy
• Support the development, maintenance, change control and communication of the UK firm’s information security policies, standards, guidelines, controls and supporting documents
• Track internal and external requirements used as input into policy, standard, guideline and control changes with various control owners and other stakeholders
• Work with KPMG Global information protection group (IPG) and the policy focus group (PFG) to track changes and provide input into Global policies, standards and other supporting documents
• Align KPMG Global policies, standards and other supporting documents with UK firm’s policies, standards and other supporting documents
• Ensure policies are compliant with the UK’s ISO 27001 Information Security Management System
• Coordinate policy, standards and other supporting document changes with Awareness and Education lead for alignment
• Work with Information Security internal and KPMG UK communications teams for appropriate policy, standards and other supporting document publishing
• Support Information Risk Management Framework Lead and supporting staff to ensure UK policies, standards and other supporting documents can be converted and integrated within KPMG’s governance risk and compliance (GRC) solution
• Coordinate controls mapping to industry standards with control owners with support from industry standard control mapping solutions (e.g. unified compliance framework, etc.)
• Promote good information security practice and standards across the firm
• Support third line of defence internal and external audits
• Support the firm’s mission to build client trust and confidence with regard to information security
• Stay abreast of industry best practice in relation to information security governance, risk & compliance
• Provide policy subject matter expertise input into culture and awareness initiatives and ad-hoc projects and help to create supporting guidance and materials
• Manage the policy exceptions process and act as an escalation point when necessary
• Provide support and guidance to the business, other teams within Information Assurance and the wider Information Security department on matters of policy.

Risk management
• Support proactive and timely identification, evaluation and recording of non-compliance and information security risks
• Foster an environment that drives appropriate information risk control behaviour, including early anticipation, identification and mitigation of information risk, escalating issues in line with the Information Risk Management Framework.

Awareness and collaboration
• Establish strong relationships with business and functional teams
• Establish strong relationships with IT and other relevant stakeholders
• Build on and preserve the firm’s reputation with clients, with regard to information security

The Person
Technical knowledge and qualifications
• A minimum of 5 years’ experience of information security in a governance, risk & compliance capacity
• Practical expertise in developing information security policy and standards (and the ability to write policy content in plain and precise English)
• Strong knowledge of information security standards (e.g. Cyber Essentials, ISF Standard of Good Practice for Information Security, ISO 27001, NIST Cybersecurity Framework, CIS Top 20 Controls)
• Sound understanding of privacy requirements (including GDPR, ISO 27701, etc.)
• Strong working knowledge of the IT security aspects of IT infrastructure (network and servers) and services, including Cloud computing and IT application security
• Security certifications preferred (CISSP, CISM or equivalent)

Leadership skills
• Strong influencing skills
• Ability to deal with a broad range of stakeholders at all levels, both internal and external, in a confident and assured manner
• Ability to prioritize and manage a complex workload, including multiple tasks for themselves and direct reports

Analytical skills
• Proven ability to identify and articulate information security requirements, risks and issues, and to make clear decisions and recommendations
• Ability to understand business drivers and risk appetite and to align information security compliance accordingly
• Strong analytical and problem solving skills
• Experience of leading projects

Personal qualities
• A good team player, with the ability to act independently and exercise sound judgment
• Excellent communication skills, both written and verbal with the ability to explain information security and risk management topics to non-experts.
• Multi-cultural awareness and sensitivity
• Strong integrity, independence and resilience
• Excellent attention to detail combined with strategic vision