Information Security & Technology Risk, Regulation (GRC) and Awareness Lead - VR/32414

Status: Temp/Contract
Location: Aberdeen, AB11
Rate: Available Upon Request

Lead the design and execution of enterprise security governance, risk, policy, and awareness frameworks. Drive compliance with key regulations, embed cyber risk into business decision-making, and strengthen organisational culture through training and engagement. Provide senior-level reporting and assurance across cyber posture, controls, and risk management.

An organisation is seeking an Information Security GRC & Awareness Lead to own and evolve its security governance, risk management, policy framework, and awareness strategy. This role ensures cyber security is effectively governed, risk-managed, and embedded across the organisation through structured frameworks and strong stakeholder engagement.

You will operate at a senior level, working across IT, Risk, Legal, Compliance, and business functions to ensure alignment with regulatory frameworks and organisational risk appetite.

Key Responsibilities:

Security Governance & Frameworks:

  • Design and maintain the organisation’s information security governance model.
  • Define roles, responsibilities, escalation paths, and governance structures.
  • Align frameworks with recognised standards (e.g. ISO 27001, NIST CSF, UK CAF).
  • Integrate cyber governance into wider enterprise governance structures.

Information Security Risk Management:

  • Lead the development and operation of the cyber risk management framework.
  • Oversee risk identification, assessment, treatment, and reporting processes.
  • Ensure risk registers are maintained and embedded into governance forums.
  • Align cyber risk with enterprise risk management (ERM) practices.

Policy, Standards & Compliance:

  • Own the lifecycle of security policies, standards, and procedures.
  • Ensure compliance with legal and regulatory requirements (e.g. NIS2, GDPR).
  • Establish governance processes for policy review, approval, and communication.
  • Maintain consistency and alignment across the policy ecosystem.

Awareness, Culture & Training:

  • Develop and deliver a comprehensive cyber security awareness strategy.
  • Drive behavioural change through campaigns, phishing simulations, and engagement.
  • Engage senior stakeholders to promote a strong security culture.
  • Measure effectiveness via KPIs, surveys, and cultural assessments.

Executive Reporting & Assurance:

  • Deliver regular reporting to senior leadership and board-level stakeholders.
  • Provide insight into governance effectiveness, risk posture, and compliance.
  • Support internal and external audits and remediation activities.
  • Lead maturity assessments (e.g. ISO 27001, CAF) and track improvement plans.

Stakeholder Engagement & Integration:

  • Partner with Legal, Compliance, HR, and IT teams to embed GRC practices.
  • Act as a subject matter expert across governance, risk, and policy.
  • Support secure-by-design processes within business and technology initiatives.
  • Adapt governance and awareness approaches across diverse teams and regions.

Desirable Skills & Experience:

  • Degree in Computer Science, Information Security, or equivalent experience.
  • Certifications such as CISSP, GICSP, or similar.
  • Experience leading organisation-wide awareness and culture programmes.
  • Exposure to ISO 27001 audits or similar assurance frameworks.

TMM Recruitment INDIT

Employee Owned