
Everflow Utilities
We are seeking an experienced Information Security Manager (ISM) to lead our security efforts, ensuring compliance, risk management, and robust security operations.
Role Overview
As an Information Security Manager, you will be responsible for shaping, implementing, and maintaining Everflow’s information security strategy. You will work closely with stakeholders across the business, ensuring that security aligns with business objectives while meeting regulatory and compliance requirements.
Key Responsibilities
Stakeholder Engagement & Continuous Improvement
Engage with the Senior Leadership Team (SLT) to report on security posture, risks, and improvements.
Collaborate with IT, Regulations and Compliance teams to drive security initiatives.
Promote a strong security culture, ensuring security aligns with business goals.
Security Operations & Incident Management
Lead incident response efforts, develop playbooks, and ensure proper incident reporting and remediation.
Monitor and enhance threat detection & response capabilities.
Manage access control and identity management policies.
Business Continuity & Disaster Recovery
Develop and test business continuity and disaster recovery (BC/DR) plans.
Ensure data backup & recovery strategies are in place and effective.
Conduct tabletop exercises to assess response plan effectiveness.
Security Architecture & Technical Controls
Ensure secure configurations for systems, networks, and cloud environments.
Review and enhance data protection controls (e.g., encryption, DLP policies).
Implement security measures for Joiners, Movers, and Leavers (JML) processes.
Work with IT teams to strengthen cybersecurity measures (e.g., MFA, endpoint security).
Governance, Risk, and Compliance (GRC)
Develop, implement, and maintain security policies, standards, and procedures (e.g., ISMS).
Ensure compliance with ISO 27001, Cyber Essentials, GDPR, and other industry standards.
Conduct risk assessments, define risk treatment plans, and oversee mitigation measures.
Manage internal and external security audits, addressing any corrective actions.
Vendor and Third-Party Risk Management
Assess vendor security practices and conduct third-party risk evaluations.
Ensure vendors comply with contractual security requirements, conducting regular reassessments.
Implement automated review processes for vendor risk management.
Security Awareness & Training
Lead security awareness programs to minimise human risk (e.g., phishing simulations).
Provide training on data protection, security best practices, and compliance requirements.
Work with HR, IT, and Legal to embed security into business processes.
Engagement with Project & Product Managers
Perform Threat Modelling to identify attack vectors and risks early in development.
Conduct Risk Assessments for products handling PII, financial data, or sensitive business information.
Carry out Business Impact Analysis to understand security incident implications.
Ensure compliance with industry-specific regulations such as Ofwat, NIS2, and PCI DSS.
Review vendor agreements to ensure compliance with contractual obligations.
Implement Role-Based Access Control (RBAC) and Multi-Factor Authentication (MFA).
Ensure strong encryption for data at rest and in transit.
Establish logging & monitoring with SIEM and alerting for unusual activity.
Strengthen cloud security for Azure, AWS, or GCP environments, ensuring proper IAM roles and least privilege access.
To apply for this job please visit everflowutilities.livevacancies.co.uk.