About Ashurst:

Ashurst is a leading global law firm with a history spanning almost 200 years, and clear strategy for our future growth. Our in-depth understanding of our clients and commitment to providing exceptional standards of service have seen us become a trusted adviser to local and global corporates, financial institutions and governments in all areas of commercial law. To find out more please visit here

In order to comply with regulatory and client requirements, Ashurst will undertake appropriate vetting of staff. When applicants accept a job offer, Ashurst, alongside a specialist provider, will undertake professional verification and background checks. These checks are only undertaken with consent, and in accordance with our legal and regulatory obligations

Business Area: Information Technology

Role: Information Security Officer - 12 Month FTC

Location: Based at Ashurst's Glasgow office. Some international travel may be required from time to time.

Reporting to: Head of Information Security

Hours of work:

Monday to Friday, 09:00 - 17:30. You may be required to work additional hours from time to time.

Department/Role Overview:

The primary role of the Information Security Officer is to enable the information security function to deliver first class and timely security advisory and security assurance services to all areas of the Firm. Therefore supporting the objectives of the information security programme.

This is a senior role within the information security function and therefore this role is expected to communicate information security strategy and its requirements to all internal and external stakeholders.

Main responsibilities:

Information Security Advisory

As a trusted information security advisory with expert knowledge of the Firm's information security related processes, policies, standards and procedures, work with internal and external stakeholders to:

• Respond to internal and external questions and queries in relation to the Firm's information security control and governance framework.
• Assist with all aspects of client assessments of the Firm's IT security control environment and governance framework.
• Ensure that information security advice is aligned with business risk appetite.
• Provide subject matter leadership and response to any information security-related incidents, such that these are investigated in a timely manner and appropriate actions are taken.
• Provide regular insights to the threat landscape faced by law firms to enable timely advice on threat mitigation techniques.
• Support the information security function through knowledge and awareness sharing to ensure that the Firm's information assets and systems are adequately protected.
• Work closely with 3rd party suppliers to communicate new requirements and deliver solutions.
• Responsibility for responding to client security questionnaires, highlighting any gaps in compliance for remediation and proposing alternative compensating measures.
• Attend regular security briefings from all relevant internal and external sources.
• Maintain an in-depth knowledge of all relevant information security standards including ISO27001, NIST SP800 series, ASD Top25 and Cyber Essentials.
• In-depth knowledge of all IT policies and standards and how they should be interpreted and implemented.
• Assist with the preparation of draft security policies, procedures and standards and associated people awareness campaigns.

Information Security Advisory in IT Projects

Undertake information security advisor role for IT and Business Projects. Responsibilities include:

• Conduct information security risk assessments including identifying appropriate risk mitigation controls. Document associated risk treatment plans in sufficient detail for project team to implement.
• Validate common and system specific mitigation controls for each project deliverable, ensuring they are operational and appropriately implemented.
• Work with Project teams to ensure necessary IT system specific information security documentation is delivered as part of business take-on process and supporting materials in relation to specific projects.
• Collaborate with Data Privacy and Business Continuity functions to provide relevant information for both topic areas.
• Provide all assurance actions, information and documentation required to obtain approval from information security accreditor for the project deliverables.

3rd Party Security Advisory and Assessments

Undertake information security assessments of 3rd party services to the Firm including cloud service providers. Responsibilities include:

• Work independently and as required with internal stakeholders to assess the security control and governance framework of prospective and existing 3rd party technology solutions and cloud service providers.
• Conduct 3rd party information security risk assessments for prospective 3rd parties including identifying risk mitigation controls. Documenting and reporting findings to vendor management team.
• Definition of contractual security requirements.
• Conduct regular assessments of 3rd party compliance to the Firm's information security requirements, either remotely or via on-site assessments.

Security Awareness Duties

Actively participate in the Firm's Cyber Awareness programme. Defining and delivering content via multiple communication channels for staff and 3rd parties.

Security Incident Response

Supports the Firm's information security incident management processes. Leads or participates in assigned information security response scenarios.

Security Controls Assessment

Conducts information security administrative, physical and technical controls analysis of internal security control framework to ensure security controls have been implemented and continue to operate effectively in order to meet the information security policies and associated standards.

Risk and Control: Ensure that all activities and duties are carried out in full compliance with our regulatory requirements and internal policies.

Essential skills and experience:

• Thorough understanding and demonstrated experience implementing and assessing ISO 27001/27002 controls.
• Industry certified such as CISSP, CISM and/or CRISC.
• Industry certification in AWS and/or AZURE Cloud platform.
• Certified ISO27001 Lead Auditor, CISA.
• Excellent knowledge of ISO27005 Risk Management standard.
• Knowledge of global Data Protection and Privacy regulations.
• Ability to work with and across all business support functions in the firm.
• Excellent analytical skills.
• Excellent written and communication skills.
• Able to understand, interpret and respond to client requirements.
• Able to operate effectively and independently or as a member of a wider project team.
• Awareness/exposure to different software development life cycles and methods.
• Produce high level solutions/approaches, requiring systems analysis and design skills.
• Advanced knowledge of using MS office applications including MS Word, MS Excel and PowerPoint.
• Able to manage own workload and handle multiple tasks simultaneously.
• Detail oriented with an ability to work accurately and efficiently even when under pressure.
• Ability to complete set tasks with minimal supervision.
• Tactful and diplomatic when in pressured situations.
• Uses initiative - 'can do' approach.

Desired skills and experience

• Previous experience of working for a professional services organisation or within the legal sector.
• Familiarity with ITIL, Prince 2, Agile.
• Previous experience of implementing the NIST Risk Management Framework.