About Ashurst:

Ashurst is a leading global law firm with a history spanning almost 200 years, and clear strategy for our future growth. Our in-depth understanding of our clients and commitment to providing exceptional standards of service have seen us become a trusted adviser to local and global corporates, financial institutions and governments in all areas of commercial law. To find out more please visit here.

In order to comply with regulatory and client requirements, Ashurst will undertake appropriate vetting of staff. When applicants accept a job offer, Ashurst, alongside a specialist provider, will undertake professional verification and background checks. These checks are only undertaken with consent, and in accordance with our legal and regulatory obligations.

Department/Role overview:

The Information Security function within the global IT department aims to maintain appropriate safeguards to protect the confidentiality, integrity and availability of Ashurst's and its clients' information assets in both electronic and physical formats.

The Information Security function is ultimately responsible for the ongoing development and execution of the information and cyber security strategy to meet the needs and expectations of the Firm and its clients.

Reporting to the Head of Information Security, the Information Security Manager role is to coordinate information and cyber security efforts across the Firm through collaboration with internal stakeholders and digital products business functions and in line with the Firms information and cyber security strategy.

This role partners extensively with IT, Legal, Data Protection / Privacy , Business Risk & Compliance and Business Continuity Management functions to collectively support the Firms business resilience capability.

Main responsibilities:

• Contribute to the Information and Cyber Security strategy and supporting initiatives. Develop, monitor, measure and report on the execution of the plan to stakeholders.
• Management of the development and implementation of global information security policies, standards and guidelines.
• Management and operation of all components of the Information Security Management System (ISMS) with the objective of achieving and then maintaining ISO27001 certification for the Firm.
• Ensure the Firms Cyber Essentials PLUS certification is appropriate and maintained.
• Manage the Information Security Risk Management processes including risk identification, evaluation and remediation activities. Communicating risk information to other business risk tiers e.g. Enterprise Risk Management team) . Providing information security risk management status reports to senior business risk owners on a regular basis.
• Identify appropriate security metrics, collate required data and provide weekly / monthly security metrics performance reports to Head of Information Security and Information Security Steering Groups.
• Regularly assess the compliance of the Firms information assets to information security aspects of client contractual terms and Ashurst security requirements.
• Produce and maintain security whitepapers for all major IT Systems and IT Services.
• Contribute content and supporting evidence to client pitches and security questionnaires as required. Attend client security audits to explain the Firms information security strategy & ISMS processes .
• Manage the ISMS internal audit and technical penetration testing programme. Reporting the current status of the programme and any remediation actions to risk owners as required .
• Devise , plan and lead Information Security Audits and assurance assessments of the Firms supply chain providers (including Cloud services , professional service and product supply providers ) in the context of the Firms Third Party Risk Management programme and cyber risk profile of the provider .
• Oversee incident response planning and breach investigation practices. Collaborate with other business functions (e.g. Risk & Compliance & Data Privacy) to ensure that suspected or actual incidents are investigated, responded to and reported appropriately by the firm in line with the Firms incident response and reporting plan. Ensure root cause analysis is conducted , findings reviewed and implemented.
• Act as a subject matter expert for Information Security risk and control topics for the Firm providing appropriate advice and guidance to all business functions as necessary.
• Responsible for design, planning and execution of the information security awareness programme . Managing all aspects of the security awareness training syllabus delivered through the Firms compliance training programme.
• A flexible approach to working hours to facilitate collaboration with other team members , business functions and suppliers based in different time zones.
• Any other duties as assigned by line management

Risk and Control: Ensure that all activities and duties are carried out in full compliance with our regulatory requirements and internal policies.

Essential skills and experience:

•  Holder of a recognised professional certifications in Information Security i.e. CISM , CISA , CRISC , CISSP.
•  Excellent practical knowledge of enterprise and information security risk management methods & methodologies including the management and communication of risk information and advising on risk strategy decisions and treatment actions with business stakeholders .
•  Excellent knowledge of assessing the security posture of Cloud Technologies and business service provider entities.
•  A minimum of five years of IT experience in an operations or software development role.
•  A minimum of five years in an information security management role.
•  Experience of planning and executing activities to achieve the desired outcomes of an information security strategy.
•  Experience of driving the programme of business activities required for large organisation (3000 plus people ) to achieve ISO27001 certification.
•  Minimum 3 years' experience of managing an ISO27001 certified information security management system.
•  Minimum 2 years' experience of Information Security Audit programme management and execution.
•  Excellent knowledge of security detection and prevention methods and technologies , legal and regulatory compliance requirements and security industry best practice security control frameworks and standards i.e. ISO27001, ISO27002, ISO27005 ,ISO27017 ,ISO27018 ,ISO27032 ,NIST CSF , ASD Essential 8.
•  Advanced Microsoft Office application skills e.g. MS Word, Excel, PowerPoint and Visio.
•  Excellent written and verbal communication skills.
•  Excellent business stakeholder and people management skills.
•  Good project management skills and knowledge.
•  Experience of building productive working relationships with multiple business functions and work collaboratively as the leader or participant of a cross-functional project team.
•  Ability to effectively deliver quality work products on time on a regular basis with minimal supervision.
•  Excellent time management skills.
•  The ability to escalate issues in a timely manner as an when required.

Desired skills and experience:

•  Holder of Certificate in Cloud Security Knowledge (CCSK) Certification.
•  Experience of working as an information security manager role within a global professional services organisation.
•  Knowledge of web application software development languages