A leading company in the financial sector is seeking a Manager of GRC, Information Security. This role involves overseeing the GRC program, ensuring compliance with ISO 27001 and SOC2 standards, and managing physical security. The ideal candidate will have a strong background in information security, risk management, and compliance, with at least 6 years of experience in GRC management. This position offers a competitive compensation package and opportunities for career advancement.
First National is proud to be an equal opportunity employer and is committed to diversity and inclusion regardless of race, color, religion, national origin, age, gender identity, physical or mental disability, sexual orientation and any other category protected by law.
First National supports requests for accommodation from applicants with disabilities; please contact Human Resources at accessibility@firstnational.ca should you need an accommodation at any point in the recruitment process.
We are hiring a Manager of GRC, Information Security!
Reporting To:
Senior Manager and Team Lead
Full-Time/Part-Time:
Full-time
Posting Date:
May 5, 2025
Closing Date:
May 16, 2025
Hours of Work:
8:30 a.m. – 5:00 p.m.
Grade:
16.4
Office Location:
Toronto, ON
Great location! Steps away from the main public transit station
What we offer:
Highly competitive compensation package which includes base salary, bonus, benefits, and career advancement opportunities!
*Eligibility for benefits is dependent on the terms of employment.
The Opportunity:
A strategic and integral member of the Information Security Team, reporting to the Senior Manager, Information Security, responsible for ensuring the security, integrity, and availability of the organization's information assets. The role will be responsible for the program management and continuous improvement of the GRC program (ISMS), including ISO 27001 certification and audit, SOC2 readiness and audits, day-to-day risk management, assessments, and controls testing, etc. Additionally, this Manager will oversee the enterprise Physical Security program.
How you will contribute:
Program Management:
Develop, implement, and enhance the GRC program supporting information security governance, risk management, and compliance.
Improve the Information Security Management Framework and build cross-organizational relationships.
Manage the security risk management and compliance strategy, framework, and approach, ensuring alignment with ISO 27001 and other security standards.
Track and communicate the status of risk response activities and advise teams on effective security controls.
Manage the Information Security Risk Management program, conducting regular Information Security Risk assessments.
Oversee risk treatment and ensure program-specific risk assessments (Data Security, IAM, etc.) align with the broader security risk program.
Collaborate with stakeholders to address key risks and improve processes, tools, and technologies.
Compliance Management:
Ensure adherence to relevant regulations and industry standards (specifically, SOC2 and ISO 27001).
Develop, document, and evaluate measures, metrics, and internal controls that contribute towards the ISMS objectives and SOC2 goals.
Review and update security policies, procedures, and standards to ensure compliance and security of First National assets.
Audit Management:
Support all security-related audit and certification processes (e.g., ISO27001, SOC2).
Support audit and assessment activities, including internal and external audits, vendor assessments, benchmarking, and more.
Third Party Vendor Compliance and Risk Management:
Assist the vendor management team in ensuring third-party security compliance.
Assist in implementing technical controls to mitigate third-party risks and monitor progress on security improvements.
Physical Security:
Oversee physical security governance for First National, across all locations.
Develop and implement physical security policies and procedures, where required.
Conduct or coordinate physical security risk assessments.
Stay current with industry trends and emerging technologies and identify opportunities to integrate them into the GRC and information security program.
Identify new GRC requirements through industry resources, research, and consultation with technology subject matter experts.
The experience you need:
Relationships:
Working Environment and Physical Demands Analysis:
The team you’ll join:
Founded in 1988, First National is one of Canada’s largest non-bank lenders. We provide residential mortgages exclusively through the mortgage broker channel and we are Canada’s largest commercial mortgage lender.
First National has been consistently recognized as a great place to work and we are proud that our employee engagement feedback is higher than our industry partners.
We would like to thank all applicants for their interest in this existing vacancy, but only candidates selected for an interview will be contacted.