Information Security Analyst - GRC

Amtis Professional Ltd

Birmingham

Hybrid

GBP 40,000 - 50,000

Full time

Today

Job summary

A leading professional services firm in Birmingham is seeking an Information Security Analyst for a 12-month FTC. The role involves conducting third-party risk assessments, ensuring GDPR compliance, and providing guidance on data security practices. Candidates should possess experience in supplier assurance, strong analytical and communication skills, and a good understanding of information security frameworks. This is a hybrid position requiring three days in the office weekly.

Qualifications

  • Good understanding of GDPR and data protection regulations.
  • Experience in conducting supplier risk assessments.
  • Ability to assess technical security controls.

Responsibilities

  • Conduct third-party risk assessments.
  • Support data protection compliance activities.
  • Assist with audits and compliance monitoring.
  • Track remediation actions with suppliers.

Skills

GDPR knowledge
Risk assessments
Analytical skills
Communication skills

Education

Relevant certifications (e.g., CIPP/E, CompTIA Security+)

Job description

Information Security Analyst - GRC
Salary: £45,000
Contract: 12-month Fixed Term Contract (FTC)
Location: Central Birmingham (Hybrid - 3 days per week on site)

Responsibilities

Third-Party Risk Management
  • Conduct and coordinate information security and privacy risk assessments for new and existing suppliers.
  • Assess supplier controls relating to data protection, information security, data hosting and subcontractor usage.
  • Maintain accurate records of organisational data shared with third parties, including purpose of use, classification, sensitivity and processing location.
  • Ensure supplier data handling arrangements clearly define retention, archiving and deletion requirements in line with internal policies and regulatory obligations.
  • Support Procurement, Vendor Management, Legal and Information Security teams to embed supplier assurance throughout onboarding, renewal and contract processes.
  • Track remediation actions with suppliers and internal teams, escalating high-risk issues where appropriate.

Data Protection & GDPR Support
  • Review how personal data is used across systems, processes and vendor solutions.
  • Ensure data classification, sensitivity and lifecycle controls are clearly documented.
  • Promote data minimisation by identifying unnecessary collection or retention of personal data and challenging excessive processing.
  • Document personal data risks, gaps and recommended actions in line with risk management processes.
  • Provide risk-based advice and technical input to business stakeholders on personal data processing.

Governance, Risk & Compliance
  • Support the review, development and implementation of information security and data protection policies.
  • Contribute to information security risk registers and compliance monitoring activities.
  • Produce compliance reports, dashboards and metrics for management and senior stakeholders.
  • Assist with internal and external audits, including GDPR, PCI DSS and financial audits.
  • Maintain compliance tracking across third-party risks, data lifecycle controls and privacy-related risks.

Security & Privacy Operations
  • Track remediation of identified compliance and control issues to ensure timely closure.
  • Support incident response activities, particularly those involving third-party access or personal data.
  • Document business and supplier processes to support governance, risk and compliance requirements.
  • Produce clear, auditable documentation for assessments, risks, decisions and approvals.

About You

You will bring a strong understanding of information security, privacy and risk management, with the confidence to engage and challenge stakeholders constructively.

Essential experience and skills
  • Good understanding of GDPR, the UK Data Protection Act, and information security control requirements.
  • Experience conducting supplier assurance, security due diligence or third-party risk assessments.
  • Ability to assess technical and organisational security controls.
  • Strong analytical skills with excellent attention to detail.
  • Clear written and verbal communication skills, able to work with legal, technical and operational teams.
  • Experience supporting incident or breach investigations.
  • Ability to manage multiple competing priorities and work pragmatically with stakeholders.

Desirable
  • Experience working in large, complex or multi-site environments.
  • Relevant certifications such as CIPP/E, CIPM, CompTIA Security+, or BCS Practitioner Certificate in Data Protection.