Information Security GRC Analyst

As an Information Security GRC (Governance, Risk & Compliance) Analyst, you will play a pivotal role in strengthening and maturing the organization's security and compliance framework. This role involves ownership of governance, risk management, and compliance processes, providing subject matter expertise across frameworks such as ISO 27001, NIST CSF, Cyber Essentials, and regulatory requirements. You will partner with stakeholders across the business, lead compliance initiatives, and drive continuous improvement of the security posture through automation, tooling, and risk-based decision-making.

• Maintain and continually improve the Information Security Management System (ISMS) using Vanta ISMS and other GRC tools for evidence collection, automation, and reporting.
• Act as SME for ISO 27001, Cyber Essentials, NIST CSF, CIS Controls, and other frameworks, ensuring alignment and certification readiness.
• Lead enterprise-wide risk assessments and risk treatment planning, ensuring remediation is prioritized and tracked effectively.
• Develop, review, and enhance security policies, procedures, and standards, ensuring they are business-aligned and enforced.
• Oversee regulatory compliance activities (GDPR, FCA, DPA, etc.), ensuring obligations are mapped, tracked, and reported to stakeholders.
• Manage supplier and third-party risk processes, including due diligence assessments, security questionnaires, and ongoing assurance reviews.
• Coordinate responses to customer security due diligence requests and RFPs, providing assurance of the organization's security practices.
• Support incident response planning, including developing playbooks, running tabletop exercises, and post-incident reviews.
• Conduct control testing and assurance reviews, escalating gaps and overseeing remediation.
• Prepare detailed management reports, dashboards, and metrics for senior leadership, risk committees, and audit committees.
• Work closely with internal/external auditors and regulators, leading audit preparation, evidence collation, and corrective action planning.

• Degree in Information Security, Computer Science, or related discipline.
• Certifications such as ISO 27001 Lead Implementer/Lead Auditor, CISM, CRISC, CISSP, or equivalent.
• Previous experience in financial services, legal, technology, or other highly regulated environments.
• Hands-on experience using Vanta ISMS or equivalent ISMS/GRC platforms (e.g., Drata, OneTrust, Archer, ServiceNow GRC).
• Strong knowledge of ISO 27001 (implementation, maintenance, audit readiness) and experience with certification programs.
• Deep familiarity with security frameworks (NIST CSF, Cyber Essentials, CIS Controls, PCI DSS, SOC 2, COBIT).
• Proven experience managing regulatory compliance programs (GDPR, FCA, DPA, HIPAA, etc.).
• Advanced risk management expertise: threat identification, assessment methodologies, risk registers, and treatment plans.
• Experience leading internal and external audits, including preparation, evidence collection, and remediation tracking.
• Solid understanding of IT infrastructure, cloud platforms, and security technologies (e.g., IAM, endpoint protection, SIEM, firewalls, vulnerability management, patching, encryption) to provide credible assurance on control design and testing effectiveness.
• Policy governance: drafting, reviewing, and maintaining information security policies and standards.
• Data governance and privacy knowledge, including data classification, retention, and handling.
• Incident response planning and support, including evidence capture and lessons learned.
• Familiarity with security tooling integration into compliance platforms (e.g., Vanta integrations with endpoint, cloud, and identity providers).

We are a dynamic, fast-paced, and growing business with huge ambition. Our culture values individuality and inclusion. We are committed to building an inclusive culture and environment which recognises and celebrates our colleagues' differences and identities. We believe everyone can make a difference and your race, religion, disability, and gender will never be a barrier. We have a strong ethic of care for each other, balancing a successful career with commitments outside of work.

This is a permanent, hybrid role, based in our Swindon office, with the requirement to be in the office 3 days a week.

• Salary - £60,000
• Bonus scheme - on target bonus 10%
• Pension scheme - contribute up to 5% of your salary and Openwork will match you and put in an extra 5%
• Critical illness cover
• Income protection - 1x salary
• Death in service - 4x salary
• 27 days holiday + bank holidays, with the opportunity to buy up to an additional 10 days
• A range of other flexible benefits to include private medical insurance, dental insurance and much more.