Risk and Communications Senior Analyst

Job Title: Group Information Security Risk and Communications Senior Analyst

Location: Hybrid working

Salary: Competitive base salary + benefits

Working Hours: 40 hours per week Monday – Friday

Job Status: Permanent

Who we are!

Constellation Automotive Group is Europe's largest vertically integrated digital car marketplace, combining leading digital brands across C2B, B2B, and B2C segments, with an annual Gross Merchandise Value exceeding £20 billion.

The Constellation Technology Team provides technology products and services in various domains, including technology operations, cybersecurity, and engineering, across the UK and Europe.

http://www.constellationtechhub.com/

We are excited to expand our team at our brand-new Tech Hub in Coimbra, where you will have a unique opportunity to influence the development and culture of this innovative hub.

As a Group Information Security Risk & Communications Senior Analyst, you’ll play a key role in helping to build and embed a Distributed Information Security Management Risk Management framework across Constellation Automotive Group. You’ll work closely with different business areas to support their compliance with customer, regulatory, and internal policy requirements.

Reporting to the Group Information Security Risk & Communications Manager as part of the wider Group Information Security Policy, Risk and Compliance team, this role is central to promoting a culture of risk awareness and accountability. We’re looking for someone with hands-on experience in running and improving Information Security Risk Management processes—ideally in digital and cloud-first environments. You’ll need a good mix of technical understanding and business insight, along with the confidence to build strong, trusted relationships across teams and with external partners.

Key responsibilities include:

• Helping to continuously improve our digital and cloud-first Information Security Management System (ISMS), designed to meet certification standards such as ISO/IEC 27001, NIST, and other relevant global frameworks—ensuring it is well-communicated, understood, and adopted across the Group.
• Contributing to the evolution of Group information security policies, standards and guidelines that enable business and customer success by building trust through security.
• Working closely with business and technology leaders to drive adoption of information risk policies, encouraging a culture of shared accountability for risk.
• Contributing to the design and improvement of automated risk management processes that enable fast, informed, and safe decision-making.
• Supporting the enhancement of our risk measurement framework, aligning with international standards such as ISO/IEC 27000 and NIST SP800, and helping to embed this framework as a common standard for assessing and automating information security risk across both business and technology teams.
• Working with risk owners to ensure timely assessment, approval and remediation of risks, and helping them demonstrate clear evidence of mitigation to customers, stakeholders, and regulators.
• Contributing to the design and improvement of automated Supplier Security Assurance processes that enable sensible decisions to be made about which suppliers we trust with our data and systems.
• Support the development and delivery of information and cyber security training and awareness.
• Support the delivery of routine Phishing Simulations and follow-up education.
• Act as a communication ambassador for Group Information Security, ensuring that all messages and policies issued from the Group Information Security team are framed through a business risk lens.
• Day to day contributions to the performance of the Policy, Risk and Compliance team’s Operational Objectives, KPIs and continuous performance of process excellence.

• Degree level education or equivalent experience, ideally in cyber security, technology, computing or a related field.
• Practitioner knowledge of relevant legislation and regulation such as Data Protection Act (DPA), GDPR and Payment Card Industry Data Security Standard (PCI DSS).
• Practitioner knowledge of industry best practice and frameworks such as ISO27001, NIST SP800 and the principles of enterprise risk management and governance techniques.
• Have obtained or be studying for a professional security management qualification, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other relevant credentials.
• Qualification/certifications from Cloud providers such as AWS, MS Azur etc.

Our policy is to employ the best qualified people and provide equal opportunity for the advancement of employees including promotion and training and not to discriminate against any person because of gender, race, ethnicity, age, sexual orientation, religion, belief or disability.