Role Purpose & Context
Role Summary
The International ISO 27001 Administrator is responsible for maintaining our ISO 27001 certification, which directly impacts our ability to win and keep clients who demand robust information security. You'll work at the intersection of our IT, Engineering, and HR teams, translating the ISO standard's requirements into practical tasks that help us stay secure and compliant. When this role is done well, our external audits run like clockwork, and we maintain our certification without a hitch. When it's not, we risk losing certification, which can cost us significant business and reputational damage. The challenge is getting busy people across the business to prioritise compliance tasks amidst their other deadlines. The reward is seeing our organisation pass audits with flying colours and knowing you've helped protect sensitive information.
Reporting Structure
- Reports to: Senior International ISO 27001 Administrator
- Direct reports:
- Matrix relationships: ISO 27001 Coordinator, Information Security Compliance Analyst, GRC Administrator
Key Stakeholders
Internal:
- IT Operations team
- Engineering teams (for evidence collection)
- HR (for joiner/leaver processes)
- Legal team (for policy reviews)
- Your manager and the wider Compliance team
External:
- External ISO 27001 auditors
- Certification bodies
Organisational Impact
Scope: This role is crucial for maintaining our ISO 27001 certification, which is often a non-negotiable requirement for our enterprise clients. Get this wrong, and we could lose business. Get it right, and you're directly contributing to our sales pipeline and overall business resilience. You're the one making sure the cogs of our information security system keep turning, protecting our data and our reputation.
Performance Metrics
Quantitative Metrics
- Metric: Evidence Request Fulfilment Rate
- Desc: The percentage of internal evidence requests (e.g., for logs, screenshots) that you've chased and received from control owners by their internal deadlines.
- Target: 95% or higher
- Freq: Monthly, with a pre-audit spike
- Example: If you send out 20 requests for evidence in a month, you'll need to get 19 of them back on time. Missing one or two is usually okay, but missing five is a problem.
- Metric: Controlled Document Review Schedule Adherence
- Desc: The percentage of ISMS documents (policies, procedures) that are reviewed and updated on their scheduled cycle.
- Target: 100%
- Freq: Quarterly
- Example: If the 'Access Control Policy' is due for review in March, you'll need to make sure it's reviewed, updated (if needed), and approved by the end of March. No excuses on this one.
- Metric: Corrective Action & Preventive Action (CAPA) Closure Rate
- Desc: The percentage of identified non-conformities or audit findings for which you've tracked the corrective actions to full closure within the agreed timeframe.
- Target: 90% on-time closure
- Freq: Monthly
- Example: If an internal audit flags a 'Minor NC' in April, and the fix is due by June, you'll be the one making sure that fix happens and is documented by June. If it slips, that's on you to chase.
- Metric: Risk Register Update Timeliness
- Desc: How quickly you update the Risk Register with new risks or changes to existing risks once they've been identified and assessed.
- Target: Within 5 working days of identification
- Freq: Weekly
- Example: If IT flags a new vulnerability that needs to be added to the risk register on Monday, you'll need to make sure it's logged and assigned by the following Monday.
Qualitative Metrics
- Metric: Documentation Accuracy and Clarity
- Desc: The quality of the ISMS documentation you manage, ensuring it's easy to understand, up-to-date, and accurately reflects our processes.
- Evidence: Positive feedback from internal teams or auditors on documentation clarity; minimal questions during audits about process descriptions; documents are easy for new joiners to follow. Basically, if someone can pick up a policy you've worked on and understand it without asking you a dozen questions, you're doing well.
- Metric: Proactive Issue Identification
- Desc: Your ability to spot potential compliance issues or gaps in our ISMS before they become a problem or an audit finding.
- Evidence: You're bringing potential issues to your manager's attention, not just reacting to them. For instance, you might notice a new system being deployed that hasn't had a security review, or a policy that's clearly out of date based on recent changes. It's about thinking ahead, not just behind.
- Metric: Stakeholder Support and Responsiveness
- Desc: How effectively you support internal teams with their compliance queries and requests, making their lives easier.
- Evidence: Control owners feel you're helpful and responsive when they need guidance on evidence. Your manager doesn't get complaints about you being slow or unhelpful. You're seen as a helpful resource, not just a 'compliance cop'.
Primary Traits
- Trait: Forensically Detail-Oriented
- Manifestation: You're the person who spots the one inconsistent date across three different evidence documents. You cross-reference the asset inventory against the risk assessment and find a gap. You read a policy and immediately notice vague language that an auditor would challenge. Honestly, you probably proofread your own emails twice before sending them.
- Benefit: A single missed detail, like an expired certificate or a user who wasn't de-provisioned on time, can result in a major non-conformity, jeopardising the entire certification. For us, that means lost business and a huge headache. You're the last line of defence against those small errors becoming big problems.
- Trait: Systematic & Process-Minded
- Manifestation: You create checklists for everything, even if it's just for your grocery shopping. You believe in version control for documents and you're probably a bit obsessive about file structures being logical and predictable. You naturally think in terms of 'input -> process -> output' and like things to flow smoothly.
- Benefit: An Information Security Management System (ISMS) is exactly that—a *system*. Without a methodical approach, the system breaks down into a chaotic collection of documents, leading to audit failure and actual security risks. Your ability to keep things organised and follow a process is absolutely critical here.
- Trait: Diplomatically Persistent
- Manifestation: You can send the fifth follow-up email to a busy engineering manager for a piece of evidence, framing it in a way that is helpful and understanding, not nagging. You know how to explain *why* a control is necessary in business terms, not just 'because the standard says so.' You're good at getting people to do things without them feeling like they're being told off.
- Benefit: You have no direct authority over the people you need evidence from or who need to implement controls. Your success depends entirely on your ability to influence and persuade colleagues to prioritise compliance tasks amidst their other deadlines. It's a delicate balance, and you've got to be good at it.
Supporting Traits
- Trait: Inquisitive
- Desc: You naturally ask 'why' to understand the root cause of an issue, rather than just accepting things at face value. This helps us get to the real problem, not just the symptom.
- Trait: Resilient
- Desc: You bounce back quickly when a control fails or an audit finding is raised. It's not about dwelling on mistakes, but learning from them and moving forward to fix things.
- Trait: Articulate
- Desc: You can explain complex security and compliance concepts to non-technical audiences without resorting to jargon. This means getting your point across clearly and concisely.
- Trait: Patient
- Desc: You understand that building a strong culture of security and compliance is a marathon, not a sprint. Changes take time, and you're okay with that.
Primary Motivators
- Motivator: Order and Structure
- Daily: You thrive when processes are clear, documents are organised, and everything has its place. You'll enjoy creating and maintaining logical file structures and ensuring consistency across our ISMS.
- Motivator: Problem Prevention
- Daily: You get a kick out of spotting potential issues before they become real problems. You're driven by the idea of preventing audit findings or security incidents through diligent maintenance.
- Motivator: Seeing Things Through
- Daily: You like to take ownership of tasks and see them through to completion, especially when it involves chasing up others to get the job done. Closure is important to you.
Potential Demotivators
Honestly, this role isn't for everyone. You'll spend a fair bit of time chasing people for things they might see as administrative overhead. The 'urgent' request for evidence you sent on Thursday might be completely ignored until you follow up for the fifth time. You'll probably build a beautiful piece of documentation that gets outdated the week after it's approved because someone changed a system without telling you. If you need constant recognition for every small task, or if you get easily frustrated by others' lack of urgency on compliance matters, you'll struggle here. Sometimes, it feels like you're the 'compliance cop', and that can be a bit of a lonely place.
Common Frustrations
- Spending 50% of your time before an audit chasing busy engineers and IT managers who see your requests for screenshots and log files as a low-priority distraction.
- The last-minute scramble: Despite months of preparation, the two weeks before the external auditor arrives are always a frantic panic of updating documents and gathering final evidence.
- Explaining the 'Why': Repeatedly justifying the existence of a control to a product manager who insists it's 'getting in the way of a feature launch.'
- Static Documentation, Dynamic Reality: Your beautifully crafted network diagram or data flow policy is outdated the week after it's approved because a team deployed a new microservice without telling you. Again.
- The 'Paper' vs. 'Practice' problem: The soul-crushing discovery that a process documented perfectly on paper is not being followed at all in practice by the responsible team.
What Role Doesn't Offer
- High-level strategic decision-making – that's for more senior roles.
- Direct management of a team – you'll guide, but not manage.
- Constant novelty or a 'move fast and break things' culture – we're all about order and control here.
- Immediate gratification for every task – sometimes you're planting seeds that will only bear fruit during the next audit.
ADHD Positives
- The need for meticulous detail and spotting inconsistencies can be a real strength for those with hyperfocus, allowing you to dive deep into documentation and evidence.
- The varied nature of 'chasing evidence' and interacting with different teams can provide enough novelty to keep engagement high, preventing boredom from purely repetitive tasks.
ADHD Challenges and Accommodations
- Maintaining focus on long, detailed policy documents or audit reports might be challenging; breaking these down into smaller, manageable chunks with clear objectives can help.
- Managing multiple follow-ups and deadlines for evidence collection requires strong organisational tools and systems; using task management software (like Jira) with reminders and visual cues is essential.
- We can offer flexible work arrangements to help manage energy levels and provide a quieter environment for concentration when needed.
Dyslexia Positives
- The role's emphasis on systematic thinking, process design, and pattern recognition (e.g., in audit findings) can be a significant advantage.
- Strong verbal communication skills, often found in individuals with dyslexia, are highly valued for explaining complex compliance requirements to non-technical teams.
Dyslexia Challenges and Accommodations
- Reading and reviewing extensive policy documents or audit reports might be more time-consuming; we encourage the use of screen readers, dictation software, and tools that can change font styles or background colours.
- Written documentation tasks can be supported by AI writing assistants for first drafts, allowing you to focus on content accuracy and clarity rather than grammar and spelling.
- We can provide templates and clear structures for all documentation, reducing the cognitive load of starting from scratch.
Autism Positives
- The clear, logical structure of the ISO 27001 standard and the ISMS framework can be very appealing, providing a predictable environment.
- A strong preference for order, accuracy, and adherence to rules and processes aligns perfectly with the core requirements of maintaining compliance.
- The ability to focus intensely on details and spot anomalies is crucial for identifying gaps in evidence or inconsistencies in documentation.
Autism Challenges and Accommodations
- Navigating social dynamics when 'diplomatically persistent' with various stakeholders might be challenging; we can provide clear communication guidelines and support in crafting effective follow-up messages.
- Unexpected changes in audit requirements or internal processes could be unsettling; we aim to provide as much advance notice as possible and clear explanations for any shifts.
- We ensure clear, direct communication and minimise ambiguity in instructions and feedback. We can also provide a quiet workspace if needed.
Sensory Considerations
Our office environment is typically a modern, open-plan space, which can sometimes be a bit noisy. However, we have quiet zones, focus booths, and offer noise-cancelling headphones. Visual stimuli are generally moderate. Social interaction is frequent but usually structured around specific tasks and projects, rather than constant informal chatter. We're happy to discuss specific needs.
Flexibility Notes
We offer hybrid working, usually 2-3 days in the office, which can help manage sensory input and provide a balance between collaborative and focused work. We're generally flexible with start and end times to accommodate individual needs.
Key Responsibilities
Experience Levels Responsibilities
- Level: Mid-Level Professional (International ISO 27001 Administrator)
- Responsibilities: Manage and maintain the ISMS documentation suite, ensuring all policies, procedures, and records are current, version-controlled, and easily accessible in SharePoint or Confluence.
- Take ownership of the Corrective Action and Preventive Action (CAPA) process, tracking audit findings and security incidents from identification through to verified closure in Jira.
- Regularly update the Risk Register in Excel or our GRC platform, adding new risks as they're identified and ensuring existing risk treatments are accurately recorded.
- Coordinate and chase internal teams (IT, Engineering, HR) for objective evidence required for internal and external audits—think screenshots, access logs, training records. This is a big one, honestly.
- Support the planning and execution of internal audits by preparing audit schedules, gathering background information, and helping to document findings clearly and concisely.
- Help prepare materials for the quarterly Management Review meetings, pulling together performance data on security incidents, audit findings, and risk status for senior leadership.
- Assist with the onboarding of new employees by providing basic information security awareness training and ensuring they understand their responsibilities within the ISMS.
- Supervision: You'll typically have weekly check-ins with your Senior Administrator or Lead Specialist. For routine tasks, you'll work independently, but for anything new or complex, you'll get guidance and your work will be reviewed before it goes out. We're here to help you learn and grow, not just leave you to it.
- Decision: You'll make routine decisions within established guidelines, like how best to organise a particular set of evidence or which template to use for a new procedure. Anything outside of these guidelines, or anything with significant impact (e.g., changing a core policy, delaying an audit deadline), will need to be escalated to your manager for approval. You won't be signing off on major changes, but you'll be trusted to manage your day-to-day tasks.
- Success: You're successful when our ISMS documentation is always up-to-date and organised, CAPAs are closed on time, and internal teams find you a helpful and responsive resource during audit season. Basically, if the auditors say 'this is well-managed,' you've done your job brilliantly.
Decision-Making Authority
- Type: ISMS Document Updates
- Entry: Proposes minor edits to existing documents, requires full review and approval by manager.
- Mid: Independently updates routine documents (e.g., forms, minor procedure changes) within templates; significant policy changes require manager review and approval.
- Senior: Designs new document templates, leads major policy revisions, approves routine document changes.
- Type: Corrective Action Tracking
- Entry: Records CAPA status updates as directed, escalates overdue items.
- Mid: Takes ownership of tracking CAPAs to closure, proactively chases owners, identifies potential delays and proposes solutions to manager.
- Senior: Defines CAPA workflows, assigns ownership, reviews effectiveness, reports on overall CAPA programme health.
- Type: Evidence Collection Strategy
- Entry: Gathers specific evidence as requested by senior team members.
- Mid: Identifies required evidence for specific controls, organises collection efforts, and follows up with control owners independently.
- Senior: Develops evidence collection strategies, identifies opportunities for automation, trains junior staff on best practices.
- Type: Risk Register Maintenance
- Entry: Enters new risks or updates existing risk details as instructed.
- Mid: Independently updates the Risk Register based on new information, ensuring accuracy and completeness. Escalates significant risk changes for review.
- Senior: Conducts risk assessments, proposes new risk treatments, presents risk posture to management.
- Tool: Automated Evidence Collection
- Benefit: Use AI-powered scripts to automatically query systems like AWS, Azure, or Splunk for evidence related to specific controls. Think 'pull logs showing all admin access for the last 90 days,' formatted and linked directly to your GRC tool. This frees you from the manual grind of screenshotting and data extraction.
- Tool: Predictive Audit Analysis
- Benefit: Imagine an AI model analysing past internal and external audit findings, trouble tickets, and security incidents to predict which controls are most likely to fail in the next audit cycle. This lets you proactively shore up weak spots, shifting from reactive firefighting to strategic prevention. It's like having a crystal ball for your audits.
- Tool: Policy & Procedure Generation
- Benefit: Feed a secure, internal Large Language Model (LLM) the relevant ISO 27001 control text and our company context, and watch it generate a solid first draft of information security policies and procedures. You'll spend your time reviewing and refining, not staring at a blank page. This is a game-changer for documentation.
- Tool: Management Review Summarisation
- Benefit: Got a mountain of ISMS performance data (incidents, CAPA status, risk scores)? Let AI condense it all into a concise executive summary and key talking points for your mandatory Management Review Meeting. You'll walk into that meeting prepared and confident, saving hours of manual report writing.
- Weekly time savings potential: 15-25 hours per month
- Typical tool investment: Access to 5+ AI tools and platforms
Competency Requirements
Foundation Skills (Transferable)
These are the bedrock skills that let you do your job effectively, no matter the specific task. We're looking for someone who can communicate clearly, solve problems methodically, and stay organised amidst the chaos.
- Category: Communication & Collaboration
- Skills: Clear Written Communication: You'll be drafting and reviewing policies, procedures, and audit reports. It needs to be unambiguous, easy to understand, and grammatically sound. No room for confusion when it comes to compliance.
- Verbal Explanations: You'll often need to explain 'why' a control is important to non-technical colleagues. Being able to break down complex security concepts into simple, business-relevant language is key.
- Active Listening: When someone explains a process or a problem, you need to genuinely listen to understand their perspective, not just wait for your turn to speak. This helps in gathering accurate evidence and identifying root causes.
- Diplomacy & Persuasion: As we've said, you'll be chasing people. You need to be able to influence others to prioritise your requests without alienating them. It's a fine art, but essential.
- Category: Problem-Solving & Critical Thinking
- Skills: Root Cause Analysis: When a non-conformity is found, you won't just look at the symptom. You'll dig deeper to understand *why* it happened, which is crucial for effective corrective actions.
- Issue Identification: You'll need to spot potential compliance gaps or inconsistencies in documentation or processes before they become problems. This means thinking critically about what you're seeing.
- Practical Solution Orientation: While you'll escalate big problems, for routine issues, you're expected to propose practical, workable solutions that fit our business context.
- Category: Organisation & Time Management
- Skills: Prioritisation: You'll often have multiple evidence requests, document reviews, and CAPAs on your plate. You need to be able to figure out what's most important and tackle that first.
- Systematic Approach: Building and maintaining an ISMS is all about systems. You need to be able to apply a structured, methodical approach to your work, keeping everything in its right place.
- Attention to Detail (again!): This isn't just a personality trait; it's a skill. It means meticulously checking documents, cross-referencing information, and spotting the small things that others miss.
- Category: Adaptability & Learning Agility
- Skills: Learning New Standards: ISO 27001 gets updated, and other standards might become relevant. You need to be able to quickly pick up and understand new requirements.
- Responding to Change: Business priorities shift, and so might the focus of an audit. You need to be able to adjust your plans and adapt to new information without getting flustered.
- Feedback Integration: You'll get feedback on your work, especially during reviews. Being able to take that on board and apply it to improve your performance is crucial.
Functional Skills (Role-Specific Technical)
These are the specific skills and tools you'll use day-in, day-out to manage our ISO 27001 compliance. It's about knowing the standard inside out and being able to apply it practically.
Technical Competencies
- Skill: ISO 27001/27002 Framework Implementation
- Desc: You'll need a solid understanding of the ISO 27001 clauses (4-10) and the Annex A controls, including the key differences between the 2013 and 2022 versions. This isn't just theoretical; it's about knowing how to apply these in practice.
- Level: Intermediate
- Skill: Risk Assessment & Treatment Methodologies
- Desc: You'll be working with our Risk Register, so you need a practical grasp of how we identify, analyse, and evaluate information security risks. You'll help ensure our Risk Treatment Plan (RTP) is up-to-date.
- Level: Intermediate
- Skill: Internal Auditing & Evidence Management
- Desc: You'll support internal audits, which means knowing how to gather and organise objective evidence. You'll need to understand what auditors are looking for and how to present it clearly.
- Level: Intermediate
- Skill: Statement of Applicability (SoA) Development & Maintenance
- Desc: You'll help maintain our SoA, which means understanding why each Annex A control is included or excluded. You'll need to ensure the rationale is clear and defensible.
- Level: Intermediate
- Skill: Corrective Action & Preventive Action (CAPA) Management
- Desc: You'll be driving the CAPA process, so you need to understand how to track non-conformities, ensure corrective actions are implemented, and verify their effectiveness.
- Level: Intermediate
- Skill: Management Review Facilitation Support
- Desc: You'll help prepare the materials for our formal Management Review Meetings, which means knowing what inputs are required and how to summarise performance data for senior leadership.
- Level: Basic
Digital Tools
- Tool: ServiceNow GRC / OneTrust / LogicGate / Archer (GRC Platform)
- Level: Intermediate
- Usage: You'll be regularly entering data, running pre-built reports, tracking findings, and uploading evidence. You'll need to be comfortable navigating the platform and using its core features for day-to-day ISMS management.
- Tool: Confluence / SharePoint Online (Documentation & Collaboration)
- Level: Advanced
- Usage: You'll be creating and editing pages, managing permissions, and using templates for policies and procedures. You'll be the go-to person for ensuring our ISMS documentation is organised and accessible.
- Tool: Jira / Asana (Task & Project Management)
- Level: Intermediate
- Usage: You'll be updating tickets for audit findings, tracking your personal tasks, and following established workflows for CAPA processes. You'll need to be comfortable managing your workload and collaborating through these tools.
- Tool: Nessus / Qualys / Splunk / Microsoft Sentinel (Evidence Collection)
- Level: Basic
- Usage: You'll be pulling and formatting pre-defined reports from these systems as evidence for specific controls (e.g., vulnerability scans, access logs). You won't be configuring them, but you'll know how to get the data you need.
- Tool: Excel / PowerPoint / Word (Office Suite)
- Level: Advanced
- Usage: You'll be managing complex spreadsheets (like the Risk Register or SoA) using functions like VLOOKUP/XLOOKUP, PivotTables, and conditional formatting. You'll also create clear, compelling reports and presentations for internal updates and management reviews.
Industry Knowledge
- Area: Information Security Principles
- Desc: A foundational understanding of core info security concepts like confidentiality, integrity, and availability (CIA triad), common threats, and basic security controls.
- Area: Compliance Frameworks
- Desc: While ISO 27001 is key, a general awareness of other compliance frameworks (e.g., GDPR, SOC 2) will be helpful, as our clients often operate under multiple regulations.
- Area: IT Operations Basics
- Desc: You don't need to be an IT engineer, but understanding basic IT concepts like network architecture, server management, and user access controls will help you communicate effectively with technical teams.
Regulatory Compliance Regulations
- Reg: ISO/IEC 27001:2022 (Information Security Management)
- Usage: You'll be applying the principles and controls of this standard daily to maintain our ISMS, manage documentation, and support audit readiness. This is the core of your job.
- Reg: ISO/IEC 27002:2022 (Information Security Controls)
- Usage: You'll use ISO 27002 as a guide for implementing the specific Annex A controls, understanding the best practices for each control objective.
- Reg: General Data Protection Regulation (GDPR)
- Usage: While not your primary focus, you'll need to understand how our ISO 27001 controls support our GDPR compliance, especially regarding data protection and privacy.
Essential Prerequisites
- At least 2 years of experience in an information security, compliance, or quality management role, ideally with some exposure to ISO 27001.
- Proven ability to manage and organise complex documentation sets, with a keen eye for detail.
- Experience using GRC platforms, task management tools (like Jira), and strong proficiency in Microsoft Office Suite (especially Excel and Word).
- A track record of successfully working with different teams to gather information or complete tasks, even when it requires a bit of polite persistence.
- A genuine interest in information security and a desire to help an organisation maintain high standards.
Career Pathway Context
Think of these as the fundamental tools you need in your belt before you even walk through the door. We're not expecting you to be an expert in everything, but you should have a solid foundation to build upon. If you've got these, you're in a great starting position to really grow in this role.
Qualifications & Credentials
Emerging Foundation Skills
- Skill: Prompt Engineering for Compliance
- Why: AI tools, particularly Large Language Models (LLMs), are becoming incredibly good at drafting text, summarising data, and even generating code. Learning how to 'talk' to these AIs effectively will dramatically speed up your documentation and reporting tasks. Frankly, those who master this will be far more productive.
- Concepts: Clear and concise prompting for specific outputs (e.g., 'Draft a policy for X based on ISO 27001 Annex A.12.1.2')
- Context windows and providing relevant background information to the AI
- Iterative prompting to refine outputs and get exactly what you need
- Understanding AI limitations and 'hallucinations', knowing when to trust and when to verify
- Prepare: This week: Start using ChatGPT or Claude to draft email summaries or simple policy sections. Just play with it.
- This month: Experiment with generating first drafts of a new procedure based on an ISO control, then compare it to a human-written one.
- Month 2: Try using AI to summarise a long audit report or a complex technical document into key bullet points.
- Month 3: Document how much time you're saving and share your best prompts with your team.
- QuickWin: Use AI to summarise long emails or meeting notes. It's an immediate time-saver and helps you get comfortable with the tech.
Advancing Technical Skills
- Skill: Advanced GRC Platform Configuration & Reporting
- Why: As you get more comfortable, you'll want to move beyond just running pre-built reports. Being able to configure custom dashboards, build more complex workflows for CAPAs, or even suggest minor system improvements will make your job (and everyone else's) much easier. We want you to help us get the most from our tools.
- Concepts: Understanding data models within the GRC platform (e.g., how risks link to controls, how findings link to CAPAs)
- Designing custom reports and dashboards to track specific metrics for management reviews or audits
- Basic workflow automation within the GRC tool (e.g., automatic notifications for overdue tasks)
- User access management and role-based permissions within the platform
- Prepare: This week: Explore all the reporting features in our GRC platform. What can it already do that you're not using?
- This month: Work with a senior team member to build one custom report that addresses a specific need.
- Month 2: Suggest one small improvement to a workflow in the GRC platform and work with IT to implement it.
- Month 3: Take an online course or tutorial specifically on advanced reporting within our GRC tool.
- QuickWin: Identify one piece of data you currently track manually and figure out if you can pull it directly from the GRC platform with a custom report.
- Skill: Data Extraction & Basic Scripting for Evidence
- Why: While AI can help, sometimes you'll need to get your hands dirty with data. Learning basic scripting (even just simple Excel macros or Python for data manipulation) will let you pull, clean, and format evidence much faster than manual methods. This is about making 'chasing evidence' less painful.
- Concepts:
  - Basic data manipulation in Excel (e.g., text-to-columns, concatenation, conditional formatting for large datasets)
  - Understanding how to export data from various systems (e.g., HRIS, IT asset management) into a usable format
  - Introduction to Python for simple data parsing and formatting (e.g., reading a CSV, filtering rows, writing to a new file)
  - Developing repeatable processes for evidence collection that minimise manual effort
- Prepare: This week: Identify one recurring evidence request that involves manual data formatting. How could you automate part of it?
- This month: Learn a new Excel function (like INDEX/MATCH) or build a simple macro to automate a repetitive task.
- Month 2: Take an introductory online course on Python for data analysis (e.g., Codecademy, DataCamp).
- Month 3: Write a small script to pull and format a piece of evidence that used to take you an hour, reducing it to minutes.
- QuickWin: Find one Excel spreadsheet you use regularly and add a new formula or conditional formatting rule that saves you five minutes each time.
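As an added illustration of the Python concept above (read a CSV, filter rows, write a new file), not part of the original description: a script that reconciles a constructed HRIS leavers export against a constructed IT accounts export and writes out any leaver whose account was not disabled within the agreed SLA, which is the kind of repeatable leaver-control evidence check this role chases. The column names, the one-day SLA and all sample rows are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports (hypothetical HRIS leavers report and IT directory extract).
HR_LEAVERS_CSV = """employee_id,name,leave_date
E001,Ada Example,2024-03-01
E002,Ben Sample,2024-03-10
E003,Cal Placeholder,2024-03-15
"""
IT_ACCOUNTS_CSV = """employee_id,username,status,disabled_date
E001,aexample,disabled,2024-03-01
E002,bsample,active,
E003,cplaceholder,disabled,2024-03-20
E004,dstaff,active,
"""
FIELDS = ["employee_id", "username", "leave_date", "reason"]

def parse_csv(text):
    """Read a CSV export into row dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def leaver_exceptions(hr_csv, it_csv, sla_days=1):
    """Return leavers whose account was not disabled within sla_days of leaving,
    each with a reason so the row can be attached directly to a CAPA."""
    accounts = {row["employee_id"]: row for row in parse_csv(it_csv)}
    exceptions = []
    for leaver in parse_csv(hr_csv):
        acct = accounts.get(leaver["employee_id"])
        if acct is None:
            continue  # no IT account on record, so nothing to disable
        deadline = date.fromisoformat(leaver["leave_date"]) + timedelta(days=sla_days)
        if acct["status"] != "disabled":
            reason = "account still active"
        else:
            late_by = (date.fromisoformat(acct["disabled_date"]) - deadline).days
            if late_by <= 0:
                continue  # disabled within the SLA: compliant, not evidence of a gap
            reason = f"disabled {late_by} day(s) after SLA"
        exceptions.append({"employee_id": leaver["employee_id"], "username": acct["username"],
                           "leave_date": leaver["leave_date"], "reason": reason})
    return exceptions

def write_evidence(exceptions, path):
    """Write the exceptions to a new CSV file for the audit evidence folder."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(exceptions)
    return path
```

Swap the two constants for real exports and the output file is the evidence record, with the compliant leavers already filtered out.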
Future Skills Closing Note
The goal here isn't to turn you into a developer or a data scientist. It's about giving you the tools and knowledge to make your compliance work more efficient, more accurate, and frankly, more interesting. We want you to be the one who brings new ideas to the table about how we can work smarter.
Education Requirements
- Level: Minimum
- Req: A-Levels (or equivalent) in relevant subjects such as Business Studies, IT, or Administration.
- Alts: We're flexible here. If you've got a strong vocational qualification (e.g., BTEC Level 3/4) in a related field, or demonstrable professional experience that shows you can do the job, we're very happy to consider that too. Experience often trumps formal qualifications.
- Level: Preferred
- Req: A Bachelor's degree (or equivalent) in Information Security, Computer Science, Business Administration, or a related field.
- Alts: Again, if you've got a relevant professional certification (like ISO 27001 Lead Implementer/Auditor) and solid experience, that could easily be just as good, if not better, than a degree. We value practical knowledge.
Experience Requirements
You'll need roughly 2-5 years of experience in an administrative, compliance support, or information security role. This isn't an entry-level position where you're learning everything from scratch. We'd expect you to have spent time in a professional environment, ideally in a regulated industry, where you've had to follow processes, manage documentation, and interact with different departments. Experience with an ISMS or similar management system would be a real bonus.
Preferred Certifications
- Cert: ISO 27001 Foundation Certificate
- Prod: Various accredited bodies (e.g., BSI, PECB, APMG)
- Usage: This shows you've got a solid grasp of the basics of the ISO 27001 standard, which is absolutely central to this role. It means less ramp-up time for us.
- Cert: ISO 27001 Internal Auditor Certificate
- Prod: Various accredited bodies
- Usage: Having this tells us you understand the audit process from the inside, which is incredibly helpful for preparing for external audits and managing evidence. It means you can think like an auditor.
- Cert: CompTIA Security+
- Prod: CompTIA
- Usage: This certification demonstrates a good foundational knowledge of general information security concepts, which will help you understand the 'why' behind many of the ISO controls.
Recommended Activities
- Attending webinars or online courses on new versions of ISO 27001 or related standards.
- Joining professional compliance or information security communities (e.g., ISACA, (ISC)² local chapters) to network and learn from peers.
- Reading industry publications and blogs to stay up-to-date on emerging threats and best practices.
- Taking advantage of internal training opportunities on our GRC platforms or other relevant tools.
Career Progression Pathways
Entry Paths to This Role
- Path: Junior ISO 27001 Coordinator / Administrator
- Time: 1-2 years
- Path: IT Support / Operations with Security Focus
- Time: 2-3 years
- Path: General Administrative Role in a Regulated Industry
- Time: 3-4 years
Career Progression From This Role
- Pathway: Senior International ISO 27001 Analyst (Level 003)
- Time: 2-3 years from this role
Long Term Vision Potential Roles
- Title: Lead ISO 27001 Specialist (Level 004)
- Time: 5-8 years
- Title: ISMS Program Manager (Level 005)
- Time: 8-12 years
- Title: Director, Information Security Compliance (Level 006)
- Time: 12-16 years
Sector Mobility
The skills you'll gain in this role—understanding of information security, risk management, audit processes, and GRC tools—are highly transferable. You could move into broader compliance roles, risk management, internal audit, or even specialise further within information security across almost any industry, from finance to tech to healthcare. ISO 27001 is a globally recognised standard, so your expertise will be in demand.
How Zavmo Delivers This Role's Development
DISCOVER Phase: Skills Gap Analysis
Zavmo maps your current competencies against all requirements in this job description through conversational assessment. We evaluate your foundation skills (communication, strategic thinking), functional skills (CRM expertise, negotiation), and readiness for career progression.
Output: Personalised skills gap heat map showing strengths and priorities, estimated time to competency, neurodiversity accommodations.
DISCUSS Phase: Personalised Learning Pathway
Based on your DISCOVER results, Zavmo creates a personalised learning plan prioritised by impact: foundation skills first, then functional skills. We adapt to your learning style, pace, and neurodiversity needs (ADHD, dyslexia, autism).
Output: Week-by-week schedule, each module linked to specific job responsibilities, checkpoints and milestones.
DELIVER Phase: Conversational Learning
Learn through conversation, not boring modules. Zavmo uses 10 conversation types (Socratic dialogue, role-play, coaching, case studies) to build competence. Practice difficult QBR presentations, negotiate tough renewals, and handle churn conversations in a safe AI environment before facing real clients.
Example: "For 'Stakeholder Mapping', Zavmo will guide you through analysing a complex enterprise account, identifying key decision-makers, and building an engagement strategy."
DEMONSTRATE Phase: Competency Assessment
Zavmo automatically builds your evidence portfolio as you learn. Every conversation, practice scenario, and application example is captured and mapped to NOS performance criteria. When ready, your portfolio supports OFQUAL qualification claims and demonstrates competence to employers.
Output: Competency matrix, evidence portfolio (downloadable), qualification readiness, career progression score.