Principal/Manager (12-16 years)

International ISO 27001 Information Security Director Manager

This isn't just about ticking boxes; it's about leading a team that truly builds and maintains a robust information security management system (ISMS) across our international operations. You'll be the one setting the strategic direction for ISO 27001 compliance within a significant part of our business, making sure we're not just compliant, but genuinely secure. Think of yourself as the chief architect and builder of our security posture for your assigned business unit or region.

Job ID: JD-CQHS-MGRISec-005
Department: Compliance Quality Health Safety
NOS Level: Level 7-8 (Strategic Management)
OFQUAL Level: Level 7-8
Experience: Principal/Manager (12-16 years)

Role Purpose & Context

Role Summary

The International ISO 27001 Information Security Director Manager is here to own and drive our ISO 27001 compliance strategy and operations for a major business unit or geographical region. You'll lead a team of security professionals, making sure our Information Security Management System (ISMS) isn't just certified, but actually works, protecting our data and systems globally. This role sits right at the heart of our risk management efforts, translating complex security requirements into practical, business-aligned solutions. When you do this well, we'll maintain our international certifications with zero major non-conformities, our enterprise risk score will drop, and our business units will trust security as a partner, not a blocker. If it's not done right, we're looking at failed audits, potential regulatory fines, reputational damage, and, frankly, a lot of sleepless nights. The challenge? Balancing strict compliance with the fast pace of business, often with legacy systems and diverse international requirements. The reward? Knowing you're directly responsible for protecting our entire organisation from significant threats, building a high-performing team, and shaping our global security culture.

Reporting Structure

Key Stakeholders

Internal:

External:

Organisational Impact

Scope: This role directly shapes the information security posture and compliance standing of a significant portion of our global operations. You'll be accountable for maintaining critical certifications, reducing enterprise-level risks, and building a security-aware culture that protects our assets, reputation, and customer trust. Honestly, your decisions here can directly affect our ability to operate in certain markets and win major client contracts.

Performance Metrics

Quantitative Metrics

Metric: ISO 27001 Certification Status
Desc: Achieving and maintaining ISO 27001 certification across all designated international scopes with minimal issues.
Target: Zero Major Non-conformities annually; fewer than 3 Minor Non-conformities per audit cycle.
Freq: Annually (during external audits) and continuously (via internal audits).
Example: Successfully passed the annual ISO 27001 surveillance audit for the EMEA region with no Major NCs and only one Minor NC, which was remediated within 30 days.

Metric: Enterprise Risk Reduction Score
Desc: The measurable reduction in our overall information security risk score for your business unit/region, as defined by our internal risk framework.
Target: 10% reduction in overall enterprise risk score year-over-year.
Freq: Quarterly (via risk register reviews) and Annually (formal assessment).
Example: Reduced the aggregate risk score for the APAC business unit by 12% in Q4 by implementing new cloud security controls and improving third-party risk management.

Metric: Security Budget Adherence
Desc: Managing the allocated security budget effectively, ensuring critical initiatives are funded without overspending.
Target: Within ±5% of the approved annual budget for your functional area.
Freq: Monthly (budget review) and Quarterly (forecasts).
Example: Managed the security operations budget of £1.2M for the year, coming in at £1.18M, while delivering all key security projects on time.

Metric: Control Effectiveness & Maturity
Desc: The measured effectiveness and maturity of key security controls within your scope, often assessed against frameworks like NIST CSF or CIS Controls.
Target: Increase average control maturity score by 0.5 points (on a 1-5 scale) annually.
Freq: Bi-annually (internal assessments) and Annually (external audits).
Example: Improved the maturity of our incident response control by one level, from 'Managed' to 'Defined' on the 1-5 scale, by implementing a new SOAR platform and conducting regular tabletop exercises.

Qualitative Metrics

Metric: Executive & Stakeholder Trust
Desc: How much confidence senior leadership and business unit heads have in your team's ability to manage information security risks and support business objectives.
Evidence: You'll know you're doing well when senior leaders proactively involve you in strategic planning discussions, seek your counsel on new business initiatives, and openly support your security recommendations. They won't just see you as a 'no' person, but as a trusted advisor. This also means receiving positive feedback from internal audit and external certification bodies on your programme's robustness.

Metric: Team Leadership & Development
Desc: Your ability to build, mentor, and retain a high-performing team of security professionals, fostering a culture of continuous improvement and accountability.
Evidence: This looks like low team turnover, positive feedback in 360-degree reviews, and a clear progression path for your direct reports. You'll see your team members taking on more responsibility, growing their skills, and contributing innovative ideas. Frankly, they'll be proud to work for you, and that's a huge indicator of success.

Metric: Proactive Risk Identification & Mitigation
Desc: Your team's ability to identify emerging security risks before they become incidents and implement effective mitigation strategies.
Evidence: We'll see this in your regular risk committee reports, where you're not just reacting to issues but presenting forward-looking threat intelligence and proposing preventative measures. It also means fewer surprises: no 'shadow IT' popping up that you weren't aware of, and a clear understanding of our threat landscape. You're anticipating problems, not just fixing them.

Metric: Cross-Functional Collaboration & Influence
Desc: How effectively you work with other departments (e.g., Product, Engineering, Legal) to embed security into their processes and gain their buy-in.
Evidence: Success here means security requirements are integrated early into product development cycles, engineering teams see security as a shared responsibility, and legal teams involve you in contract negotiations. You're not just sending out policies; you're building relationships that make security a natural part of everyone's job. This is about being seen as an enabler, not just a gatekeeper.

Primary Traits

Supporting Traits

Primary Motivators

Motivator: Driving Organisational Impact
Daily: You'll get a real kick out of seeing your team's work directly protect the company, whether it's preventing a breach, securing a new client contract because of our strong compliance, or improving our overall risk posture. You're motivated by tangible results that safeguard the business.

Motivator: Building & Mentoring High-Performing Teams
Daily: You enjoy developing people, seeing your team members grow, and creating a collaborative environment where everyone feels empowered to contribute to security. You'll spend significant time coaching, guiding, and removing roadblocks for your managers and individual contributors.

Motivator: Solving Complex, Multi-faceted Problems
Daily: You're energised by the challenge of figuring out how to secure a new, complex cloud architecture, or how to harmonise security controls across multiple international entities with different regulatory landscapes. These aren't simple problems, and that's precisely what excites you.

Potential Demotivators

Honestly, this isn't a role for someone who needs constant, immediate gratification or who struggles with ambiguity. You'll spend a fair bit of time in meetings, often discussing things that feel abstract until a crisis hits. You'll inherit legacy systems that are a nightmare to secure and even harder to get budget to fix. You'll also have to deal with the 'GRC Tax' – the constant operational overhead of compliance and evidence-gathering that can feel like it's taking away from 'real' security work. If you need to see every piece of work make it to production or get a clear 'win' every week, you'll struggle here.

Common Frustrations

  1. The 'Security vs. Speed' Battle: Constantly negotiating with Product and Engineering teams who see security controls as a bottleneck to innovation and feature delivery, rather than an enabler.
  2. Budgeting for a 'Non-Event': Trying to secure a seven-figure budget to prevent something (a breach) that hasn't happened yet, making ROI calculations feel abstract and hard to justify to the CFO.
  3. Shadow IT Liability: Being held responsible for securing applications and data stores that you only discover after they've been deployed by business units without your knowledge, creating massive blind spots.
  4. Translating Technical Risk to Business Impact: The constant challenge of explaining why a 'CVSS 9.8 vulnerability in a Log4j library' is a business-critical threat to an executive who just wants to know if the quarterly numbers are at risk.
  5. Audit Fatigue: Your team (and other business units) will experience exhaustion from a constant stream of audits from clients, regulators, and internal teams, often asking for the same evidence in slightly different formats.

What Role Doesn't Offer

  1. A purely technical, hands-on coding role – you'll be leading and strategising more than doing deep technical work.
  2. A 'set it and forget it' environment – security is constantly evolving, and so will your programme.
  3. An escape from bureaucracy – managing compliance at this scale involves a fair amount of process and documentation.
  4. Freedom from difficult conversations – you'll often be the bearer of bad news or the enforcer of unpopular policies.

ADHD Positives

  1. The fast-paced, crisis-driven nature of security can be highly engaging, providing the novelty and urgency that can help with focus.
  2. The need for innovative problem-solving and 'thinking outside the box' (in a good way!) to address complex security challenges can be a strength.
  3. Leading multiple workstreams and managing diverse projects can provide variety and prevent boredom, which is often helpful.

ADHD Challenges and Accommodations

  1. The extensive documentation, policy writing, and meticulous audit evidence collection might be challenging; we can support with tools for structured note-taking and dedicated time blocks for deep work.
  2. Maintaining focus during long, strategic meetings can be tough; we encourage short breaks, active participation, and providing agendas with clear objectives beforehand.
  3. Managing a large team requires consistent follow-ups and administrative tasks; we can offer executive assistant support for scheduling and task tracking, and encourage the use of project management tools.

Dyslexia Positives

  1. Strong conceptual thinking and ability to see the 'big picture' of security architecture and risk management, often a strength for dyslexic individuals.
  2. Excellent verbal communication skills, especially in explaining complex security concepts to non-technical stakeholders, can shine.
  3. Problem-solving through creative and non-linear approaches is highly valued in incident response and strategic planning.

Dyslexia Challenges and Accommodations

  1. Extensive reading and writing of policies, reports, and audit responses can be demanding; we use screen readers, dictation software, and offer proofreading support for critical documents.
  2. Attention to detail in written documentation (e.g., SoA, risk registers) is crucial; we encourage the use of grammar and spell-checking tools and provide templates with clear structures.
  3. Presentations to the board require clear, concise written materials; we can provide design support and focus on visual aids to complement verbal delivery.

Autism Positives

  1. A deep, focused expertise in ISO 27001, security frameworks, and technical controls can be a significant asset, leading to unparalleled mastery.
  2. A preference for logical, structured processes and adherence to standards (like ISO 27001) is a natural fit for compliance management.
  3. Direct, honest communication, especially in conveying security risks, can be highly effective with senior leadership when framed appropriately.

Autism Challenges and Accommodations

  1. Navigating complex organisational politics and unspoken social cues in stakeholder negotiations can be tricky; we offer mentoring on navigating corporate dynamics and clear communication guidelines.
  2. The need for adaptability in a constantly evolving threat landscape and shifting priorities might be challenging; we provide clear strategic direction and structured frameworks for decision-making.
  3. Extensive networking and informal social interactions can be draining; we support focused, agenda-driven meetings and provide quiet spaces for concentration.

Sensory Considerations

Our main office environment is typically a modern, open-plan space, which can sometimes be bustling. However, we also offer dedicated quiet zones, focus rooms, and the flexibility for hybrid working (typically 2-3 days in the office, the rest remote) to manage sensory input. Social interactions are a core part of this leadership role, but we aim for purposeful, structured engagement over constant informal chatter. We're happy to discuss specific needs to ensure a comfortable and productive environment.

Flexibility Notes

We believe in output over presence. While this is a leadership role requiring significant collaboration, we offer flexibility around working hours and location where possible, especially for focused work like documentation or strategic planning. We're open to discussing what works best to help you thrive.

Key Responsibilities

Experience Levels Responsibilities

Level: Principal/Manager (12-16 years)

Responsibilities:

  1. Set the strategic vision and roadmap for ISO 27001 compliance and information security for a major business unit or geographical region. This isn't just about maintaining; it's about evolving and improving our posture.
  2. Own the P&L (profit and loss) for your security function, typically managing a budget between £500K and £2M. You'll justify investments, manage costs, and ensure efficient use of resources.
  3. Build, lead, and mentor a high-performing team of 10-25 security professionals, including other managers. This means hiring, developing talent, setting clear objectives, and fostering a culture of accountability and continuous improvement.
  4. Define and manage the enterprise information security risk register for your scope, translating technical risks into clear business impacts for executive peers and the Director, International Information Security.
  5. Lead all engagements with external ISO 27001 certification bodies and regulatory auditors. You'll be the primary point of contact, defending our ISMS and negotiating findings.
  6. Drive the adoption of security best practices and controls across relevant business functions, often requiring significant influence and collaboration with Product, Engineering, and Legal teams.
  7. Make strategic decisions on security tooling, architecture, and control implementation within your domain, ensuring alignment with global security strategy and business needs.
  8. Develop and test comprehensive Business Continuity and Disaster Recovery (BCDR) plans, ensuring the business unit can recover from significant disruptive incidents.

Supervision: You'll operate with a high degree of autonomy, setting your own priorities and managing your team's workload. Your supervision will primarily involve quarterly objective setting and strategic alignment discussions with the Director, International Information Security. You're expected to be self-directed and proactive.

Decision: You'll have full authority for your functional area, including: budget allocation up to £2M, hiring and firing decisions for your team, organisational design within your function, and vendor selection up to £100K. Strategic decisions impacting other departments or requiring significant capital expenditure will need alignment with executive peers or the Director, International Information Security. Board-level decisions require CEO alignment.

Success: Success looks like maintaining ISO 27001 certification with zero Major Non-conformities, demonstrably reducing the enterprise risk score for your business unit, and building a highly effective, engaged security team. You'll be seen as a trusted strategic partner by business unit leadership, not just a compliance enforcer. Ultimately, it's about protecting the business and enabling growth securely.

Decision-Making Authority

Save 15-25 hours weekly with AI-powered security management

Let's be real, managing international ISO 27001 compliance and a large security team is demanding. There's a mountain of documentation, endless audit requests, and constant risk assessments. But what if you could offload some of that heavy lifting to AI, freeing your team (and yourself) to focus on strategic, high-impact work? That's exactly what we're doing here.

Tool: Audit Evidence Automation

Benefit: Imagine AI-powered GRC platforms automatically collecting evidence from your cloud services (AWS, Azure, GCP) and SaaS tools, then mapping it directly to ISO 27001 controls. It means your team spends less time on manual screenshotting and report pulling, and more time validating and strategising. This isn't science fiction; it's happening now.
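
As an added example (not the page's own tooling or any vendor's product), the Python below shows the shape of an evidence-automation pipeline once the cloud API calls are taken out: evaluate a point-in-time account snapshot against checks mapped to ISO 27001:2022 Annex A controls, then seal each evidence record with its source, timestamp and a digest so that what reaches the auditor is traceably what was collected. The snapshot is constructed data, the Annex A references are an illustrative mapping (your Statement of Applicability governs which controls apply and how), and the 365-day log retention threshold is an assumed internal standard.

```python
"""Evidence collection mapped to ISO 27001:2022 Annex A controls (added example).

Constructed snapshot, illustrative control mapping; the SoA is the authority.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List

# Constructed snapshot of one cloud account, shaped like a cloud API response.
SNAPSHOT = {
    "account": "prod-eu-west-1",
    "collected_at": "2024-05-01T06:00:00Z",
    "iam_users": [
        {"name": "alice", "console_access": True, "mfa_enabled": True},
        {"name": "bob", "console_access": True, "mfa_enabled": False},
        {"name": "svc-deploy", "console_access": False, "mfa_enabled": False},
    ],
    "storage_buckets": [
        {"name": "customer-exports", "encrypted_at_rest": True, "public": False},
        {"name": "marketing-assets", "encrypted_at_rest": False, "public": True},
    ],
    "audit_logging": {"enabled": True, "immutable": True, "retention_days": 400},
}

MIN_LOG_RETENTION_DAYS = 365  # assumed internal standard, not from the page


@dataclass
class Evidence:
    control: str       # Annex A reference (illustrative mapping)
    check: str         # what was tested
    passed: bool
    detail: str        # auditor-readable result
    source: str        # account the evidence came from
    collected_at: str  # snapshot time: evidence is point-in-time
    sha256: str = ""   # digest of the fields above; edits after sealing are detectable

    def _canonical(self) -> bytes:
        body = asdict(self)
        body.pop("sha256")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")

    def seal(self) -> "Evidence":
        self.sha256 = hashlib.sha256(self._canonical()).hexdigest()
        return self


def verify_seal(e: Evidence) -> bool:
    """Recompute the digest; False means the record changed after collection."""
    return hashlib.sha256(e._canonical()).hexdigest() == e.sha256


def _evidence(snap: dict, control: str, check: str, failures: List[str], ok_msg: str) -> Evidence:
    detail = ok_msg if not failures else "failing: " + ", ".join(sorted(failures))
    return Evidence(control, check, not failures, detail, snap["account"], snap["collected_at"])


def check_console_mfa(snap: dict) -> Evidence:
    """A.8.5 Secure authentication: every human console user has MFA."""
    missing = [u["name"] for u in snap["iam_users"] if u["console_access"] and not u["mfa_enabled"]]
    return _evidence(snap, "A.8.5", "console users have MFA", missing, "all console users have MFA")


def check_bucket_encryption(snap: dict) -> Evidence:
    """A.8.24 Use of cryptography: storage is encrypted at rest."""
    plain = [b["name"] for b in snap["storage_buckets"] if not b["encrypted_at_rest"]]
    return _evidence(snap, "A.8.24", "buckets encrypted at rest", plain, "all buckets encrypted at rest")


def check_public_buckets(snap: dict) -> Evidence:
    """A.5.15 Access control: no storage is publicly readable."""
    public = [b["name"] for b in snap["storage_buckets"] if b["public"]]
    return _evidence(snap, "A.5.15", "no public buckets", public, "no public buckets")


def check_audit_logging(snap: dict) -> Evidence:
    """A.8.15 Logging: immutable audit trail retained at least MIN_LOG_RETENTION_DAYS."""
    log = snap["audit_logging"]
    problems = []
    if not log["enabled"]:
        problems.append("logging disabled")
    if not log["immutable"]:
        problems.append("log store mutable")
    if log["retention_days"] < MIN_LOG_RETENTION_DAYS:
        problems.append(f"retention {log['retention_days']}d < {MIN_LOG_RETENTION_DAYS}d")
    return _evidence(snap, "A.8.15", "immutable audit logging with retention", problems,
                     f"enabled, immutable, retained {log['retention_days']}d")


CHECKS: List[Callable[[dict], Evidence]] = [
    check_console_mfa, check_bucket_encryption, check_public_buckets, check_audit_logging,
]


def collect_evidence(snap: dict) -> List[Evidence]:
    """Run every check against the snapshot and seal each record."""
    return [check(snap).seal() for check in CHECKS]


def control_status(evidence: List[Evidence]) -> Dict[str, bool]:
    """A control passes only if every check mapped to it passes."""
    status: Dict[str, bool] = {}
    for e in evidence:
        status[e.control] = status.get(e.control, True) and e.passed
    return status


if __name__ == "__main__":
    records = collect_evidence(SNAPSHOT)
    for e in records:
        print(f"{e.control:<7}{'PASS' if e.passed else 'FAIL'}  {e.check}: {e.detail}")
    print(control_status(records))
```

Two design points matter more than the checks themselves. First, every record carries the account and collection time, because automated evidence is only valid for the moment it was taken and an auditor will ask when the screenshot (or its machine-readable equivalent) was produced. Second, the digest means a record edited after collection, whether by a well-meaning analyst or an attacker who wants a failing control to look green, no longer verifies. Real platforms map many checks to many controls; the one-to-one mapping here is a simplification.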

Tool: Predictive Risk Analysis

Benefit: Use AI/ML models within our SIEM or GRC platforms to analyse vast datasets of security events and control failures. This helps identify patterns and predict future high-risk areas before they even become an incident. You'll shift from reactive analysis to proactive strategy, spotting trends that humans might miss in the noise.

Tool: Policy & Procedure Generation

Benefit: Leverage a secure, enterprise-grade Large Language Model (LLM) to generate first drafts of security policies, standards, and procedures based on ISO 27001 requirements and internal best practices. This eliminates the dreaded 'blank page' problem for documentation, allowing your team to focus on refining and customising, not starting from scratch.

Tool: Executive Summary Synthesizer

Benefit: Feed lengthy, technical audit reports or incident post-mortems into an AI tool. It can then generate a concise, non-technical executive summary, highlighting key business impacts, root causes, and strategic recommendations. This massively accelerates your board reporting and ensures your message hits home with senior leadership, without you having to spend hours distilling complex information.

Weekly time savings potential: Roughly 15-25 hours weekly for you and your team combined.
Typical tool investment: We're actively integrating 5-7 core AI-powered tools across our security and compliance stack.

Competency Requirements

Foundation Skills (Transferable)

At this level, we expect you to have a rock-solid foundation in leadership, strategic thinking, and complex problem-solving. These aren't just buzzwords; they're the bedrock of managing a critical international security function.

Functional Skills (Role-Specific Technical)

You'll need deep, demonstrable expertise in information security management systems, risk frameworks, and the practical application of controls. This isn't theoretical; it's about making it work in the real world.

Technical Competencies

Digital Tools

Industry Knowledge

Regulatory Compliance Regulations

Essential Prerequisites

Career Pathway Context

We're looking for someone who has already 'done the hard yards' at the Senior and Lead levels, building and running security programmes. You'll have a clear understanding of what it takes to get an ISO 27001 certification and, more importantly, how to maintain it and make it genuinely effective. This isn't your first rodeo when it comes to managing audits or building a security team.

Qualifications & Credentials

Emerging Foundation Skills

Advancing Technical Skills

Future Skills Closing Note

The reality is, the 'technical' skills at this level are less about hands-on keyboard and more about strategic vision, architectural oversight, and guiding your team. You'll need to understand the capabilities of these emerging technologies to make informed decisions, but your primary job is to direct and govern, not to implement every single one.

Education Requirements

Experience Requirements

You'll need roughly 12-16 years of progressive experience in information security, with a significant portion (at least 5-7 years) in a leadership or management role. This means you've successfully managed teams of 10 or more security professionals, including other managers, and have been directly responsible for the strategic direction and operational performance of an ISO 27001-certified ISMS across a major business unit or region. We're looking for someone who has genuinely owned the outcome, not just contributed to it.

Preferred Certifications

Recommended Activities

Career Progression Pathways

Entry Paths to This Role

Career Progression From This Role

Long Term Vision Potential Roles

Sector Mobility

The skills you'll develop here—international compliance, risk management, executive influence, and team leadership—are highly transferable. You could move into similar senior security or risk leadership roles in almost any industry, particularly those with complex regulatory environments like financial services, healthcare, or technology.

How Zavmo Delivers This Role's Development

DISCOVER Phase: Skills Gap Analysis

Zavmo maps your current competencies against all requirements in this job description through conversational assessment. We evaluate your foundation skills (communication, strategic thinking), functional skills (ISMS governance, risk management, audit leadership), and readiness for career progression.

Output: Personalised skills gap heat map showing strengths and priorities, estimated time to competency, neurodiversity accommodations.

DISCUSS Phase: Personalised Learning Pathway

Based on your DISCOVER results, Zavmo creates a personalised learning plan prioritised by impact: foundation skills first, then functional skills. We adapt to your learning style, pace, and neurodiversity needs (ADHD, dyslexia, autism).

Output: Week-by-week schedule, each module linked to specific job responsibilities, checkpoints and milestones.

DELIVER Phase: Conversational Learning

Learn through conversation, not boring modules. Zavmo uses 10 conversation types (Socratic dialogue, role-play, coaching, case studies) to build competence. Practice defending your ISMS to an external auditor, presenting risk to the board, and negotiating security requirements with Product and Engineering in a safe AI environment before facing real stakeholders.

Example: "For 'Stakeholder Mapping', Zavmo will guide you through analysing a complex international business unit, identifying key decision-makers, and building an engagement strategy."

DEMONSTRATE Phase: Competency Assessment

Zavmo automatically builds your evidence portfolio as you learn. Every conversation, practice scenario, and application example is captured and mapped to NOS performance criteria. When ready, your portfolio supports OFQUAL qualification claims and demonstrates competence to employers.

Output: Competency matrix, evidence portfolio (downloadable), qualification readiness, career progression score.
