International ISO 27001 Information Security Manager

This isn't just about ticking boxes; it's about making sure our information is safe, full stop. You'll be the person who gets into the weeds of our ISO 27001 Information Security Management System (ISMS), making sure it actually works day-to-day. You're not just reading policies; you're helping people live them. It's a hands-on role where you'll own specific controls, making sure we're always ready for an audit, not just scrambling when one's announced.

Job ID: JD-CQHS-ISM-002
Department: Compliance Quality Health Safety
NOS Level:
OFQUAL Level: Level 5-6
Experience: Mid-Level (2-5 years)

Role Purpose & Context

Role Summary

The International ISO 27001 Information Security Manager is here to make sure our information security controls are actually working and that we're ready for audits, always. You'll take ownership of specific parts of our Information Security Management System (ISMS), which means you're responsible for keeping those particular areas compliant and secure. This directly impacts our ability to win new clients, protect our reputation, and avoid hefty fines. Day-to-day, you'll be the one checking that our policies aren't just words on paper, but real actions people take. You'll work closely with various teams, translating complex ISO requirements into practical steps for them. When you do this well, we pass our audits smoothly, our customers trust us more, and our data stays safe. If things go wrong, we could face compliance failures, reputational damage, and even lose business. The tricky part is getting busy people across the business to prioritise security tasks when they have their own deadlines. The reward, though, is knowing you're a key part of keeping the company secure and building a robust, credible security posture that genuinely protects us.

Reporting Structure

Key Stakeholders

Internal:

External:

Organisational Impact

Scope: This role is crucial for maintaining our ISO 27001 certification, which is often a non-negotiable requirement for many of our larger clients. You'll directly contribute to reducing our information security risk, protecting sensitive company and customer data, and upholding our reputation as a trustworthy partner. Get this right, and you help us grow. Get it wrong, and we could lose business or face regulatory action.

Performance Metrics

Quantitative Metrics

  1. Metric: Control Evidence Documentation Accuracy
     Desc: The percentage of control evidence items you're responsible for that are accurately documented and readily available.
     Target: 98%+
     Freq: Monthly, reviewed pre-audit
     Example: If you're responsible for 50 pieces of evidence, you'll need 49 or more to be perfectly in order. A missing screenshot or an outdated log would count against this.
  2. Metric: Assigned Evidence Request Completion Rate
     Desc: The percentage of evidence requests assigned to you that are completed by their internal deadline.
     Target: 100%
     Freq: Weekly, reviewed pre-audit
     Example: If the Senior Manager asks for 10 specific logs by Friday, you'll need to deliver all 10 on time. No excuses, really.
  3. Metric: Low-Priority Finding Closure Time
     Desc: The average time it takes you to close out low-priority non-conformities or observations identified during internal audits.
     Target: < 5 business days
     Freq: Quarterly
     Example: An internal audit finds a minor documentation error. You'd be expected to correct it and get it signed off within five working days, typically.
  4. Metric: Security Awareness Training Completion Rate
     Desc: The percentage of employees completing mandatory security awareness training modules you've helped coordinate.
     Target: 95%+
     Freq: Quarterly
     Example: If 200 employees need to complete a module, you'll aim for at least 190 to have finished it by the deadline. This means chasing people, honestly.

Qualitative Metrics

  1. Metric: Proactive Control Monitoring
     Desc: You're not just reacting to issues; you're actively looking for potential control weaknesses before they become problems.
     Evidence: You'll be bringing up potential issues in team meetings, suggesting improvements to existing controls, and flagging risks that haven't been formally identified yet. It's about spotting the cracks before they become chasms.
  2. Metric: Stakeholder Engagement & Education
     Desc: How effectively you work with other teams to help them understand and implement security requirements, without just dictating to them.
     Evidence: Other department leads will tell your manager that you're helpful and clear, not just a 'compliance cop'. You'll get invited to their team meetings to explain things, and people will come to you with questions before problems arise. It's about being a trusted advisor, not just an enforcer.
  3. Metric: Quality of Audit Preparedness
     Desc: The overall readiness of your assigned control areas for both internal and external audits.
     Evidence: When an auditor asks for evidence in your area, you'll have it ready, organised, and accurate, usually without a last-minute scramble. Your Senior Manager won't need to double-check your work constantly, and you'll be able to confidently speak to your controls during an audit.
  4. Metric: Contribution to ISMS Improvement
     Desc: Your ideas and efforts in making our Information Security Management System better, more efficient, or more robust.
     Evidence: You'll be proposing specific changes to policies or procedures, suggesting new ways to collect evidence, or identifying areas where we can automate some of the more tedious compliance tasks. It's about making things smoother for everyone, not just maintaining the status quo.

Primary Traits

Supporting Traits

Primary Motivators

  1. Motivator: The Satisfaction of Order and Structure
     Daily: You'll enjoy the process of organising evidence, updating registers, and seeing a control move from 'open' to 'closed'. There's a real joy for you in a well-structured document or a clean audit trail.
  2. Motivator: Being a Protector and Enabler
     Daily: You're motivated by the idea that your work genuinely protects the company from cyber threats and compliance failures, allowing the business to operate securely and confidently.
  3. Motivator: Continuous Improvement and Learning
     Daily: You're keen to find better ways of doing things, whether it's optimising an evidence collection process or learning about the latest ISO 27001 updates. You want to make the ISMS better, not just maintain it.

Potential Demotivators

Honestly, this role isn't for everyone. You'll spend a fair bit of time chasing people for things they've forgotten, explaining the same concept multiple times, and dealing with the perception that you're just there to slow things down. If you need constant visible impact or get easily frustrated by bureaucracy, you might struggle here.

Common Frustrations

  1. The 'Compliance Cop' Stereotype: Constantly battling the idea that you're just a bureaucratic obstacle, rather than a partner.
  2. Chasing Evidence: Spending a significant chunk of time reminding busy colleagues to provide evidence for controls they implemented ages ago.
  3. The 'Paper ISMS': Discovering that a beautifully written policy has little connection to what people actually do day-to-day.
  4. Audit Subjectivity: An auditor sometimes focusing on a minor, low-risk issue while overlooking a more significant systemic risk you've been trying to get resources for.
  5. The Annual Panic Cycle: Watching security practices get a bit lax for 11 months, followed by a frantic, high-stress scramble in the month before the surveillance audit.

What Role Doesn't Offer

  1. High-level strategic decision-making (that's more for Senior or Lead roles).
  2. Constant greenfield project work (much of this is about maintaining and improving existing systems).
  3. Direct people management responsibilities (you'll guide, but not manage, others).
  4. A quiet, solitary work environment (you'll be interacting with lots of different people).

ADHD Positives

  1. The varied nature of tasks, from evidence gathering to stakeholder discussions, can keep things interesting and prevent monotony.
  2. The need for quick problem-solving during internal audits can be engaging and stimulating.
  3. The focus on continuous improvement means there are always new challenges to tackle and processes to refine.

ADHD Challenges and Accommodations

  1. The meticulous documentation and repetitive evidence collection can be challenging; using tools with automated reminders and structured templates can help.
  2. Staying focused on long, detailed policy reviews might require breaking tasks into smaller chunks or using focus techniques.
  3. We can offer flexible work arrangements, noise-cancelling headphones, and visual aids for tracking progress to help manage distractions and maintain focus.

Dyslexia Positives

  1. The role requires strong conceptual understanding of security frameworks, which can be a strength for dyslexic thinkers.
  2. Problem-solving and identifying patterns in compliance gaps can be areas where a different perspective shines.
  3. Verbal communication and explaining complex ideas simply are key, and often strengths for dyslexic individuals.

Dyslexia Challenges and Accommodations

  1. Extensive reading and writing of policies, procedures, and audit reports can be demanding; we encourage the use of text-to-speech software and provide templates.
  2. Proofreading detailed documentation is critical; we can support with dedicated proofreading tools or peer review processes.
  3. We offer flexible document formats, ample time for written tasks, and encourage verbal communication where appropriate to minimise barriers.

Autism Positives

  1. The clear, structured nature of ISO 27001 and its processes can be very appealing and provide a sense of predictability.
  2. A strong focus on logic, detail, and adherence to rules is essential, aligning well with autistic strengths.
  3. The ability to dive deep into specific controls and master technical details is highly valued.

Autism Challenges and Accommodations

  1. Navigating complex social dynamics with various stakeholders and managing unexpected changes can be challenging; clear communication protocols and predictable meeting structures help.
  2. Interpreting unwritten social rules or subtle cues during discussions might be difficult; we encourage direct, explicit communication.
  3. We can provide a quiet workspace, clear expectations for social interactions, and allow for written communication over verbal where preferred to support comfort and effectiveness.

Sensory Considerations

Our office environment is typically open-plan, which means there can be moderate background noise and visual activity. However, we do have quiet zones, focus pods, and meeting rooms available for focused work or calls. Most of your time will be spent at your desk, but there will be regular meetings (both in-person and virtual) and interactions with various teams. We're pretty flexible if you need specific adjustments like noise-cancelling headphones or a particular lighting setup.

Flexibility Notes

We're big believers in getting the work done, not just clocking hours. We offer hybrid working, usually 2-3 days in the office, but we can be flexible depending on your needs and project cycles. If you need specific accommodations, let's talk about them – we want you to thrive here.

Key Responsibilities

Experience Levels Responsibilities

Level: Mid-Level Professional (2-5 years)

Responsibilities:

  1. Take ownership of a specific set of Annex A controls (e.g., A.5 Information Security Policies, A.9 Access Control, A.11 Physical Security). This means you're the go-to person for those controls, making sure they're implemented and working.
  2. Independently gather and document evidence for your assigned controls, making sure it's accurate, up-to-date, and readily available for audits. This usually involves chasing people, honestly.
  3. Help conduct internal audits by following established checklists and procedures, identifying minor non-conformities or areas for improvement. You'll be looking for where we're not quite hitting the mark.
  4. Manage the Corrective and Preventive Action (CAPA) process for minor findings, tracking progress and making sure actions are completed on time. This is about fixing things and making sure they don't happen again.
  5. Support the Senior Manager in managing external ISO 27001 audits, which means you'll be presenting evidence for your controls and answering auditor questions directly.
  6. Deliver security awareness training sessions to new starters and existing teams, making sure everyone understands their role in keeping our information secure. You'll need to make it engaging, not just a lecture.
  7. Maintain and update ISMS documentation, like policies, procedures, and the Statement of Applicability (SoA), under the guidance of the Senior Manager. Yes, it's tedious, but absolutely essential.

Supervision: You'll have weekly check-ins with your Senior Manager to discuss progress, challenges, and priorities. For routine tasks, you'll work independently, but for anything new or complex, you'll consult your manager. We trust you to get on with things, but we're always there if you get stuck.

Decision: You can make routine operational decisions within your assigned control areas, like how best to collect a specific piece of evidence or how to track a minor CAPA. Any changes to policies, procedures, or significant deviations from the ISMS require approval from your Senior Manager. You'll recommend solutions for identified issues but won't approve major changes or budget spend.

Success: You'll know you're doing well when your assigned control areas are consistently audit-ready, you're proactively identifying improvements, and other teams see you as a helpful resource for security questions. Basically, you're making your Senior Manager's life easier by owning your patch.

Decision-Making Authority

Save 10-15 hours weekly with AI-powered Compliance Tools

Let's be real, managing ISO 27001 compliance can be a mountain of paperwork and repetitive tasks. But what if you could cut down on the grunt work and focus on the really interesting stuff? AI isn't just for tech gurus; it's rapidly becoming an essential co-pilot for compliance professionals. Imagine getting back hours every week that you currently spend on manual evidence collection or drafting basic policies.

Tool: Automated Evidence Collection

Benefit: Imagine AI agents connecting to our systems (like Jira, SharePoint, or even cloud platforms) to automatically pull configuration settings, user access lists, or change logs. This means less manual screenshotting and more time verifying the *quality* of the evidence, especially during pre-audit season.

Tool: Intelligent Gap Analysis

Benefit: Use AI tools to quickly scan existing company policies, procedures, and contracts. It can then map these against ISO 27001 clauses and controls, instantly highlighting documentation gaps or inconsistencies that would take you days to find manually. It's like having a super-fast, tireless research assistant.

Tool: Draft Policy & Procedure Generation

Benefit: Need to update an 'Acceptable Use Policy' or draft a new procedure for incident response? AI can generate a solid first draft based on ISO 27001 requirements and best practices. You then tailor it to our specific context, saving hours of staring at a blank page. It's a fantastic starting point, not a final solution.

Tool: AI-Assisted Stakeholder Communication

Benefit: Use AI to draft clear, concise emails for evidence requests, summarise complex audit findings for non-technical teams, or even generate FAQs for common security awareness questions. This helps you communicate more effectively and get the information you need faster.

Weekly time savings potential: 10-15 hours/week (during busy periods)

Typical tool investment: you'll typically use 2-3 core AI tools, plus AI features built into existing platforms.

Competency Requirements

Foundation Skills (Transferable)

Beyond the technical know-how, we're looking for someone who can genuinely operate within a team, solve problems, and communicate effectively. These are the bedrock skills that let you apply your security knowledge in a real-world setting.

Functional Skills (Role-Specific Technical)

These are the specific skills and tools you'll need to hit the ground running in an ISO 27001 compliance role. We're looking for practical experience, not just theoretical knowledge.

Technical Competencies

Digital Tools

Industry Knowledge

Regulatory Compliance Regulations

Essential Prerequisites

Career Pathway Context

We're not expecting you to be an ISO 27001 guru yet, but you should have a solid foundation. This role is about taking that existing knowledge and applying it more independently, owning specific parts of the ISMS, and growing your expertise. If you've been an 'analyst' or 'coordinator' in a similar field, this could be your next step.

Qualifications & Credentials

Emerging Foundation Skills

Advancing Technical Skills

Future Skills Closing Note

The goal isn't to turn you into a full-stack engineer, but to give you enough technical understanding to effectively audit and manage security controls in modern environments. This will make you a much more credible and effective Information Security Manager.

Education Requirements

Experience Requirements

You'll need 2-5 years of dedicated experience in an information security or compliance role, with a significant focus on ISO 27001. This isn't an entry-level position; we're looking for someone who has already been hands-on with control management, evidence gathering, and supporting audits. Experience in a regulated industry or a fast-paced tech environment would be a bonus.

Preferred Certifications

Recommended Activities

Career Progression Pathways

Entry Paths to This Role

Career Progression From This Role

Long Term Vision Potential Roles

Sector Mobility

The skills you'll gain here in ISO 27001 management, audit, and risk are highly transferable across almost any industry. Every company needs to protect its information, so you'll find opportunities in finance, tech, healthcare, manufacturing, and more. Your expertise will be in demand.

How Zavmo Delivers This Role's Development

DISCOVER Phase: Skills Gap Analysis

Zavmo maps your current competencies against all requirements in this job description through conversational assessment. We evaluate your foundation skills (communication, strategic thinking), functional skills (CRM expertise, negotiation), and readiness for career progression.

Output: Personalised skills gap heat map showing strengths and priorities, estimated time to competency, neurodiversity accommodations.

DISCUSS Phase: Personalised Learning Pathway

Based on your DISCOVER results, Zavmo creates a personalised learning plan prioritised by impact: foundation skills first, then functional skills. We adapt to your learning style, pace, and neurodiversity needs (ADHD, dyslexia, autism).

Output: Week-by-week schedule, each module linked to specific job responsibilities, checkpoints and milestones.

DELIVER Phase: Conversational Learning

Learn through conversation, not boring modules. Zavmo uses 10 conversation types (Socratic dialogue, role-play, coaching, case studies) to build competence. Practice difficult QBR presentations, negotiate tough renewals, and handle churn conversations in a safe AI environment before facing real clients.

Example: "For 'Stakeholder Mapping', Zavmo will guide you through analysing a complex enterprise account, identifying key decision-makers, and building an engagement strategy."

DEMONSTRATE Phase: Competency Assessment

Zavmo automatically builds your evidence portfolio as you learn. Every conversation, practice scenario, and application example is captured and mapped to NOS performance criteria. When ready, your portfolio supports OFQUAL qualification claims and demonstrates competence to employers.

Output: Competency matrix, evidence portfolio (downloadable), qualification readiness, career progression score.
