Senior (5-8 years)

Senior International ISO 27001 Information Security Director

This role is all about being the go-to technical expert for our Information Security Management System (ISMS), particularly when it comes to ISO 27001. You'll be the one leading internal audits, designing new security controls, and making sure everything aligns perfectly with our international standards. Frankly, you're the person who ensures we don't just 'say' we're secure, but actually 'are' secure, especially when an external auditor comes knocking. It's a critical role for keeping our global certifications intact and our data safe.

Job ID
JD-CQHS-SRISEC-003
Department
Compliance Quality Health Safety
NOS Level
Level 6-7
OFQUAL Level
Level 6-7
Experience
Senior (5-8 years)

Role Purpose & Context

Role Summary

The Senior International ISO 27001 Information Security Director is responsible for making sure our global information security system (ISMS) isn't just a tick-box exercise, but genuinely protects our business. You'll lead internal audits, design new security controls, and generally be the person who knows our ISO 27001 certification inside out. This directly impacts our ability to win and keep clients, as well as protecting our reputation and commercial secrets. Day-to-day, you'll be working closely with our IT, Product, and Legal teams, translating complex security requirements into practical actions. You'll help them understand why a certain control matters and how to implement it without slowing them down too much. When you do this job well, we sail through our external ISO 27001 audits, our client security questionnaires are a breeze, and our leadership sleeps a little easier knowing our data is well-protected. If it's not done well, we risk losing certifications, facing regulatory fines, and potentially suffering a data breach that could really hurt the business. The tricky part is often getting everyone on the same page about security priorities, especially when they're busy building new features. The reward, though, is seeing your work directly contribute to the company's integrity and knowing you're protecting something truly valuable.

Reporting Structure

Key Stakeholders

Internal:

External:

Organisational Impact

Scope: You're the engine room for our ISO 27001 compliance. Your work directly underpins our ability to maintain critical certifications, which in turn opens doors to new business and keeps our existing client base happy. Get it right, and you'll significantly reduce our exposure to information security risks, protecting our assets and reputation. Get it wrong, and we could face significant financial penalties, reputational damage, and lost business opportunities.

Performance Metrics

Quantitative Metrics

  1. Metric: Internal Audit Non-Conformity Rate
     Desc: The number of non-conformities (issues) identified during internal ISO 27001 audits.
     Target: Reduce Major Non-Conformities to 0, Minor Non-Conformities by 20% year-on-year.
     Freq: Quarterly, post-internal audit.
     Example: After your Q2 internal audit, you found 2 minor non-conformities, down from 3 in Q1, and zero majors. That's progress.
  2. Metric: Control Effectiveness Score
     Desc: A score reflecting how well our security controls are designed and operating, based on internal assessments.
     Target: Maintain an average control effectiveness score of 90% across all critical ISO 27001 Annex A controls.
     Freq: Bi-annually, during control reviews.
     Example: You've reviewed our access control process (A.9.2.1) and identified improvements that boosted its effectiveness score from 85% to 92%.
  3. Metric: Mean Time to Remediate (MTTR) for Audit Findings
     Desc: The average time it takes to fix issues identified during internal or external audits.
     Target: Reduce MTTR for critical audit findings to under 45 days.
     Freq: Monthly, tracked in Jira/GRC platform.
     Example: An audit finding about unpatched servers (critical) was closed in 38 days, beating the target and showing quick action.
  4. Metric: Third-Party Security Assessment Completion Rate
     Desc: The percentage of critical third-party vendors who have completed our security assessment process.
     Target: Achieve 95% completion for all new critical vendors within 30 days of onboarding.
     Freq: Monthly, tracked in GRC platform.
     Example: You've chased down the last two outstanding security questionnaires, bringing our critical vendor completion rate to 98% for the month.

Qualitative Metrics

  1. Metric: Stakeholder Engagement and Trust
     Desc: How effectively you build relationships and influence teams to adopt security best practices, and how much they trust your advice.
     Evidence: Teams proactively come to you for security advice before starting new projects. Your recommendations are usually adopted without significant pushback. You're seen as a helpful partner, not just a 'no' person. Feedback from internal clients (e.g., Product, Engineering) indicates you're easy to work with and provide clear guidance.
  2. Metric: Quality of ISMS Documentation
     Desc: The clarity, accuracy, and completeness of our ISO 27001 documentation (policies, procedures, SoA).
     Evidence: External auditors consistently commend the quality and organisation of our documentation. New team members can easily understand and follow security procedures. Fewer questions arise during internal audits due to unclear documentation. Your Statement of Applicability (SoA) is always up-to-date and reflects our current control environment.
  3. Metric: Proactive Risk Identification
     Desc: Your ability to spot potential security risks before they become incidents or audit findings.
     Evidence: You regularly bring new, relevant risks to the attention of leadership with proposed mitigations. You identify gaps in our control framework before external parties do. Your input helps us avoid issues that might have otherwise caused problems during audits or incidents.
  4. Metric: Mentorship Effectiveness
     Desc: How well you guide and develop junior team members in their understanding and application of information security principles.
     Evidence: Junior team members report feeling supported and learning a lot from you. They show noticeable improvement in their work quality and autonomy after working with you. You're consistently providing constructive feedback and helping them navigate complex tasks.

Primary Traits

Supporting Traits

Primary Motivators

  1. Motivator: Protecting the Business
     Daily: You get a real kick out of knowing your work directly contributes to safeguarding our company's data, reputation, and client trust. It's not just about compliance; it's about genuine security.
  2. Motivator: Solving Complex Puzzles
     Daily: You enjoy the challenge of mapping intricate security requirements to messy real-world systems, finding elegant solutions that balance security with business needs. It's like a constant game of chess.
  3. Motivator: Driving Continuous Improvement
     Daily: You're always looking for ways to make things better, whether it's optimising an audit process, improving a control, or streamlining documentation. Stagnation isn't in your vocabulary.

Potential Demotivators

Honestly, this role isn't for everyone. You'll spend a fair bit of time chasing people for evidence, which can feel like herding cats. You'll sometimes be the bearer of bad news, telling teams they can't do something they really want to, or that they need to re-do work because it doesn't meet security standards. You'll also build beautiful, comprehensive plans that sometimes get deprioritised because something else 'more urgent' comes up. If you need constant visible wins and hate administrative tasks, you might struggle.

Common Frustrations

  1. The 'Security vs. Speed' Battle: You'll constantly be negotiating with Product and Engineering teams who see security controls as a bottleneck to innovation and feature delivery. It's a never-ending push and pull.
  2. Chasing Evidence: A significant chunk of your time will be spent following up with various teams to get the documentation and proof needed for audits. It's not glamorous, but it's essential.
  3. Translating Technical Risk: Explaining why a 'CVSS 9.8 vulnerability in a Log4j library' is a business-critical threat to an executive who just wants to know if the quarterly numbers are at risk can be incredibly frustrating.
  4. Audit Fatigue (for others): You'll be asking teams for evidence they've probably already provided for another audit, leading to some eye-rolls and grumbling. You'll have to manage that perception.

What Role Doesn't Offer

  1. A quiet, predictable 9-to-5: Security incidents don't stick to office hours, and audit deadlines can be brutal. Expect some late nights and urgent requests.
  2. Uninterrupted deep work: You'll be pulled into meetings, asked for quick advice, and constantly interrupted by requests for information. Focus time is something you'll have to fight for.
  3. Universal popularity: Sometimes, you'll have to say 'no' or enforce unpopular policies. You won't always be everyone's favourite person, and you'll need to be okay with that.

ADHD Positives

  1. The varied nature of tasks, from auditing to control design to incident response, can be engaging and prevent boredom.
  2. High-pressure situations, like incident response, can tap into hyperfocus, leading to rapid problem-solving.
  3. The need for quick, decisive action in security can be a good fit for those who thrive under urgency.

ADHD Challenges and Accommodations

  1. The meticulous documentation requirements for ISO 27001 can be challenging; using structured templates and AI tools for first drafts can help.
  2. Managing multiple ongoing audit findings and remediation plans requires strong organisation; visual tracking tools (Jira dashboards, GRC platforms) are key.
  3. Frequent interruptions from various stakeholders might break focus; dedicated 'deep work' blocks and clear communication boundaries can be useful.

Dyslexia Positives

  1. Strong conceptual thinking and pattern recognition are highly valued in identifying security risks and designing robust controls.
  2. Excellent verbal communication skills (often seen in dyslexic individuals) are crucial for influencing stakeholders and explaining complex security concepts.
  3. The ability to see the 'big picture' of an ISMS and how different controls fit together can be a significant strength.

Dyslexia Challenges and Accommodations

  1. Extensive reading and writing of policies, procedures, and audit reports can be demanding; using text-to-speech software and leveraging AI for summarisation can assist.
  2. Proofreading detailed documentation is critical for ISO 27001; pairing with a colleague for reviews or using advanced grammar/spelling checkers is recommended.
  3. Structured templates for all documentation (SoA, risk assessments) can reduce cognitive load and ensure consistency.

Autism Positives

  1. A strong adherence to rules and logical frameworks (like ISO 27001) is a significant asset in compliance roles.
  2. Exceptional attention to detail, especially in identifying discrepancies in evidence or control weaknesses, is highly valued.
  3. The preference for clear, direct communication can be effective in security discussions, cutting through ambiguity.

Autism Challenges and Accommodations

  1. Navigating complex social dynamics and influencing non-technical stakeholders can be challenging; clear communication guidelines and structured meeting formats can help.
  2. Unexpected changes or urgent incidents can be disruptive; clear incident response playbooks and predictable communication channels are important.
  3. Sensory overload in open-plan offices or during intense meetings might occur; access to quiet spaces or noise-cancelling headphones can be provided.

Sensory Considerations

Our office environment is typically a modern, open-plan space, which can sometimes be a bit noisy. We do offer quiet zones and meeting rooms for focused work or calls. Visual stimuli are generally moderate, with standard office lighting. Social interaction is frequent, but we aim for clear, direct communication. If you need specific adaptations, we're always open to discussing what works best for you.

Flexibility Notes

We understand that everyone works differently. We offer flexibility around working hours where possible, and a hybrid working model (typically 2-3 days in the office) to help you manage your environment. We're keen to make sure you have what you need to thrive.

Key Responsibilities

Experience Levels Responsibilities

Level: Senior Professional (5-8 years)

Responsibilities:

  1. Lead internal ISO 27001 audits from planning through to reporting, making sure we're always ready for the external auditors. (This means deep dives into processes, interviewing teams, and spotting where we might fall short.)
  2. Design and implement new security controls or improve existing ones, translating ISO 27001 requirements into practical, workable solutions for our global operations. (You'll often be the bridge between what the standard says and what our engineers can actually build.)
  3. Own the Statement of Applicability (SoA) and the risk register, ensuring they're always up-to-date and accurately reflect our current security posture and any accepted risks. (This is the auditor's first stop, so it needs to be spot on.)
  4. Mentor 0-2 junior information security analysts, providing technical guidance, reviewing their work, and generally helping them grow their compliance and security expertise. (You'll be sharing your hard-won knowledge and helping them get unstuck.)
  5. Represent the Information Security team in cross-functional project meetings, providing expert advice on security requirements for new systems or services. (You'll be the voice of security, making sure it's considered from the start.)
  6. Manage the remediation of audit findings and control gaps, working with relevant teams to make sure issues are fixed properly and on time. (It's not just about finding problems, but making sure they actually get solved.)
  7. Conduct detailed third-party security assessments for critical vendors, reviewing their security posture and contractual agreements to identify and manage supply chain risks. (You're protecting us from risks introduced by others.)

Supervision: You'll typically have bi-weekly check-ins with your Lead or Manager, mostly for strategic alignment and to discuss any major roadblocks. For day-to-day work, you're expected to be pretty autonomous. You'll lead your own workstreams and projects, only pulling in your manager for truly novel or high-stakes issues.

Decision: You'll have full technical decision-making authority within your project scopes (e.g., choosing a specific control implementation, selecting a methodology for a risk assessment). For anything with a budget impact above, say, £10K, or changes to strategic direction, you'll need to consult with your Lead/Manager. You can make recommendations on hiring junior staff, but the final decision isn't yours yet. You're expected to make independent judgments on control effectiveness and risk ratings, escalating only when the risk appetite is exceeded or there's a significant business impact.

Success: Success looks like consistently passing internal audits with minimal findings, seeing your control designs effectively implemented, and junior team members developing well under your guidance. It also means being the person other teams naturally turn to for security advice because they trust your expertise and pragmatic approach.

Decision-Making Authority

Save 15-25 hours weekly with AI-powered Compliance Tools

Let's be real, a big part of information security and compliance can feel like a mountain of paperwork and repetitive tasks. But what if you could offload a significant chunk of that to smart AI tools? We're not talking about replacing your expertise, but supercharging it.

Tool: Audit Evidence Automation

Benefit: Use AI-powered GRC tools (think Vanta or Drata) to automatically pull evidence from our cloud services (AWS, Azure) and SaaS tools. It maps directly to ISO 27001 controls, saving you from endless screenshotting and report pulling. Honestly, it's a game-changer for audit prep.

Tool: Predictive Risk Analysis

Benefit: Leverage AI/ML models within our SIEM or GRC platforms to chew through vast amounts of security event data and control failures. This helps you spot patterns and predict where our next big risk might emerge, shifting your focus from reacting to proactively strategising. It's like having a crystal ball for security.

Tool: Policy & Procedure Generation

Benefit: Ever stared at a blank page trying to draft a new security policy? Use a secure, enterprise-grade LLM to generate solid first drafts of policies, standards, and procedures based on ISO 27001 requirements. You'll then refine it with your expertise, cutting down that initial drafting time significantly.

Tool: Executive Summary Synthesizer

Benefit: After a lengthy audit or incident, you need to tell leadership what happened, quickly. Feed those dense, technical reports into an AI tool to get a concise, non-technical executive summary focusing on business impact, root cause, and strategic recommendations. Perfect for board-level communication without the headache.

Weekly time savings potential: Expect to save roughly 15-25 hours every week by intelligently using these tools.

Typical tool investment: You'll be working with a suite of 3-5 core AI-enabled tools, plus access to general LLMs.

Competency Requirements

Foundation Skills (Transferable)

Beyond the technical stuff, there are some fundamental skills that are absolutely essential for thriving in this role. These are the bedrock that allows you to apply your expertise effectively and work well with everyone.

Functional Skills (Role-Specific Technical)

These are the specific methodologies, tools, and industry knowledge you'll need to hit the ground running and really make an impact in this role.

Technical Competencies

Digital Tools

Industry Knowledge

Regulatory Compliance Regulations

Essential Prerequisites

Career Pathway Context

We're looking for someone who has genuinely 'done the doing' when it comes to ISO 27001. You're not just familiar with the standard; you've lived and breathed it, from scoping to certification. This isn't a role for someone who's only been involved in a small part of the process; we need someone who understands the whole lifecycle and can lead others through it.

Qualifications & Credentials

Emerging Foundation Skills

Advancing Technical Skills

Future Skills Closing Note

Staying relevant means continuous learning. We're not expecting you to be an expert in everything overnight, but a genuine curiosity and commitment to developing these skills will be key to your long-term success here. We'll support you with training and resources, but the drive has to come from you.

Education Requirements

Experience Requirements

You'll need a solid 5-8 years of dedicated experience within information security, with a significant chunk of that focused on ISO 27001 implementation, auditing, and management. We're looking for someone who has genuinely led internal audits, designed controls, and managed the ISMS lifecycle. This isn't your first rodeo with ISO 27001; you've been in the trenches and know what it takes to get and stay certified.

Preferred Certifications

Recommended Activities

Career Progression Pathways

Entry Paths to This Role

Career Progression From This Role

Long Term Vision Potential Roles

Sector Mobility

Your deep expertise in ISO 27001 and broader information security principles is highly transferable across almost any industry. Financial services, tech, healthcare, government – they all need robust information security. You could move into consulting, work for a major enterprise, or even specialise in a niche area like critical infrastructure security. The world is your oyster, security-wise.

How Zavmo Delivers This Role's Development

DISCOVER Phase: Skills Gap Analysis

Zavmo maps your current competencies against all requirements in this job description through conversational assessment. We evaluate your foundation skills (communication, strategic thinking), functional skills (CRM expertise, negotiation), and readiness for career progression.

Output: Personalised skills gap heat map showing strengths and priorities, estimated time to competency, neurodiversity accommodations.

DISCUSS Phase: Personalised Learning Pathway

Based on your DISCOVER results, Zavmo creates a personalised learning plan prioritised by impact: foundation skills first, then functional skills. We adapt to your learning style, pace, and neurodiversity needs (ADHD, dyslexia, autism).

Output: Week-by-week schedule, each module linked to specific job responsibilities, checkpoints and milestones.

DELIVER Phase: Conversational Learning

Learn through conversation, not boring modules. Zavmo uses 10 conversation types (Socratic dialogue, role-play, coaching, case studies) to build competence. Practice difficult QBR presentations, negotiate tough renewals, and handle churn conversations in a safe AI environment before facing real clients.

Example: "For 'Stakeholder Mapping', Zavmo will guide you through analysing a complex enterprise account, identifying key decision-makers, and building an engagement strategy."

DEMONSTRATE Phase: Competency Assessment

Zavmo automatically builds your evidence portfolio as you learn. Every conversation, practice scenario, and application example is captured and mapped to NOS performance criteria. When ready, your portfolio supports OFQUAL qualification claims and demonstrates competence to employers.

Output: Competency matrix, evidence portfolio (downloadable), qualification readiness, career progression score.
