Information Security Risk Manager

Posted 17 June 2024
Salary + benefits
Job type Permanent
Discipline: Data & Analytics, Cyber Security
Contact: Jamie Hine

Job description

Conexus has partnered with a Global Pharmaceutical Company to source an Information Security Risk Manager who will be responsible for assessing, reporting, and managing information security risks identified in our systems and data, business processes, and third-party service providers. You will work closely with IT colleagues and business stakeholders based at multiple locations in Europe, USA, and Japan. As this is a remote role, we are seeking a candidate with exceptional time management skills and the ability to work independently.

The Team: You will deliver your services in support of a recently created Information Security, Risk and Compliance Management (ISRM) Team. This team is accountable for the design and implementation of our information security, risk management, and compliance strategy and program globally.

Responsibilities:

  • Support the design and improvement of the information security framework (ISF): policies, controls, and procedures using the NIST Cyber Security Framework, including third-party risk management.
  • Assess new and existing systems, data flows, business processes, and third-party provider engagements to implement and verify compliance with the ISF, reporting identified risks and issues.
  • Perform information security risk assessments, including security business impact analysis (BIA), business dependency analysis, security controls plan, controls maturity assessments, and third-party provider risk profiling, assessments, and audits.
  • Maintain the information security risks and issues registers, deliver high-quality reports, and run information security committee meetings with business and IT management to manage risks.
  • Support the design and improvement of third-party information risk management policies, controls, and procedures. Assist or lead assessment of information security risks arising from engagements with third-party providers and drive remediation efforts.
  • Drive the design and implementation of a GRC platform, including functional requirements, reviewing process designs, rolling out new processes to the business and IT teams, and supporting the administration and maintenance of the GRC tool.
  • Design, improve, and periodically report security key risk indicators and metrics to IT and business management to support continuous improvements and increase security maturity.
  • Design and deliver the security education training awareness program (SETA) across all business functions. Manage external resources supporting the security awareness activities.

Desirable Experience:

  • Implementing controls and managing compliance risks for GxP-regulated systems, data protection regulations such as EU and UK GDPR and CCPA, and cybersecurity regulations such as the EU NIS2 Directive and the US SEC cybersecurity disclosure requirements.

Education, Certifications, and Skills Required:

  • Minimum of 10 years of professional experience in information technology, with at least 3 years as an information security risk manager, preferably in pharmaceutical, biotechnology, or other manufacturing organizations.
  • Bachelor's or master's degree in information security or information technology.
  • Relevant information security professional certifications, e.g., CISSP, CISM, CRISC, CISA, GSEC-GIAC, ISO 27001 auditor/practitioner.
  • Desirable: Training and/or certifications in GRC platforms such as ServiceNow GRC, Archer, or MetricStream, and in the NIST Cyber Security Framework.

If this position is of interest, apply here or contact me directly for more details.