Aquila Heywood Redhill, Surrey, UK
ROLE AND RESPONSIBILITIES

The ISO at Aquila Heywood is responsible for the security posture of our software products, internal operations, staff security education, maintaining the ISO27001 certification, ensuring continued compliance with GDPR, the implementation and ongoing management of SOC2 reports, and compliance with the data regulations of our datacentres. This role covers Data Protection Officer requirements under GDPR.

This is a senior position within the company, reporting to the CTO. This position complements our existing quality practices and will work closely with Aquila Heywood's Quality Manager within existing management systems, making recommendations accordingly.

RESPONSIBILITY

- Lead the development of, and drive adoption of and compliance with, Aquila Heywood's Information Security policies, procedures and standards.
- Conduct continuous assessments of current IT security practices and systems and identify areas for improvement.
- Accountable for the company's ISO27001 compliance and certification, and for any other certifications that may be appropriate. Ensure all required documentation and processes are in place for the audit. Manage our relationship with the external Quality Auditor in relation to ISO27001 and SOC2 and assist with facilitating the certification process.
- As part of the significant change in data security in general, we plan to implement SOC2 reporting and ensure our GDPR obligations are fully in place and continually maintained; this role will be accountable for achieving this.
- Conduct and sign off regular penetration tests and vulnerability scans of Aquila Heywood systems and infrastructure, and manage external penetration tests of our systems carried out by 3rd parties that we engage.
- Work with our customers to facilitate penetration tests and vulnerability scans of customer systems being carried out by 3rd parties.
- Manage the remediation of any defects that are found, in conjunction with the CTO.
- The ISO signs off the InfoSec quality gate for all production applications. This includes assessing our software against the key security criteria required by our Acceptance-into-Service core process.
- Provide security oversight and assist with the development and implementation of business continuity plans, to ensure service is continuous when a change programme is introduced, when a security breach occurs, or in the event that the disaster recovery plan needs to be triggered.
- Manage and conduct internal security training and awareness for staff.
- Provide a monthly report to the CTO and relevant senior management meetings that documents the results of the scans and the information security health status. This includes an Information Security Dashboard that reports cyber-attacks and defences during the month, lists our InfoSec risk register, and tracks issues and actions from month to month.

THE POSITION AND TEAMWORK

- The ISO reports directly to the CTO.
- The ISO has an active role within our Support and Professional Services teams, joining in team meetings and advising our project delivery teams on security practices where appropriate.
- The ISO works closely with our Technology & Product teams to help ensure our products are built using a best-practice security framework, and that our secure software development lifecycle is robust and fit for purpose.
- The ISO works with the People team to ensure personnel are adequately vetted for the required security clearance, that our induction security training for all employees is delivered, and that ongoing training in information security best practice is effective.
- The ISO works with the management team to ensure that data security is understood and is always considered when key decisions are being made.
- The ISO works with the Quality Manager to embed security principles and practices within the Quality Management System.

KNOWLEDGE AND SKILLS

- Understanding and practical experience of applying data regulations in a software and infrastructure environment.
- A good working knowledge of ISO27001 and SOC2 principles, and an understanding of what GDPR means for companies.
- Awareness of European data security practices and relevant regulations.
- Ability to adapt to a fast-moving IT landscape and keep pace with the latest thinking and new security technologies.
- Strong customer focus: able to meet the demands of internal and external customers.
- Can ask technical questions in an easy manner.
- Information Risk Management practices.

PERSONAL CHARACTERISTICS

- Good listener, facilitator and meeting manager.
- Disciplined in following process and convinces others to do the same.
- Able to deliver training that is engaging and interesting.
- Holds people accountable for meeting their commitments.
- Good communicator who influences our people, from development to product, the management team and our shareholders.