Senior Information Security Auditor

Key Responsibilities:

• Lead planning, scoping, and execution of internal audits for information security, privacy, and business resilience using risk-based audit methodologies.

• Perform detailed control testing across technical, process, and third-party outsourcing controls aligned to ISO/IEC 27001, ISO/IEC 27701, SOC 2 TSC, ISO/IEC 22301, and other applicable standards.

• Produce clear, concise, and detailed audit reports including findings, risk ratings, root-cause analysis, practical remediation recommendations, and risk acceptance considerations.

• Act as primary liaison with external audit bodies, regulators, and assurance partners: prepare evidence packages, coordinate on-site/remote audit activities, and respond to follow-up queries.

• Provide advice and guidance to business units, IT, legal, privacy, and risk teams on information security and privacy frameworks, control design, and compliance requirements (e.g., GDPR, DORA).

• Mentor, coach, and develop junior auditors — review their work, provide feedback, and support career development and skills building.

• Maintain and enhance the internal audit methodology, templates, and assurance tooling; champion use of automation and AI to improve efficiency of testing, pattern detection, and reporting.

• Track remediation actions: maintain issues/risk register, liaise with control owners, validate remediation, and escalate where necessary.

• Contribute to continuous improvement initiatives for the Information Security & Privacy Management System (ISPMS) and cross-functional risk programs.

• Support management reporting and audit committee deliverables, prepare executive summaries, and present findings to senior stakeholders.

Knowledge and Attributes:

• Strong working knowledge of ISO/IEC 27001, ISO/IEC 27701, ISO/IEC 22301, and SOC 2 TSC frameworks: controls mapping, gap analysis, and audit interpretation.

• Deep understanding of GDPR principles and practical privacy controls; familiarity with EU/UK data protection obligations.

• Knowledge of financial / operational regulatory frameworks such as DORA (or readiness to apply its requirements to ICT risk and operational resilience).

• Experience liaising with external auditors and regulators, preparing evidence packs, and responding to assurance queries.

• Strong technical literacy: understanding of network security, identity/access management, cloud security, application security, encryption, logging/monitoring, and third-party risk controls.

• Proficiency in audit tools, GRC platforms, and common productivity suites; willingness to evaluate and adopt AI tools for data analysis, testing, and reporting.

Academic Qualifications and Certifications:

• Certified Lead Auditor (or equivalent) in:

• • ISO/IEC 27001 Lead Auditor

  • ISO/IEC 27701 Lead Auditor (or demonstrable privacy audit experience)

  • ISO/IEC 22301 Lead Auditor (desirable)

• Professional certifications preferred: CISA, CISSP, CRISC, CIPM or equivalent.

• Experience working within regulated industries (financial services, critical infrastructure, healthcare, or large-scale technology services) is highly desirable.

Required experience:

• Minimum 5–8+ years of experience in information security, privacy, compliance, or IT/internal audit roles with demonstrated audit delivery.

• Prior experience leading information security or privacy internal audits and coordinating external audit engagements.

Competencies & Behaviours

• Demonstrates strong analytical thinking, attention to detail, and the ability to translate technical findings into business risk terms.

• Excellent written and verbal communication skills — able to produce executive-level summaries and detailed technical reports.

• Strong stakeholder management skills: builds credibility with technical teams, business leaders, and external assurance parties.

• Coaching mindset: motivated to develop junior team members and contribute to a high-performance audit team culture.

• Proactive, pragmatic, and commercially aware — offers pragmatic remediation guidance that balances security, business continuity, and cost.

• Curiosity and drive to innovate: explores automation and AI opportunities to enhance audit effectiveness and efficiency.

Deliverables & Success Measures

• Timely completion of assigned audits according to the annual audit plan and risk priorities.

• High-quality audit reports with actionable recommendations and appropriate risk ratings.

• Demonstrable reduction in repeat findings and timely remediation closure rates.

• Positive feedback from auditees, external auditors, and senior stakeholders on professionalism and clarity of reporting.

• Implementation or pilot of AI-enabled techniques or automation in audit processes where appropriate.

Working Relationships

• Reports to: Manager, Information Security Audit

• Regular interaction with: CISO, Data Protection Officer, IT leadership, Business Unit Managers, Legal, Risk, External Audit Firms, and Regulators.