
InfoSec and Compliance Manager

InfoSec and Compliance Manager | London, Hybrid | £60,000 - £65,000

The company

The Key is the country’s most trusted provider of knowledge and know-how to education leaders determined to make a difference. We provide authoritative, up-to-the-minute sector intelligence, tools, services and resources that give leaders the knowledge to act. We are a fast-growing company with big ambitions, but at the heart of everything we do is a passionate commitment to supporting schools in delivering better outcomes for children and young people.

The role

We are seeking an experienced InfoSec and Compliance Manager to take ownership of The Key's Information Security Management System (ISMS) and cultivate an environment that balances robust security with effective user enablement.  This means ensuring:

  • Engaged and enabled employees consider security as an integral part of their daily activities.    
  • A demonstrable risk-based, user-centric approach to security is consistently applied.    
  • A culture of continuous improvement and, where beneficial, automation is fostered, with a focus on leveraging AI where appropriate.

The InfoSec and Compliance Manager will report to the Group Head of IT, InfoSec and Compliance (Jim Fenner). The role requires significant collaboration with colleagues across The Key and Central teams, particularly with Platform Engineering, DevSecOps, ITOps Security, and the leadership team.

In more detail, you will:

  • Own, maintain, and continuously improve The Key’s ISMS, encompassing InfoSec, Risk Management, and Compliance frameworks.
  • Ensure excellent execution of the basic security controls.
  • Maintain existing certifications such as ISO27001 and CyberEssentials.
  • Develop, implement, and maintain the policies, procedures, audits, and improvement plans necessary to meet The Key's compliance obligations.    
  • Own the processes that underpin effective policy implementation and adherence.    
  • Evaluate emerging standards and technologies for their potential impact and application, including security assessments of prospective new vendors.
  • Lead The Key’s end-to-end Security Incident Response capability, coordinating with other Incident Commanders across the organisation.    
  • Develop and deliver training programs to promote security awareness and support the balance between security and user enablement.    
  • Develop and maintain The Key’s Disaster Recovery and Business Continuity plans.    
  • Identify and drive improvements to The Key’s ISMS, based on risk assessments and a user-centric approach.    
  • Curate and maintain the documentation and resources required to support the ISMS.

Key Relationships

This role requires significant collaboration with various stakeholders, including:

  • Senior stakeholders, such as The Key's senior leadership team, the Group’s leadership, and Governance teams.    
  • The Key’s DevSecOps and Platform Engineering teams, to support their contributions to The Key’s ISMS.    
  • The Key Group’s IT Security team, to ensure alignment with technical security controls, specifically the Microsoft security stack (Intune, Defender, EntraID), patch management, and Privileged Access Management (StrongDM).    
  • The Key’s Data Protection Officer, and The Key’s Legal Officer.

Essentials

  • Understanding of modern security principles and knowledge of what “good enough” looks like.
  • 5+ years of experience in a hands-on InfoSec SME role.
  • 3+ years of experience in a hands-on Compliance role, including maintaining ISO27001 or similar.
  • Demonstrable knowledge and experience in delivering end-to-end Governance and Risk Management alongside core InfoSec and Compliance requirements.
  • Experience with data protection regulations (e.g., GDPR, DPA) and their implementation.
  • Experience with conducting internal and external audits.
  • Ability to communicate risk and compliance issues to technical and non-technical stakeholders.
  • Knowledge and experience with the Microsoft security stack (EntraID, Intune, Defender).
  • Experience with business continuity planning and disaster recovery.
  • Strong problem-solving and troubleshooting skills.
  • Excellent communication and collaboration skills.
  • Ability to work effectively in a fast-paced environment.   

Beneficial Experience

  • Knowledge and experience with Privileged Access Management (PAM) tooling such as StrongDM.
  • Experience with security compliance automation platforms (e.g., Drata) to streamline audit and compliance processes.
  • Security configuration of Google Workspace.
  • Experience with cloud environment security in AWS or GCP (preferred), or in others such as Azure.
  • Experience with security information and event management (SIEM) systems.
  • Industry-recognized security certifications (e.g., CISSP, CISM, CISA).
  • Scripting and automation skills (e.g., PowerShell, Python).
  • Experience in the EdTech sector and of working in companies of a similar size (500-1000 employees).
  • Knowledge of risk management frameworks (e.g. COSO).

If you don’t have all of the skills or experience listed above, but think you’d be a great fit for our team, we’d love to hear from you or chat about the role in more detail.

Why work for us

We place huge importance on caring for and developing our people. If you join us you can expect a good work-life balance and the training and support you need to succeed in your role and continue to progress. We are a socially conscious company, but one that also likes to have fun. We offer flexible working, a generous holiday allowance, flexible hours, buying and selling holiday, enhanced maternity pay, free breakfast, fruit, and drinks, regular socials and much more.

This role is based in London, and the team works on a hybrid basis of 2-3 days in the office and the rest from home.

How to apply

Please upload your CV and covering letter to highlight why your experience is a good fit for the role. We are also interested in hearing what interests you about this opportunity.

We are an equal opportunities employer. Please let us know if you require any reasonable adjustments to be made at any step of the recruitment process, including telephone/video interviews, written tasks and face-to-face interviews.


Employment type: Full-time, hybrid
Date posted: April 29, 2025
