Linnworks

Information Security Project Manager

Linnworks-Estonia
Posted 2 weeks ago
onsite

Job Description

Your Mission

Role purpose

The Information Security Project Manager is responsible for coordinating and driving the company’s information security activities in a pragmatic, commercially aware way.
This role exists to manage security-related projects, audits, and customer security interactions, ensuring we remain compliant and credible without blocking sensible business decisions or over-engineering controls. This role reports into the Director of Technical Operations.


Scope and context

This role sits within the technology function and partners closely with Technical Operations, Engineering, Product, Legal, and Sales.
The focus is on governance, coordination, and communication, not on dictating policy in isolation or acting as the final decision-maker on security matters.
Final risk and tooling decisions sit with the Director of Technical Operations and the broader leadership team; the Information Security Project Manager’s job is to provide clear input, well-reasoned recommendations, and organised execution.

We are a growing SaaS business without PCI, PHI, or highly sensitive PII in scope, and we are not subject to HIPAA or a classified/secret information regime. Our security approach should be proportionate: strong, credible, and well-documented, but not theatrical or unnecessarily restrictive.

Key responsibilities

ISO 27001 and internal audits

  • Plan, coordinate, and execute internal audits and control reviews against ISO 27001 (and related frameworks where relevant).

  • Maintain audit schedules, evidence repositories, and action logs so that we are consistently “audit ready” rather than scrambling before assessments.

  • Work with control owners across the business to ensure that required processes are in place, understood, and operating in a pragmatic way.

  • Track findings and remediation actions, ensuring owners are clear on what needs to be done and by when, and following up to completion.

  • Support external ISO 27001 surveillance and recertification audits, including planning, evidence collation, and managing auditor queries.


Security projects and initiatives

  • Coordinate discrete security improvement projects (for example, rolling out new security tooling, tightening access controls, or updating key policies).

  • Break down security initiatives into clear tasks, owners, and timelines, and keep stakeholders informed on progress and risks.

  • Work with Technical Operations and Engineering to ensure technical changes are understood, documented, and reflected in our security posture.

  • Help prioritise security work by articulating risk, impact, and effort, while understanding the wider commercial and delivery context.

Customer security, RFPs and RFQs

  • Partner with Sales, Pre-Sales, and Customer Success to respond to customer security questionnaires, RFPs, RFQs, and due diligence requests.

  • Maintain and continuously improve a central library of standard security responses and artifacts (for example, summaries of our controls, certifications, and processes).

  • Coordinate input from Technical Operations, Engineering, and Legal where deeper technical or contractual responses are required.

  • Attend customer calls when needed to explain our security posture in clear, non-alarmist language and build confidence in our approach.

Security information and communication

  • Develop and maintain a clear, concise view of our security posture that can be communicated internally and to customers (for example, at a high level, how we handle data, access, monitoring, and incident response).

  • Ensure that key facts (such as use of encryption at rest and in transit, SSO capabilities, backup approaches, and incident processes) are understood and kept up to date, even if technical details are owned by others.

  • Translate technical explanations from engineers into language suitable for non-technical audiences, including customers and internal stakeholders.

  • Help ensure that security-related messages are proportionate, avoiding both complacency and unnecessary drama.

Policies, standards, and pragmatic governance

  • Maintain a focused, manageable set of security policies and procedures that reflect how we actually operate.

  • Work with policy owners to keep documents current, usable, and aligned to ISO 27001 and customer expectations, avoiding policy sprawl and unnecessary complexity.

  • Coordinate periodic reviews of key policies and standards, ensuring changes are communicated and understood.

  • Provide recommendations to the Director of Technical Operations on improvements to policies, controls, or tooling, with clear reasoning and trade-offs.

What this role is not

  • This is not a “head of security” or ultimate decision-maker role; final go/no-go and tooling decisions sit with the Director of Technical Operations and leadership.

  • This is not a role for writing endless policies or blocking change; it is about enabling sensible decisions with good information and structured follow-through.

  • This is not a hands-on security engineering or development role, though you will need enough technical understanding to ask good questions and interpret answers.

  • This is not an internal “police” function; success is based on collaboration, influence, and clarity, not on authority.

What You'll Bring To The Role

We’re looking for someone who brings most of the following:

  • Experience in information security, compliance, risk, or IT audit within a SaaS or technology environment.

  • Practical exposure to ISO 27001 (or similar frameworks), including audits, evidence gathering, and remediation follow-up.

  • Strong project management skills: planning, tracking, stakeholder management, and clear communication.

  • Ability to understand and discuss topics such as encryption at rest/in transit, access control, SSO/identity providers, backup and recovery, logging, and incident response, with the option to lean on specialists for deep detail.

  • Comfortable working directly with customers and auditors, answering questions calmly and confidently.

  • Strong written skills for policies, reports, and customer responses; clear verbal communication with both technical and non-technical audiences.

Personal qualities

  • Pragmatic and commercially aware: able to distinguish between theoretical risk and real-world impact.

  • Collaborative, working with teams to find workable solutions rather than simply saying “no”.

  • Organised and methodical, keeping track of multiple audits, projects, and requests without dropping details.

  • Calm and credible under pressure, especially during audits, customer escalations, or security-related incidents.

  • Comfortable asking questions, challenging assumptions, and highlighting risk while still respecting broader business priorities.

Why this role matters

Done well, this role gives the business confidence that our security posture is robust, evidenced, and well-articulated, without turning security into a blocker for growth.
It ensures we meet our obligations to customers and auditors, support sales with clear and honest answers, and make security improvements in a deliberate, organised, and commercially sensible way.

Why us?

Perks & Benefits


  • Remote & flexible working – with hybrid options in London or Chichester
  • Fantastic team culture based on trust and belonging.
  • Laptop & home office budget – £500 to set up your ideal workspace.
  • Private Medical Insurance with Aviva, including Dental & Optical.
  • Group Life Insurance & Yulife Wellbeing & Rewards.
  • Mental well-being support – Access therapy, mental health sessions, and yoga through a free premium subscription to Headspace.
  • EAP confidential benefit – 24/7 access to compassionate guidance & expert advice
  • 25 days holiday + bank holidays
  • Training, support, and personal development
