We are looking for an experienced Data and Security Compliance Manager to lead and maintain our compliance with ISO 9001, ISO 14001, ISO 27001, Cyber Essentials Plus, MOD-level SAQs, FSQS and GDPR regulations. The role is crucial in ensuring our agency adheres to best practices and legislation in data protection, information security, quality management, environmental compliance and industry-specific security standards.
The ideal candidate will have experience in compliance management, risk assessment, audits, security frameworks and policy implementation. They will need to work across teams such as IT, Operations, Finance, Delivery and Engineering to ensure robust governance, risk management and compliance strategies are in place, supporting both operational efficiency and regulatory requirements.
Key responsibilities
Compliance and certification management
Ensure we have the processes and infrastructure in place to maintain and oversee compliance with:
ISO 9001, 14001 and 27001
Cyber Essentials Plus certification
MOD-level SAQs
FSQS (Financial Services Qualification System)
GDPR and UK Data Protection Law
PCI-DSS compliance
New requirements as applicable
Manage our internal and external audits, certifications and compliance renewals
Ensure continuous monitoring and improvement of compliance frameworks
Review client and supplier contracts/master service agreements and Statements of Work from a compliance perspective and act as the conduit between contracts and project teams to ensure we are meeting our commitments
Supplier/vendor management, including vendor-specific assessments and flow-down policy control and compliance
Information security and Cyber Essentials Plus
Oversee Cyber Essentials Plus compliance, ensuring security controls are in place
Work closely with the IT team to assess vulnerabilities, manage risk and implement cyber security policies
Work with the Head of IT to manage incident response planning and ensure security incidents are managed in line with best practices
Data protection and GDPR compliance
Work closely with our DPO to ensure adherence to GDPR, the UK Data Protection Act and other relevant privacy regulations
Create and maintain any Records of Processing Activities (RoPA) and conduct Data Protection Impact Assessments (DPIAs)
Implement processes around Data Subject Access Requests (DSARs) and breach management
Ensure compliance with any client and third-party data processing agreements (DPAs) and data retention rules
Risk management and policy development
Review, update, maintain and enforce policies and procedures related to:
Information security
Data protection
Environmental sustainability
Business continuity
Incident response
Supplier security assessment
Maintain a risk register identifying compliance risks and implement mitigation strategies
Conduct internal security audits and ensure corrective actions are taken
FSQS and MOD compliance, JOSCAR, SOC and standard DevSecOps requirements
Manage FSQS accreditation, ensuring all necessary documentation is up to date
Support MOD SAQ (Supplier Assurance Questionnaire) compliance, working with internal teams to meet security requirements such as MOD Security Policy JSP440
Ensure adherence to government and financial sector security regulations across the agency
Internal training
Deliver compliance training to staff on GDPR, security awareness, best practices and ISO requirements
Ensure teams are aware of best practices in cyber security, data protection and quality management
Foster a culture of compliance and continuous improvement across the business
Skills and experience
Essential:
Experience managing compliance frameworks including ISO 9001, 14001, 27001, Cyber Essentials Plus, GDPR and PCI-DSS
Strong understanding of information security, cyber security frameworks and risk management
Experience with internal and external audits, certification renewals and policy development
Proven knowledge of data protection laws
Ability to develop and deliver compliance training
Excellent project management and stakeholder engagement skills
Desirable:
Knowledge of cloud security frameworks (AWS, Azure, SaaS security)
Experience in business continuity and disaster recovery planning
Understanding of government and other regulatory body security frameworks (MOD, FSQS, NCSC)