ISMS Compliance Manager

Compliance Manager

The Compliance Manager is accountable for the design, operation, and continuous improvement of the organisation's Information Security Management System (ISMS) and its associated certification programme. This role is not a technical security engineering position. Instead, it demands a highly organised, process-oriented compliance professional who can orchestrate cross-functional teams, manage external auditors, close control gaps, and ensure that the control environment remains audit-ready at all times. The Compliance Manager serves as the primary interface between the organisation's day-to-day operations and its ISO 27001 certification obligations.

Major Areas of Responsibility:

• ISMS Program Ownership
  • Own, maintain, and continuously improve the ISO 27001-aligned Information Security Management System (ISMS), including its scope, Statement of Applicability (SoA), risk treatment plan, and all supporting documentation.
  • Serve as the internal subject-matter authority for ISO/IEC 27001 standard requirements and, where applicable, supplementary standards (ISO 27002, 27005, 27017, 27018, SOC 2 overlap).
  • Maintain the organisation's certification roadmap and annual audit calendar, coordinating with the external certification body and any internal audit function.
  • Ensure the ISMS programme remains aligned with organisational strategy, evolving business requirements, regulatory changes, and threat landscape shifts.
• Control Framework Management
  • Maintain a complete, current, and authoritative ISO 27001 control framework, mapping Annex A controls (and relevant supplementary controls) to business processes, asset owners, and accountable teams.
  • Conduct and manage periodic control effectiveness assessments to verify that controls are designed adequately and are operating as intended.
  • Drive gap remediation: identify control deficiencies, assign remediation owners, set target dates, track progress to closure, and escalate where timelines are at risk.
  • Ensure evidence artefacts (policies, procedures, records, logs, test results) are complete, current, well-organised, and retained in accordance with the ISMS evidence management framework.
  • Manage policy and procedure lifecycle—drafting, review, approval, version control, and annual attestation—in collaboration with policy owners.
• Audit Management & Readiness
  • Scope, plan, and manage both internal and external ISO 27001 audits (Stage 1, Stage 2 certification, and annual surveillance/recertification audits).
  • Serve as the primary liaison with the external certification body: coordinate logistics, manage the audit schedule, prepare opening and closing meetings, and facilitate auditor access to systems, evidence, and personnel.
  • Proactively assess control adequacy before external audits.
  • Manage all audit findings (minor nonconformities, major nonconformities, and observations): ensure timely root cause analysis, corrective action plans, evidence of closure, and follow-up verification.
  • Maintain a perpetual audit-readiness posture, ensuring the organisation can demonstrate an effective ISMS at any point during the certification cycle—not only at audit time.
• Risk Management Integration
  • Facilitate the information security risk assessment and risk treatment process working with technical and business stakeholders to identify, evaluate, and treat information security risks.
  • Maintain the risk register and risk treatment plan, tracking risk acceptance decisions, treatment progress, and residual risk posture.
  • Ensure risk assessment outputs are reflected in the SoA and control framework, and that significant residual risks are escalated appropriately to leadership.
• Cross-Functional Stakeholder Engagement
  • Identify and engage the correct accountable owners across product, engineering, infrastructure, IT, legal, HR, and business operations to obtain evidence, close gaps, and ensure control sustainability.
  • Facilitate Management Review meetings as required by the standard, preparing agenda materials, risk summaries, audit result summaries, and improvement recommendations.
  • Develop and maintain a stakeholder engagement model that clarifies each team's ISMS responsibilities without requiring them to become compliance specialists.
  • Act as a trusted advisor to leadership on the organisation's compliance posture, certification status, and material risks.
  • Support teams as they address questions regarding information security management, including responses to customer security questionnaires.
  • Manage and support incident response efforts, including containment, investigation, and recovery.
• Compliance Programme Governance
  • Maintain a compliance calendar covering ISMS obligations—control reviews, policy attestations, risk assessments, internal audits, and external audit milestones.
  • Produce regular compliance status reports and management dashboards that accurately reflect the state of the control environment, open gaps, and remediation progress.
  • Contribute to supplier assurance activities by assessing third-party compliance requirements relevant to the ISMS scope.

Key Stakeholders:

• VP of Information Technology and Data
• Group Privacy and Information Security Officer
• Group Governance, Risk, and Compliance
• SVP of Product
• SVP of Engineering
• Engineering Management
• Legal and Compliance

Knowledge and Experience - Required:

• Bachelor's degree in Information Security, Computer Science, Business Administration, or a related field; or equivalent professional experience.
• 5+ years of experience in information security compliance, GRC (Governance, Risk, and Compliance), or audit management roles.
• Demonstrated, hands-on experience managing an ISO 27001 ISMS through at least one full certification or recertification audit cycle—including scoping, internal audits, external audit management, and nonconformity remediation.
• Proven ability to manage cross-functional stakeholders without direct authority—influencing product, engineering, HR, legal, and operations teams to meet compliance obligations.
• Experience maintaining control frameworks, risk registers, and ISMS documentation libraries.
• Track record of writing and managing information security policies and procedures.

Knowledge and Experience - Desired:

• Deep knowledge of the ISO/IEC 27001:2022 standard, Annex A controls, and supporting guidance in ISO/IEC 27002:2022.
• Strong understanding of information security risk assessment methodologies.
• Ability to read, interpret, and apply compliance and audit requirements without needing to be a hands-on technical security practitioner.
• Excellent written and verbal communication skills; able to translate complex compliance requirements into clear, actionable guidance for non-security audiences.
• Strong project and programme management skills: ability to manage multiple workstreams, deadlines, and stakeholders simultaneously.
• CISM (Certified Information Security Manager) or CRISC (Certified in Risk and Information Systems Control).
• Working knowledge of complementary frameworks such as SOC 2 (Type I/II), NIST CSF, CIS Controls, GDPR, or CCPA—particularly where they overlap with or supplement the ISO 27001 control environment.
• Prior experience in a regulated industry (financial services, healthcare, or public sector) where certification drives contractual or regulatory obligations.

Travel:

• Travel is expected to complete job function - including potential significant periods of travel related to coordination of audit readiness and execution. Overall travel is not to exceed 50% of time.

Hexagon is an Equal Opportunity Employer. We prohibit discrimination against any job applicant based on protected characteristics.