Location: Surrey
Position: IT
Package: Competitive D.O.E Plus Package
Job Type: Permanent Full Time

Duties/Responsibilities

Location: Surbiton

Salary: Competitive plus package

Working hours: 9:00am - 5:00pm, 35 hours per week, Monday - Friday

Benefits: Car Allowance, 25 Days Holiday + BH, Company Pension, Private Healthcare, Company Sick Pay, Flex Benefits (EMCOR UK discount scheme)

 

About EMCOR UK: 

At EMCOR UK, we revolutionise facilities management by combining our engineering heritage and innovation capability. We prioritise people in everything we do, collaborating closely with our customers to understand all their needs, from the big picture to day-to-day operations. Our purpose is to “create a better world at work”. Using our unique insight platform, "One Data World," we harness data-driven intelligence to make informed decisions, adapting our services to meet our customers’ evolving requirements. This allows us to cultivate an enhanced workplace experience for their teams whilst optimising efficiency, meticulously managing every asset, and minimising their impact on the planet. All supported by our commitment to safety, compliance, and assurance. Our partnering approach empowers our customers to shape a better future. Whether guiding their path to net zero or redeveloping their facilities for enhanced efficiency, we create better places for work whilst taking away the burden of facility operations, freeing up our customers to concentrate on their business.

 
Job Purpose:

As a member of the Information Security team, the Information Security GRC Analyst is responsible for supporting the operation, maintenance, and maturity of EMCOR UK’s Information Security Program, protecting EMCOR UK’s information assets and technologies. This includes enhancing the information security management system, supporting the risk management process, and monitoring external threats.

Production and maintenance of information security documentation and training, as well as monitoring the security toolsets employed, form part of the daily undertakings.

Any subsequent remedial activities will be key to the successful implementation and management of a secure estate.
 
Duties:
  • Monitor, maintain, and mature the information security management system (ISMS) and information security program to ensure the integrity, confidentiality & availability of all information assets.
  • Day to day management and maturity of information security risk identification and remediation of identified information security concerns for the organisation and third-party suppliers.
  • Contribute to the successful completion of external and independent information security related audits.
    • EMCOR UK is subject to ISO27001, ISO27017, ISO27701, ISO22301, Cyber Essentials Plus, IASME Governance, and Sarbanes-Oxley.
  • Conduct and document internal audits to support the information security program.
  • Assist with the completion of information security related enquiries and responses to current and potential clients.
  • Contribute to information security incident response activities.
  • Contribute to the Subject Access Request and eDiscovery process.
  • Ensure adherence to legal and regulatory compliance, governing information security and industry best practices.
  • Monitor security operations toolsets to include SIEM, vulnerability management, endpoint protection, endpoint detection and response, intrusion detection, and threat intelligence.
  • Provide security reporting related to information security governance, risk, and compliance.
  • Day to day management and maturity of the information security training and awareness programmes.
  • Monitor the external environment for emerging information security threats, trends, legal and regulation changes and assist the Head of Information Security with any appropriate courses of action.
  • Contribute to the identification and remediation of information security related corrective actions.
  • Contribute to the information security objectives and roadmap.
  • Identification, documentation, and monitoring of information assets including personally identifiable information.
  • Actively monitor the EMCOR UK digital footprint and suggest remediation actions where appropriate.
  • Ability to effectively work as part of a team and communicate with stakeholders across both technical and business teams.

Person Specification

Knowledge and Skills

  • Demonstrable information security governance, risk, and compliance experience.
  • Demonstrable information security operations experience.
  • Demonstrable experience in working with and contributing to an information security management system (ISMS) certified to ISO27001 standard.
  • Good knowledge of the Cyber Essentials Plus scheme.
  • Good knowledge of UK and EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
  • Good all-round information and cyber security knowledge and/or experience.
  • Good customer facing skills and stakeholder management.
  • Well organised, systematic, and rigorous approach to planning work and priorities.
  • Strong communication and organisational skills.
  • Experience in problem solving and an understanding of the wider business context (business acumen).

Desired Qualifications

  • ISO/IEC 27001 Lead Implementer
  • ISO/IEC 27001 Internal Auditor and/or ISO/IEC 27001 Lead Auditor

Advantageous Qualifications

  • Security+
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Security Professional (CISSP)
  • Or similar recognised information security certifications or qualifications

Other Factors:

The Information Security GRC Analyst must possess UK single-nationality and have resided in the UK for a minimum of 5 years in order to obtain the security clearance (SC) level needed for this role.

Candidates who do not meet these criteria cannot be considered.
 
At EMCOR UK, we embrace and celebrate diversity in all its forms.

We welcome applicants from all backgrounds and experiences, regardless of age, race, gender, sexual orientation, religion, disability, or any other characteristic that makes you unique. We believe that a diverse and inclusive workforce fosters creativity, innovation, and better problem-solving.

We encourage applications from all candidates and are committed to providing equal opportunities for employment and growth, supported by our inclusive policies and practices.

Join us in our endeavour to build a culture of mutual respect and equity, a place where every voice is heard, and every individual is championed.

Join us in building a better world at work.

Benefits

  • 25 days holidays + Bank holidays 
  • Holiday Buy Scheme - up to 5 days
  • Car allowance
  • Company Pension
  • Private Healthcare
  • Industry leading Maternity & Paternity Policies
  • Real Living Wage Employer
  • Refer a Friend scheme
  • Extensive Learning & Development opportunities - including opportunities for progression.  
  • Discount Shopping, Gym, Days Out
  • Bike To Work Scheme
  • Medicash - Health cash plan - Benefits covered include dental, optical, physiotherapy and a health & wellbeing.
  • Employee Assistance Programme - Offering guidance and advice on Personal, Health, Legal and Financial queries.
  • Occupational Health - Making a positive change to Health & wellbeing at work.
  • Various Rewards & Recognition Awards
  • x11 RoSPA Awards for Health & Safety achievements in 2022
  • Order of Distinction Award for our Aldermaston account team (for 15 consecutive RoSPA Gold Awards)
  • Stable employer with long-term prospects on the contract
