
Information Security Manager

Creative ITC

Milton Keynes

On-site

GBP 50,000 - 75,000

Full time

Today

Job summary

A global cloud service provider in Milton Keynes is seeking an IS Manager to manage ISO/IEC 27001:2022 ISMS and lead compliance with Cyber Essentials Plus. The ideal candidate will have strong experience in information security roles, relevant certifications, and a practical understanding of third-party risk management. This role involves establishing security controls aligned with UK GDPR and other frameworks while enhancing stakeholder communication at an executive level. This position offers an opportunity to shape security governance in a dynamic environment.

Qualifications

  • Strong experience in an information security junior/senior analyst role.
  • Certifications like CISM, CRISC, ISO 27001 Lead Implementer.
  • Experience with cloud risk management (AWS, Azure).

Responsibilities

  • Own and operate an ISO/IEC 27001:2022 ISMS.
  • Lead Cyber Essentials Plus readiness for the organization.
  • Drive a practical control baseline with CIS Controls v8.1.

Skills

Communication
Analytical thinking
Risk management
Stakeholder engagement

Education

ISO 27001 Lead Implementer/Lead Auditor
CISM
CRISC

Tools

Panorays
SIEM
Vulnerability scanners

Job description

Creative ITC is a leading infrastructure and global cloud service provider, renowned for designing and delivering exceptional managed services and cloud solutions across five continents. Our mission is to help customers realize the full potential of their investments and achieve business objectives faster. We specialize in developing financially-sound cloud roadmaps, simplifying adoption, minimizing disruption, and enhancing the performance of applications, data, and virtual desktops. Clients choose Creative ITC because we work tirelessly to fully understand their infrastructure needs, from current state to desired architecture. We excel in navigating the complexities of private, public, and hybrid cloud environments, ensuring seamless transitions and avoiding common pitfalls.

Our commitment to client success is evident in our ability to speed up and de‑risk the innovation process, align IT costs with actual usage, and master disruptive technologies. Founded in 2006, Creative ITC has grown from a small consultancy into a global player in the IT infrastructure and cloud services industry. Headquartered in London, United Kingdom, we have expanded our reach to 11 Data Centers across the globe, consistently delivering innovative solutions and exceptional service to our clients 24/7.

POSITION SUMMARY

Creative are seeking an individual who is eager and hungry to step into an IS Manager position for the first time.

  • Own and run an ISO/IEC 27001:2022‑aligned ISMS, including the Statement of Applicability and internal audit programme. The 2022 release consolidated the control set to 93 controls across four themes (Organisational, People, Physical, Technological), and demands a risk‑led justification for inclusions/exclusions in the SoA.
  • Lead Cyber Essentials Plus readiness (evidence capture and technical verification against the five control themes) for our organisation and client engagements.
  • Map and report security posture using NIST CSF 2.0, bringing the new Govern function into executive‑level conversations about risk, supply chain, and accountability.
  • Drive a practical control baseline with CIS Controls v8.1, starting at Implementation Group 1 (IG1) (“essential cyber hygiene”) and maturing towards IG2/IG3 as risk and resources warrant.
  • Run Third‑Party Risk Management (TPRM) with Procurement using Panorays for continuous supplier discovery, risk ratings, questionnaires, real‑time alerts, and remediation workflows.
  • Ensure security/compliance alignment with UK GDPR and the Data Protection Act 2018.

Lead and Own:
  • Audit performance: Reduction in ISO 27001/CE+ non‑conformities; timely closure of audit actions; clean certification outcomes.
  • Risk transparency: Executive‑ready dashboards across ISO/NIST/CIS; clear SoA rationale; measurable control coverage and effectiveness.
  • Supplier assurance: Increased supplier coverage in TPRM, faster onboarding cycle times, reduced high‑risk findings through Panorays‑guided remediation plans.
  • Compliance alignment: Evidenced alignment to UK GDPR/DPA 2018 for security safeguards, retention, and supplier processing controls.

About the frameworks you’ll use (for candidates who like the detail)
  • ISO/IEC 27001:2022 – Operate and audit an ISMS using 93 Annex A controls across four themes; maintain the Statement of Applicability (SoA) to justify included/excluded controls based on risk.
  • Cyber Essentials Plus (CE+) – Prepare for verified technical testing across the scheme’s five themes (Firewalls, Secure Configuration, User Access Control, Malware Protection, Security Update Management) and coordinate with IASME‑qualified assessors.
  • NIST CSF 2.0 – Use the Govern function alongside Identify/Protect/Detect/Respond/Recover to elevate security governance, supply‑chain risk, and accountability in Board discussions.
  • CIS Controls v8.1 – Start with IG1 (essential cyber hygiene) and evolve to IG2/IG3, prioritising safeguards that deliver the biggest risk‑reduction first.
  • Panorays – Automate supplier discovery, risk rating (“Risk DNA”), questionnaires, continuous monitoring, and vendor remediation plans to maintain real‑time visibility of third‑ to Nth‑party risk.

EDUCATION AND EXPERIENCE
  • Strong experience in an information security junior/senior analyst role, with demonstrable hands‑on delivery and stakeholder engagement.
  • Certifications: Already has or is actively working towards CISM, CRISC, CGEIT; ISO 27001 Lead Implementer/Lead Auditor (or equivalent experience).
  • Framework fluency: Confident operating an ISO/IEC 27001:2022 ISMS and preparing for Cyber Essentials Plus technical verification; familiarity with NIST CSF 2.0 and CIS Controls v8.1 (including Implementation Groups).
  • TPRM know‑how: Practical experience running or contributing to a TPRM programme (ideally with Panorays or a similar supplier rating platform).
  • Communication: Exceptional English report writing; able to present confidently at executive level; sharp eye for detail; skilled at translating technical/security/compliance concepts for non-specialists.
  • Mindset: Self-starter, hands‑on, outcome‑oriented, comfortable with ownership.
  • Exposure to CIS Implementation Groups rollout and control mapping (e.g., ISO 27001 Annex A ↔ NIST CSF categories ↔ CE+ technical controls).
  • Experience with cloud/SaaS risk (e.g., M365, Azure, AWS) and common enterprise tooling (e.g., SIEM, EDR, vulnerability scanners).
  • Knowledge of UK‑specific assurance approaches (e.g., NCSC supply chain guidance; CAF A4).

KEY JOB ELEMENTS - Responsibilities and Accountabilities
  • ISMS ownership: Establish, operate, and continuously improve our ISO/IEC 27001:2022 ISMS—maintaining scope, risk register, SoA, policies, metrics, corrective actions, and management reviews.
  • Internal audit & certification readiness: Plan and deliver internal audits for ISO 27001, Cyber Essentials Plus, NIST CSF, and CIS Controls; coordinate external audits and assessor activities; maintain an auditable evidence trail.
  • Control baselining: Define and maintain a control baseline that harmonises ISO 27001 Annex A with CE+, NIST CSF 2.0 categories/functions (including Govern) and CIS IGs (IG1→IG2), so we can evidence coverage and avoid duplication.
  • Third‑Party Risk Management: Operate the Panorays‑enabled TPRM lifecycle (onboarding assessments, continuous monitoring, alerts, vendor remediation plans, and reporting), in partnership with Procurement, Legal, and business owners.
  • Security reporting: Produce concise, high‑quality English reports and executive packs (KPIs/KRIs, audit status, risk heatmaps, supplier risk scores), and present at Senior Leadership/Board level.
  • Policy & awareness: Draft, publish, and maintain clear policies/standards; translate complex risk and compliance topics into approachable guidance for executives and end users.
  • Operational assurance: Support vulnerability management, incident response readiness, change control, and secure configuration baselines—aligning with the Cyber Essentials control themes for practical assurance.
  • Privacy & regulatory alignment: Embed security controls supporting UK GDPR/DPA 2018; collaborate with Privacy/Legal on DPIAs, supplier DPAs, and retention/disposal standards.

PERSON SPECIFICATION
  • Articulate and confident
  • Highly organised with a focus on high quality documentation and change management
  • Good interpersonal skills, friendly and approachable.
  • Can‑do approach and innovative by nature

We are an equal opportunity employer and value diversity in our workforce. All qualified applicants will receive consideration for employment without regard to race, colour, religion, gender, gender identity or expression, sexual orientation, national origin, age, disability, veteran status, or any other protected characteristic under applicable law. We are committed to creating an inclusive environment where everyone can thrive.
