Information Security Manager

SCS Railways, City of Westminster


  • Part time
  • Permanent
  • Remote working

Posted 2 days ago, 4 Jun

Closing date: Closing date not specified

Job ref: 7fb20d5af71843a1b54c5964aa469420

Location ref: City of Westminster

Full Job Description

The InfoSec Manager owns and drives the SCS's Information Security Management System (ISMS), ensuring it stays certified, compliant, and continually improving. The role is accountable for maintaining compliance with ISO 27001, Cyber Essentials Plus, and the HS2 information security requirements set out in WI-835, including BPSS screening and UK-based data hosting. Their purpose is simple: achieve, maintain, and demonstrate full compliance for the duration of the project, while strengthening security governance, reducing risk, and always keeping the ISMS audit-ready.

  • Lead the implementation, maintenance, and continual improvement of the Information Security Management System (ISMS) in line with ISO 27001.
  • Ensure the ISMS remains audit-ready, risk-driven, and aligned with organisational and contractual requirements.
  • Own and maintain the full suite of ISMS documentation including policies, processes, procedures, standards, and records.

Certification & Compliance

  • Achieve and maintain ISO 27001 certification, ensuring controls, evidence, and processes remain compliant year-round.
  • Achieve and maintain Cyber Essentials Plus certification, leading the implementation of required technical and organisational controls.
  • Ensure compliance with HS2 WI-835 requirements, including BPSS screening and UK-based data hosting.
  • Lead a comprehensive audit programme (internal, external, CE+, penetration testing) to assess control effectiveness and drive corrective actions.

Risk Management

  • Maintain and communicate an effective information security risk management framework that enables informed decision-making at senior levels.
  • Drive proactive risk identification, assessment, treatment, and monitoring across the organisation.
  • Recommend and deploy organisational and technical controls that are proportional, cost-effective, and aligned with risk appetite and available resources.

Security Culture & Awareness

  • Champion a strong security culture across SCS JV, ensuring policies and expectations are understood and embedded.
  • Lead the design and delivery of security training and awareness, ensuring all staff - from the board to delivery units - maintain good security behaviours.

Operational Security Leadership

  • Influence and support process owners to improve their processes where security weaknesses are identified.
  • Work within and improve existing processes to enhance security governance and operational efficiency.
  • Ensure security requirements are considered in projects, procurement, supplier onboarding, and change initiatives.

Team Leadership & Capability

  • Lead, mentor, and develop junior InfoSec team members, ensuring the team has the competence and capability to run an effective ISMS.
  • Influence senior managers to secure the necessary resources to sustain and improve the security function.

Continuous Improvement

  • Drive continual improvement of security controls, behaviours, and processes in line with ISO 27001, Cyber Essentials, and industry best practice.
  • Track emerging risks, threats, and compliance changes, ensuring the ISMS evolves to remain effective and relevant.

HS2, working with Skanska, Costain and STRABAG, closely monitors job applications to ensure an inclusive recruitment process. To ensure we are able to maintain this, and to recruit a diverse workforce, we require candidates to complete the diversity form as part of their application so we are able to monitor and improve our approach to diversity. Please note, all responses are anonymous and we will not share any of your data with other parties. All data will be held securely (as stated within the Data Protection Act 2018 and UK GDPR) and will be reported to HS2.

    Essential:
  • Demonstrable experience working with ISO27001 and / or an ISO27001 aligned ISMS.
  • Demonstrable experience working with Cyber Essentials.
  • Certified Information Security Manager (CISM) or equivalent qualification.
  • Demonstrable understanding of cloud technology.
  • Demonstrable working understanding of security technology and how it's deployed to create effective technical controls, for example: Firewalls, IDP, IAM, MFA, SSO, DLP, CASB, MDM, EDR etc.
  • Demonstrable risk management knowledge and how to influence senior management to make informed decisions on risk treatment.
  • Working knowledge of Microsoft 365 and its associated applications, for example: Windows, Word, Excel, PowerPoint etc.
  • Working knowledge of the UK Data Protection Act (DPA) / GDPR.
  • Demonstrable good level of written and spoken English.

    Desirable:
  • A commonly identifiable security qualification, e.g. CISA, CRISC, CDPSE, CGEIT, CCOA, CISSP etc.
  • Experience of other InfoSec standards such as NIST, PCI-DSS, SOC etc.
  • Working knowledge of Microsoft 365 / Azure security.
  • Experience in leading audit processes, for example internal, external and / or pen testing.
  • Experience in recent cyber security incidents.
  • Expert knowledge of Microsoft 365 and its associated applications, for example: Word, Excel, PowerPoint etc.
  • Good knowledge of the UK Data Protection Act (DPA) / GDPR.

  • A physical or mental impairment which has a substantial and long-term (over 12 months) adverse effect on your ability to carry out normal day-to-day activities
  • Demonstrated in your application and pre-interview stage that you meet the minimum job criteria and person specification for the role

    The role will work on the HS2 project. HS2 is the UK's new high speed rail network. It will be a catalyst for economic growth across Britain, freeing up space on the existing railways and connecting 8 out of the UK's 10 biggest cities with fast, reliable and frequent high speed services.

    The Skanska | Costain | STRABAG (SCS JV) is delivering the HS2 London Tunnels Contract. Scope of works includes twin-bored tunnels (TBM), SCL tunnels, shaft sinking, bridge demolition and reconstruction, services diversions, earthworks and the construction of site compounds. You'll be a welcomed member of the wider team, with opportunities to take on additional responsibility, join our EDI Champions program or support the local community (e.g. as a STEM ambassador). Your personal and professional development is important to us. We welcome a discussion about how we can support you with further study, or professional membership or attainment for example.

    Flexible working: We welcome you to ask about the flexibility you need. This might be part-time, remote working, or compressed hours for example. Anyone who applies for a role can ask about flexibility at interview. In return, we will explore what is possible for the role.

    Salary: Competitive with excellent benefits package

Direct job link

https://www.jobs24.co.uk/job/information-security-manager-126931139