Manager – Information Security & Data Privacy

Godrej Industries Group
India · Full-time · Mid-Senior

Key Responsibilities:

1. ISMS Governance & Framework Management

  • Own the sustenance and continual improvement of the ISMS aligned to ISO 27001 and NIST CSF.
  • Lead policy, standard, and procedure lifecycle management (drafting, review, approvals, periodic updates).
  • Drive ISMS lifecycle activities including risk assessments, SoA reviews, corrective action management, and management reviews.
  • Define, monitor, and report ISMS KPIs, KRIs, and control effectiveness metrics.


2. Information Security Risk Management

  • Own identification, assessment, tracking, and reporting of information security risks.
  • Guide business and IT teams in executing risk treatment and mitigation plans.
  • Lead periodic enterprise risk assessments, threat reviews, and control validation exercises.


3. Third Party Information Security Risk

  • Own vendor information security risk governance and assessments.
  • Review vendor risk ratings, gap remediation, and closure status.
  • Coordinate with IT, Legal, Procurement, and Business Units to enforce security requirements.


4. Audit, Compliance & Regulatory Management (ISMS)

  • Lead internal and external ISO 27001, statutory, and ITGC audits end-to-end.
  • Drive timely closure of audit observations and non‑conformances with clear ownership.
  • Maintain ISMS documentation, audit trails, evidence, and audit readiness across business units.


5. Data Privacy Governance & DPDP Compliance

  • Own the organization-wide Data Privacy governance framework aligned to the DPDP Act and ISO 27701.
  • Ensure implementation and sustenance of privacy policies, notices, and internal guidelines.
  • Act as primary liaison with Legal and Business teams on privacy compliance matters.


6. Privacy Risk, Assessments & Third‑Party Privacy

  • Lead privacy risk assessments, DPIAs, and data flow reviews across business units.
  • Oversee privacy due diligence of vendors handling personal data.
  • Track remediation of privacy risks and contractual privacy obligations.


7. Information Security & Data Privacy Awareness and Culture

  • Own the organization‑wide Information Security and Data Privacy awareness strategy, with a strong focus on building a sustainable security‑ and privacy‑first culture.
  • Design and drive integrated awareness programs covering information security, privacy (DPDP), acceptable use, data handling, and cyber hygiene, aligned to business risk priorities.
  • Move beyond compliance training to behavioral change, embedding security and privacy considerations into everyday decision‑making and business processes.
  • Lead enterprise initiatives such as phishing simulations, targeted campaigns, leadership messaging, policy awareness, and risk‑based communications.
  • Act as a custodian of security and privacy culture, influencing leadership and employees to treat information protection as a shared responsibility.


8. Reporting, Automation & Leadership Engagement

  • Own ISMS and Privacy dashboards for leadership and governance forums.
  • Track VA/PT findings and closure status.
  • Identify and drive automation opportunities across GRC, access reviews, evidence collection, vendor assessments, and reporting.
  • Lead governance review meetings, track action items, and drive accountability.


Must-Have / Strongly Preferred:

  • ISO 27001: ISO 27001 Lead Implementer or ISO 27001 Lead Auditor (at least one is strongly preferred)
  • Information Security / GRC certification: CISA (Certified Information Systems Auditor), CRISC (for risk-focused roles), or an equivalent governance / audit-centric certification
  • Privacy certifications such as: CIPP/E, CIPP/Asia, or equivalent; DPO / Privacy Practitioner programs (India-focused preferred); formal training on the DPDP Act or structured privacy implementation programs


Qualification:

  • Bachelor's degree in Information Security, Computer Science / IT, Engineering, or an equivalent relevant discipline
  • Post-graduate qualification in Risk / Compliance / Information Security is a plus.


Experience:

8–10 years total experience, with:

  • At least 4–6 years in Information Security, ISMS, GRC, Risk, or Compliance roles
  • Hands-on experience in:
      ◦ ISO 27001 ISMS implementation/sustenance
      ◦ Audit handling (internal & external)
      ◦ Risk assessments and remediation tracking
      ◦ Stakeholder coordination across functions

Posted: Apr 20, 2026
Type: Full-time
Level: Mid-Senior
Location: Mumbai
Industries: Information Services
Categories: Information Technology
