Business Information Risk Analyst (LONDON)

Ideas | People | Trust

Were BDO. An accountancy and business advisory firm, providing the advice and solutions entrepreneurial organisations need to navigate todays changing world.

We work with the companies that are Britains economic engine ambitious, entrepreneurially-spirited and highgrowth businesses that fuel the economy - and directly advise the owners and management teams that lead them.

Well broaden your horizons

The Quality and Risk Management Team (QRMT) at BDO comprises several sub-teams including the Legal Team, Enterprise Risk Management, Economic Crime, Quality Management, Ethics and Independence and Advisory and Compliance. It provides Partners and staff with the guidance, tools and support to enable them to identify and manage quality and risk issues. The QRMT is led by the Head of Quality and Risk Management Team, who is a partner who reports into the Head of Quality and Risk for the firm and sits on the BDO Leadership Team.

Well help you succeed

Leading organisations trust us because of the quality of our advice. That quality grows from a thorough understanding of their business, and that understanding comes from working closely with them and building long-lasting relationships.

Youll be someone who is both comfortable working proactively and managing your own tasks, as well as confident collaborating with others and communicating regularly with senior managers, directors, and BDOs partners to help businesses effectively. Youll be encouraged to identify and draw attention to opportunities for enhancing our delivery and providing additional services to organisations we work with.

Role Purpose

The Business Information Risk Analysts (BIRA) role is responsible for supporting the Chief Information Security Office (CISO) service to BDOs business streams to effectively manage information security risk. This role will play a key part in ensuring the effectiveness of BDOs information security risk management framework, procedures, and information security controls.

The BIRA role is a focal point for effective engagement between business streams and the CISO team. This role will be a trusted adviser to business stakeholders and provide broad knowledge of the firms security strategies, policies, standards, processes, and road maps to enable streams to understand and meet information security requirements.

The BIRA will take responsibility for assessing information security risk with the business and ensure that those risks are being managed by the risk owners. Where decisions are made to ac cept, reduce, share or avoid, the BIRA will ensure appropriate visibility and governance committees are informed.

This role reports to a Business Information Risk Officer (BIRO).

In this busy and rewarding role your principal accountabilities will be:

• Utilising BDOs information security risk management tools, procedures and control framework to ensure an accurate risk & control posture is understood and managed for each business stream.
• Maintain the Risk Register and monitor it to ensure that actions are appropriate for the risk and completed by the agreed target dates by engaging regularly with stakeholders.
• Support the business streams to identify , and maintain registers of information assets including infrastructure, systems, software, devices and data.
• Build and maintain effective relationships with the risk owners, risk managers and other stream stakeholders.
• Develop collateral and appropriate materials to support engagement with business stakeholders, to explain key information security concepts and build awareness of information security risk and BDOs control framework.
• Proactively identify and support risk owners and managers to manage and regularly review IS risks and issues for streams.
• Support the business to assess criticality of assets and services.
• Ensure that BDO policy and contractual obligations, and in turn compliance, is understood for each business stream.
• Identify and communicate metrics and reporting requirements to stakeholders that demonstrate security controls are effective.
• S upport creation of corrective action s and plans to manage improvement or change where necessary.
• Creation and maintenance of a security toolkit with templates of key processes and controls, communicated in language that is relevant and understandable to all audiences.
• P rovid e targeted security awareness, education, and risk briefings.
• Support the delivery of supplier security and client security due diligence activities.
• Assist with maintenance of the knowledge base of common information security questions and responses to ensure responses to the business are timely and accurate.
• Manage workload via AzureDevOps (ADO) ensuring that tasks allocated to you are completed withing agreed timeframes and progress/completion is reported to the owners of the outcomes.
• Proactively identify and escalate any factors that may impact the time, cost, or quality of allocated outcome before the impact is experienced by ensuring communication is clear and effective at all stages of the deliverable to the outcome owners.

Youll be someone with:

Knowledge & experience

• k nowledge and experience of information security risk management frameworks and procedures
• Experience of applying formal risk identification, assessment, and quantification methods
• Experience of stakeholder engagement and management to achieve defined outcomes
• Highly self-motivated with keen attention to detail
• The ability to build good relationships at all levels and influence stakeholders
• Excellent verbal, written and interpersonal communication skills. Listens and communicates technical subjects to both technical and nontechnical audiences, flexes style to suit the needs of the audience
• Ability to work with others effectively, with 3rd parties, internal teams, promoting knowledge sharing within and across teams
• A good understanding of security frameworks including ISO27001/2, Cyber Essentials Plus, CIS Top 20, Data Protection Act 2018, OWASP Top 10
• Have or be working towards relevant industry certification such as CISSP, CISM, CRISC or similar
• Good understanding of governance and decision making in complex organisations
• Knowledge and experience of continuous improvement processes and approaches
• Experience of documenting, developing and improving information security processes and procedures

Personal characteristics

• Strong team player able to collaborate effectively with colleagues and ]]>