Lead GRC Manager
Lebara Media Services Private Ltd
About
- The Lead Governance, Risk & Compliance (GRC) Manager is responsible for establishing, operating, and continuously improving the organisation's enterprise-wide compliance, risk, and security governance frameworks. This senior leadership role requires deep expertise across regulatory, industry, and cybersecurity standards, specifically the UK Telecoms Security Act (TSA), PCI DSS, ISO/IEC 27001, and NIS 2. You will act as the organisation's authoritative subject-matter expert, ensuring end-to-end compliance, overseeing risk posture, and enabling secure and resilient operations through structured governance and proactive risk management.
Responsibilities
- Governance & Compliance Leadership
- · Lead the design and operation of the organisation’s GRC strategy, ensuring alignment with business objectives and regulatory obligations.
- · Serve as the principal authority on:
- o Telecoms Security Act (TSA) & Code of Practice
- o Payment Card Industry Data Security Standard (PCI DSS)
- o ISO/IEC 27001 Information Security Management System (ISMS)
- o NIS 2 Directive requirements & associated national legislation
- · Maintain and continuously improve compliance roadmaps, policies, and controls across the enterprise.
- · Oversee the governance framework, ensuring effective risk ownership, reporting, and leadership engagement.
- Risk Management
- · Lead the enterprise risk management (ERM) programme, ensuring risks are identified, assessed, prioritised, and treated effectively.
- · Own the corporate risk register and report regularly to senior leadership, audit committees, and regulatory stakeholders.
- · Design and implement risk assessment methodologies to support security, operational, and regulatory decision making.
- Security Assurance & Control Oversight
- · Drive internal and external audit cycles (TSA compliance, PCI assessments, ISO 27001 audits, NIS 2 evaluations).
- · Oversee testing of security controls, including assurance reviews, control maturity assessments, and continuous compliance monitoring.
- · Ensure remediation actions are managed through to completion and embedded into business processes.
- Regulatory Engagement & Reporting
- · Support business units in their engagement with regulatory bodies and, for NIS 2, with national CSIRTs and competent authorities.
- · Prepare and deliver accurate regulatory submissions, compliance evidence, incident notifications, and executive reporting.
- Policy, Standards & Framework Development
- · Develop, own, and maintain enterprise information security policies and standards.
- · Ensure policies reflect current legal, regulatory, and industry practices, and are adopted consistently across the organisation.
- · Foster a strong risk-aware culture through training, awareness, and stakeholder engagement.
- Cross-Functional Leadership
- · Lead a high-performing GRC team and influence stakeholders across engineering, operations, legal, procurement, and product functions.
- · Provide expert guidance on secure-by-design initiatives and supplier risk management.
- · Support major programmes and transformation initiatives, ensuring compliance and risk considerations are integrated from inception.
Skills
- · Extensive experience working with:
- o UK Telecom Security Act & Code of Practice (TSA/SRF)
- o PCI DSS v4.0 including SAQ/ROC, segmentation, and control validation
- o ISO/IEC 27001:2022 and associated 27000-series standards
- o NIS 2 Directive, cybersecurity measures, governance requirements, and incident reporting obligations
- o NCSC Cyber Assessment Framework
- · Strong understanding of risk management frameworks (NIST, ISO 27005, ISO 31000, COSO)
- · Experience managing audits, external assessors, and regulatory reviews
- · Solid knowledge of the current threat landscape and operational security best practices.
- · Solid grounding in information security principles, controls, and assurance practices.
- · Experience overseeing technical and non-technical security controls.
- · Ability to shape long-term GRC strategy aligned to business objectives.
- · Strong understanding of network security, telecoms architecture and cloud platforms.
- · Experience with security tooling and GRC platforms such as OneTrust.
- · Proven ability to lead, coach, and develop a high-performing GRC team.
- · Skilled at influencing cross-functional stakeholders without direct authority.