Governance, Risk & Compliance (GRC) Lead

The Opportunity

National enterprise scale business is seeking a highly capable Governance, Risk & Compliance (GRC) Lead to drive the evolution of their security and risk landscape during a period of significant transformation and investment. This is a rare chance to step into a senior, influential position: shaping the GRC strategy, building capability, and ensuring regulatory excellence across a complex and high-profile environment.

The Role

Working as the right-hand to the Head of Information Security, you will:

Leadership & Ownership
  • Lead the entire GRC portfolio and shape a function that is still maturing.
  • Manage a small but growing team across multiple sites.
Governance & ISMS
  • Own the ISMS and drive the organisation’s journey to ISO 27001 certification.
  • Ensure ongoing Cyber Essentials and Cyber Essentials Plus compliance across the business.
  • Develop, maintain and embed policies, processes and governance structures.
Risk Management
  • Stand up and mature the IT risk management framework across the business.
  • Produce risk registers, KRIs, governance packs and executive-ready reporting.
  • Oversee and enhance third-party risk assurance.
Regulatory & Framework Compliance
  • Support delivery of obligations under the Security & Resilience Bill and CAF.
  • Provide guidance on NIS2 for international operations.
  • Anticipate evolving regulatory requirements and prepare the organisation accordingly.
Incident Response Governance
  • Lead scenario planning, readiness and policy work on the GRC side of incident response.
  • Work closely with the Security Operations Lead, who owns technical response.
The Person

With a strong background in GRC and ideally possessing an information security certification such as CISSP, CISM or CRISC, you will have:
  • The ability to interpret and challenge technical controls.
  • Experience managing or maturing an ISMS and delivering ISO 27001 compliance.
  • Solid IT risk management experience.
  • Strong communication skills with senior stakeholders, including exec-level reporting.
Most importantly you will be:
  • Practical, hands-on, comfortable shaping a function that is still developing.
  • Able to influence, challenge and communicate with technical stakeholders.
  • Detailed in documentation, audit readiness and governance reporting.
Exposure to public-sector aligned frameworks (CAF, NIS/NIS2) will be beneficial, though not essential.

Job Details

Company
Nigel Wright Group
Location
Newcastle Upon Tyne, Tyne and Wear, England, United Kingdom
Employment Type
Full-Time
Salary
£70,000 - £75,000 per annum
Posted