Assistant Manager

Bangalore, Karnataka, India

KPMG India

Welcome to KPMG International.


The Information Assurance team is the 2nd Line of Defence, ensuring KPMG manages information security and data privacy risk and compliance in line with legislative, regulatory & client obligations, enabling the trust and growth agenda.

As an Information Assurance Assistant Manager, you will be responsible for supporting the delivery of the supply chain risk and assurance compliance programme. You will collaborate with teams across the firm to navigate complexities of the supply chain and ensure suppliers are compliant with KPMG security and data protection and privacy requirements, helping to minimise risk to our employees, clients and audited entities. 

The Information Assurance Assistant Manager will apply their supply chain risk and assurance skills to perform all relevant duties as part of the Information Assurance team. 

  • Act as a trusted advisor to stakeholders, supporting the provision of accurate, appropriate, timely assurance information regarding the KPMG supply chain across capabilities and firmwide. 
  • Support the identification of emerging trends and issues with the KPMG supply chain to shape and inform the KPMG risk posture. 
  • Tactically deliver allocated activity from the annual service roadmap to defined standards and service levels.  
  • Support the delivery of the annualised audit schedule, with a strong understanding of a risk based approach. 
  • Be proactive in identification of continuous improvements to foster positive change within the Information Assurance team, seeking innovative solutions to enhance practices.
  • Deliver the 2nd LoD Supply Chain audit activity to monitor supply chain compliance against regulatory, client, global and local policy & standard requirements, including ISO27001. 
  • Support the ongoing need to ensure that all supplier contracts include standardised Information Security and Data Privacy statements. 
  • Provide support to report on Supply Chain Assurance metrics, providing insights into compliance and risk, highlighting areas for improvement. 
  • Log all findings in the GRC tooling, track, review and monitor remediation results and associated evidence, supporting sign off where appropriate.
  • Work with finding owners to ensure remediation action plans are defined and delivered in a timely manner.
  • Support the analysis, thematic review and consolidation of findings, and recommend risk treatment plans to reduce risk for the firm.
  • Ensure audit work is documented in accordance with business standard and fully supports conclusions and overall opinion through 1st / 2nd level reviews
  • Ensure that all work is delivered to a high standard
  • Conduct other Information Security & Privacy audit activity on behalf of KPMG (i.e. SOC2) where appropriate.
  • Strong stakeholder management skills, the ability to collaborate and develop relationships internally and externally 
  • Experience advising on supply chain matters, with appropriate background in developing and implementing supply chain risk and assurance frameworks 
  • Excellent ability to conduct audits in an effective and efficient manner
  • Working knowledge of ISO27001, Cyber Essentials/ Cyber Essentials Plus, NIST Cybersecurity Framework, CIS, SOC2, Data Protection (UK GDPR, DPA, PECR) and experience of operational implementation
  • An understanding of ancillary frameworks (EU AI Act, UK AI Frameworks)
  • Experience of developing processes to deliver service improvements 
  • Excellent analytical and reporting skills, using presentation tools to present complex information with exceptional attention to detail
  • Excellent communication skills, both written and verbal
  • Well organised and able to maintain a high workload efficiently at a consistently high standard 
  • Strong knowledge of information security controls 
  • Experience of working with GRC tools (ServiceNow) and supplier management tools (Coupa, Bitsight). 
  • Understanding of a 3 lines of defence model (risk & assurance)
  • Be highly motivated and able to work on own initiative, ability to seek support when required.  

Additional Requirements:

  • Significant experience in information security and supply chain risk and assurance.
  • Certifications in information security, such as CISM, CISMP, CISSP.
  • Auditor qualifications, CISA, ISO27001 Lead Auditor, GIAC or equivalent.
  • ITIL foundation certificate or above desirable

 

Category: Leadership Jobs

Tags: Audits CISA CISM CISSP Compliance GDPR GIAC ISO 27001 ITIL NIST Privacy SOC 2

Region: Asia/Pacific
Country: India
