The Information Security Analyst supports the governance, risk, and compliance (GRC) aspects of information security, including risks associated with artificial intelligence (AI), ensuring alignment with regulatory requirements, internal policies, and established governance frameworks.

The role contributes to the continuous improvement and operation of information security risk management, control assurance, and compliance processes, leveraging data analytics and AI‑enabled techniques where appropriate, and aligning with international best practices such as NIST and ISO standards, as well as national regulations and guidance including TCRMG.

The position provides accurate risk analysis, compliance insights, and reporting to support effective oversight, assurance, and informed decision‑making by Information Security leadership and key internal stakeholders.

Performance

• Support the effective operation of the Bank’s information security governance, risk, and compliance (GRC) activities, including governance of artificial intelligence (AI) and data‑driven technologies, in line with approved frameworks and policies.
• Contribute to the ongoing enhancement and maintenance of information security and AI‑related GRC processes to ensure alignment with regulatory requirements, internal governance standards, and recognised international best practices (e.g. NIST, ISO).
• Perform and support assigned GRC activities, including reviews, assessments, and analysis of information security and AI‑related controls, and assist with the documentation, tracking, and follow‑up of identified issues.
• Maintain accurate, complete, and up‑to‑date information security and AI governance artefacts, including registers, assessments, policies, standards, and supporting documentation.
• Provide GRC input for projects, significant changes, new technologies, third‑party engagements, and AI initiatives to ensure governance, risk, and compliance considerations are addressed.
• Prepare clear, timely, and reliable information security and AI‑related GRC reporting and analysis to support management oversight and informed decision‑making.

KPIs

• Complete assigned information security GRC activities (e.g. risk, policy, compliance, assurance tasks) within agreed timelines and service expectations.
• Ensure information security documentation, registers, assessments, policies, and compliance artefacts assigned to the role are accurate, current, and complete, with no material quality issues identified.
• Support ongoing alignment of information security practices with internal policies, governance frameworks, and applicable regulatory or supervisory requirements.
• Track, follow up, and support resolution of assigned information security issues, findings, or action items, achieving a high rate of on‑time completion or appropriate escalation.
• Provide timely GRC input into projects, changes, new technologies, and initiatives assigned to the role, ensuring governance and compliance considerations are addressed.
• Support internal audits, external audits, and regulatory reviews by delivering requested information, evidence, and analysis accurately and within required timeframes.
• Maintain effective working relationships with internal stakeholders, demonstrated through timely responses, constructive engagement, and positive feedback.
• Prepare clear, concise, and reliable reports, summaries, and analysis to support Information Security and management decision‑making.
• Identify and contribute to improvements in information security GRC processes, tools, controls, or ways of working, aligned with regulatory expectations and industry best practices.
• Complete agreed learning and development objectives annually and apply new knowledge or skills to improve role effectiveness.
• Support governance, risk, and compliance activities related to AI or data‑driven technologies within assigned scope, in line with internal policies and emerging regulatory guidance.

Customer Service

• Support the business in achieving its objectives securely by providing timely, accurate, and practical GRC advice and support.
• Deliver high‑quality, professional services to internal stakeholders by adhering to internal policies, procedures, and agreed service level expectations.
• Build and maintain effective working relationships with business units, technology teams, and control functions to support information security risk and compliance activities.
• Communicate clearly and constructively with internal stakeholders to enable consistent, efficient, and positive engagement.
• Contribute to a collaborative team environment, demonstrating professionalism, accountability, and a strong commitment to supporting internal customers and shared objectives.

Management and Compliance

• Operate as part of the second line of defence, supporting independent oversight and effective challenge of information security and AI‑related risks, controls, and risk treatment activities across the Bank.
• Support alignment of information security risk management practices with the Bank’s Total Corporate Risk Management Governance (TCRMG) framework and recognised standards, including NIST and ISO/IEC 27001/27005.
• Assist with the identification, assessment, documentation, reporting, and escalation of information security risks, ensuring consistency with the Bank’s risk appetite and regulatory expectations.
• Contribute to the preparation and coordination of information security‑related audits, regulatory reviews, and assurance activities, ensuring timely, accurate, and complete responses.
• Prepare information security and GRC reports, analyses, and documentation promptly and to a high standard, as required by management and stakeholders.

Learning and Growth

• Proactively develop and maintain a personal development plan, aligned with role requirements and discussed regularly with the line manager.
• Seek and provide constructive feedback to support continuous improvement in ways of working, service quality, and professional conduct.
• Commit to continuous learning by staying up to date with the Bank’s policies, procedures, risk frameworks, regulatory requirements, and relevant information security and AI governance practices.
• Apply acquired knowledge and skills to enhance individual performance, contribute effectively to team objectives, and support the ongoing maturity of the Information Security GRC function.

Qualifications

• Bachelor’s or Master’s degree in Information Technology, Computer Science, Information Security, or a related technical or risk management discipline.
• One or more of CISSP, CISM, ISO27001, CRISC, CGRC, COBIT, COSO

Experience

• Minimum of 5 years’ professional experience in Information Technology, Information Security, or related fields, with demonstrable exposure to governance, risk, and compliance activities.
• Good working knowledge of information security and risk management frameworks and standards, such as NIST, ISO/IEC 27001/27005, COBIT, COSO, ISACA, and ISC².
• Hands‑on experience supporting the development, implementation, or maintenance of information security GRC processes, including risk assessments, compliance activities, policy management, or assurance support.
• Experience developing, reviewing, or maintaining information security documentation, such as policies, standards, procedures, risk registers, and assessment artefacts.
• Strong analytical skills with the ability to assess information, identify issues, and clearly summarise findings for reporting and follow‑up actions.
• Effective written and verbal communication skills, with the ability to engage constructively with technical and non‑technical stakeholders.
• High level of integrity, professionalism, and accountability, with a strong attention to accuracy and detail.
• Experience supporting audits, regulatory reviews, or internal assurance activities.
• Exposure to AI, data‑driven technologies, or technology risk governance is an advantage.