Full-Time
Security Engineer – Governance, Risk and Compliance (GRC), London
To apply for this job please visit job-boards.greenhouse.io.
Expiration Date: March 15, 2026
Your impact
As a Senior Security Engineer – GRC, you will play a crucial role in establishing and maintaining a robust security governance framework at Isomorphic Labs. Your work will be instrumental in ensuring the organisation’s compliance with industry standards and regulations, enabling research programs and building trust with key partners. You will contribute to fostering a culture of security awareness and operational excellence, directly impacting the company’s ability to achieve its ambitious goals.
What you will do
- Spearhead the development of IsoLabs’ Information Security Management System (ISMS) and guide the organisation through ISO 27001 certifications.
- Implement and continuously improve security policies and technical controls, ensuring alignment with industry best practices and operational excellence.
- Monitor and maintain compliance with regulations, third-party requirements, and internal security policies, identifying and proactively addressing potential gaps.
- Partner with TechOps, Data Engineering, Legal and Product teams to implement robust data governance solutions, encompassing data labelling, access control, audit trails, de-identification, and data lifecycle management.
- Lead Infosec projects in collaboration with Machine Learning and Drug Discovery teams.
- Develop and execute internal audit programs, and effectively respond to external audits and due diligence requests.
- Leverage your technical knowledge to define risk management plans, secure vendor solutions and meet third-party requirements.
- Actively contribute to IsoLabs’ security awareness program, fostering a strong security culture throughout the organisation.
- Manage Vendor Security Assessment operations and drive continuous improvement of these processes.
- Support the implementation and enhancement of Incident Management and Vulnerability Management policies.
- Partner with Legal and Privacy teams to ensure security practices align with legal and regulatory requirements, particularly concerning data privacy and protection.
- Establish and report on Key Performance Indicators (KPIs) to demonstrate the effectiveness of security operations on business outcomes.
Skills and qualifications
Essential:
- Strong IT and cybersecurity technical background, including experience with major cloud platforms.
- Demonstrated experience developing and implementing security policies, standards, and procedures.
- Solid understanding of risk management frameworks and industry-specific compliance requirements (e.g., ISO/IEC 27001, GDPR, HITRUST).
- Excellent communication and interpersonal skills, with the ability to explain complex security concepts to diverse audiences.
- Practical experience with data governance and privacy controls, including data classification, audit trails, de-identification and data lifecycle management.
- Strong analytical and problem-solving skills, with the ability to differentiate true risks from over-compliance and develop creative solutions that balance business needs with risk mitigation.
- Extensive experience with external audits and leading certification processes.
- Proven ability to act as a project manager and collaborate effectively with cross-functional teams.
- Demonstrated ability to effectively manage and prioritise multiple projects simultaneously, meeting deadlines and delivering results.
Nice to have:
- Experience building and operating a Trusted Research Environment and/or Trusted ML Environments.
- Experience in the BioTech and Pharma industry.
- Experience streamlining Vendor Security Assessments (VSAs).
- Familiarity with the unique challenges of a fast-paced, high-growth environment.
- Solid understanding of security in a computational- and AI-first environment.
- Experience protecting sensitive scientific and personal data.
- Relevant certifications (e.g., CISM, CISA, CISSP, ISO 27001 Lead Implementer/Auditor).
- Experience with security automation tools and technologies.
- Contribution to open-source security projects or participation in security communities.