Head of Information Security & Compliance

Colombo - Sri Lanka

Monthly Salary: Not Disclosed

Posted on: 9 hours ago

Vacancies: 1 Vacancy

Job Summary

Develop maintain and continuously improve the Banks information security governance framework
Define and manage the hierarchy of security policies standards procedures baselines and guidelines
Ensure governance documentation is aligned with regulatory legal business and technology requirements
Manage policy approval review cycles exceptions communication and compliance tracking processes
Support CISO in preparing governance reports dashboards papers and updates for committees and Board-level forums
Design and operate the enterprise cyber risk management framework aligned with overall risk management practices
Maintain the cyber risk register and ensure risks are tracked treated escalated and reported appropriately
Assess information security risks across projects digital initiatives cloud adoption outsourcing and third-party engagements
Define key risk indicators and reporting metrics to support executive and Board-level oversight
Manage risk acceptance and exception processes ensuring proper escalation and governance approval
Lead and operate the Information Security Management System aligned with ISO/IEC 27001:2022
Maintain ISMS scope risk methodology control mapping and Statement of Applicability
Coordinate internal reviews external audits certification activities and corrective action tracking
Ensure ISMS is effectively embedded into operational processes and not limited to documentation compliance
Maintain a register of regulatory legal contractual and standards-based security obligations
Translate compliance requirements into actionable control expectations and implementation guidance
Coordinate PCI DSS compliance activities including scope management vendor oversight and evidence readiness
Manage responses to regulatory audits inspections supervisory reviews and compliance inquiries
Establish and maintain third-party security governance frameworks for vendors cloud providers and outsourced partners
Define security requirements for vendor contracts including audit rights incident reporting and data protection clauses
Oversee third-party security assessments and ensure remediation of identified risks and gaps
Coordinate with procurement legal and business units on third-party risk governance
Lead coordination of internal and external audits regulatory assessments and certification exercises
Maintain audit findings register and track remediation progress to closure
Validate adequacy and quality of remediation actions and supporting evidence from control owners
Escalate unresolved or overdue audit and compliance issues to governance forums
Lead enterprise-wide security awareness and culture programs across all employee levels
Design awareness initiatives for general staff technical teams privileged users and senior management
Track participation effectiveness and behavioral improvement in security awareness programs
Promote strong security culture and policy adherence across the organization
Prepare executive-level reporting on cyber risk compliance posture audit status third-party risk and remediation progress
Support CISO reporting to Board committees including ISC BIRMC and other governance forums

Requirements

Bachelors degree in Information Security Computer Science Information Systems Engineering or related field
Postgraduate qualification is preferred
Professional certifications such as CISSP CISM CRISC ISO 27001
Lead Implementer or Lead Auditor are preferred
PCI DSS-related or compliance-focused certifications are an advantage
1520 years of experience in information security IT risk governance compliance audit or enterprise risk roles
At least 810 years of experience in banking or highly regulated industries
Strong experience in cyber risk management ISMS implementation audit coordination and security governance
Strong exposure to regulatory engagement compliance frameworks and third-party risk management
Strong ability to work with auditors regulators senior management and technical teams
Strong governance mindset with structured thinking and attention to detail
Strong communication and report writing skills for executive and Board-level audiences
Strong stakeholder management and ability to influence without direct authority
High professional judgment credibility and integrity in decision-making

Develop maintain and continuously improve the Banks information security governance frameworkDefine and manage the hierarchy of security policies standards procedures baselines and guidelinesEnsure governance documentation is aligned with regulatory legal business and technology requirementsManage p...

Develop maintain and continuously improve the Banks information security governance framework
Define and manage the hierarchy of security policies standards procedures baselines and guidelines
Ensure governance documentation is aligned with regulatory legal business and technology requirements
Manage policy approval review cycles exceptions communication and compliance tracking processes
Support CISO in preparing governance reports dashboards papers and updates for committees and Board-level forums
Design and operate the enterprise cyber risk management framework aligned with overall risk management practices
Maintain the cyber risk register and ensure risks are tracked treated escalated and reported appropriately
Assess information security risks across projects digital initiatives cloud adoption outsourcing and third-party engagements
Define key risk indicators and reporting metrics to support executive and Board-level oversight
Manage risk acceptance and exception processes ensuring proper escalation and governance approval
Lead and operate the Information Security Management System aligned with ISO/IEC 27001:2022
Maintain ISMS scope risk methodology control mapping and Statement of Applicability
Coordinate internal reviews external audits certification activities and corrective action tracking
Ensure ISMS is effectively embedded into operational processes and not limited to documentation compliance
Maintain a register of regulatory legal contractual and standards-based security obligations
Translate compliance requirements into actionable control expectations and implementation guidance
Coordinate PCI DSS compliance activities including scope management vendor oversight and evidence readiness
Manage responses to regulatory audits inspections supervisory reviews and compliance inquiries
Establish and maintain third-party security governance frameworks for vendors cloud providers and outsourced partners
Define security requirements for vendor contracts including audit rights incident reporting and data protection clauses
Oversee third-party security assessments and ensure remediation of identified risks and gaps
Coordinate with procurement legal and business units on third-party risk governance
Lead coordination of internal and external audits regulatory assessments and certification exercises
Maintain audit findings register and track remediation progress to closure
Validate adequacy and quality of remediation actions and supporting evidence from control owners
Escalate unresolved or overdue audit and compliance issues to governance forums
Lead enterprise-wide security awareness and culture programs across all employee levels
Design awareness initiatives for general staff technical teams privileged users and senior management
Track participation effectiveness and behavioral improvement in security awareness programs
Promote strong security culture and policy adherence across the organization
Prepare executive-level reporting on cyber risk compliance posture audit status third-party risk and remediation progress
Support CISO reporting to Board committees including ISC BIRMC and other governance forums

Requirements

Bachelors degree in Information Security Computer Science Information Systems Engineering or related field
Postgraduate qualification is preferred
Professional certifications such as CISSP CISM CRISC ISO 27001
Lead Implementer or Lead Auditor are preferred
PCI DSS-related or compliance-focused certifications are an advantage
1520 years of experience in information security IT risk governance compliance audit or enterprise risk roles
At least 810 years of experience in banking or highly regulated industries
Strong experience in cyber risk management ISMS implementation audit coordination and security governance
Strong exposure to regulatory engagement compliance frameworks and third-party risk management
Strong ability to work with auditors regulators senior management and technical teams
Strong governance mindset with structured thinking and attention to detail
Strong communication and report writing skills for executive and Board-level audiences
Strong stakeholder management and ability to influence without direct authority
High professional judgment credibility and integrity in decision-making