Information Security & Compliance Manager

Blue Matter


Job Location:

London - UK

Monthly Salary: Not Disclosed
Posted on: Yesterday
Vacancies: 1 Vacancy

Job Summary

Blue Matter is a rapidly growing strategic consulting firm serving clients in the life sciences industry. We partner with our clients to help them achieve commercial success across the lifecycle of their products portfolios and organisations. Our project types include new product planning launch strategy & planning brand & life cycle planning and corporate & portfolio strategy across a variety of specialty therapeutic areas.

We have a unique entrepreneurial culture and invest in building Blue Matter to be one of the best places to work. We have a strong global presence with offices in the US (San Francisco New York Boston) Europe (London Zurich Netherlands) and India (Mumbai Gurgaon Pune).

Why this role exists
Our clients are among the most security- and privacy-conscious organizations in the world and they trust us with highly sensitive commercial and scientific information. At the same time our internal AI platform BlueCortex is becoming central to how we serve them which raises both the stakes and the opportunity around how we govern data and technology.

As we grow we need a dedicated owner for information security and compliance. This role sits in our Technology & Operations team and is based in the UK giving us strong coverage of GDPR and UK GDPR obligations alignment with European clients and subsidiaries and time-zone support for our global team.

This is a hands-on high-ownership role not a tick-box function. Youll build and run the firms security and compliance program end-to-end and youll be the trusted point of contact when clients ask how we protect their data. Its ideal for someone who wants to shape a program in a fast-moving AI-forward consultancy rather than maintain one that already exists.
What youll do
Security governance and strategy
  • Own and run Blue Matters information security program end-to-end including for BlueCortex.
  • Define maintain and operationalize security policies standards and procedures and keep them current as the firm scales.
  • Maintain the risk register run regular risk assessments and drive remediation to closure.
  • Report on security and compliance posture to leadership in clear business-oriented terms.

Compliance and certifications
  • Drive certification and attestation efforts (e.g. ISO 27001 and/or SOC 2): design and maintain the control framework own the documentation and evidence and lead internal and external audits.
  • Build a sustainable always-audit-ready approach rather than a once-a-year scramble.
  • Track relevant regulatory and framework developments and translate them into practical action.

Data protection and privacy
  • Lead data protection under GDPR and UK GDPR; act as or closely support our Data Protection function.
  • Maintain records of processing (RoPA) conduct Data Protection Impact Assessments (DPIAs) and own data-handling retention and minimization policies.
  • Manage data subject requests and any personal-data incidents including regulator and individual notifications where required.
  • Oversee data transfer mechanisms and data residency considerations across our global footprint and subsidiaries.

Client security assurance
  • Own the response to client security due-diligence: complete security questionnaires and assessments from biopharma and medtech clients accurately and on time.
  • Support commercial and contractual discussions on security privacy and data processing terms (e.g. DPAs).
  • Maintain a library of reusable security documentation certifications and answers to accelerate client reviews.

Microsoft 365 security operations
  • Secure and govern our Microsoft 365 environment Entra ID Microsoft Defender Microsoft Purview and Intune.
  • Own identity and access management: conditional access MFA privileged access joiner/mover/leaver processes and least-privilege enforcement.
  • Implement and tune data loss prevention (DLP) information protection/labelling and device compliance.
  • Partner with IT on secure configuration patching and endpoint hardening.

Third-party and vendor risk
  • Run third-party and vendor risk management across our supply chain including security review of new tools and AI/SaaS vendors.
  • Maintain an inventory of vendors and their data access and reassess risk on a regular cadence.

Incident response and investigations
  • Own the incident response plan; lead detection triage investigation containment and post-incident review.
  • Investigate security events (for example analysing Entra ID sign-in and audit logs) and produce clear actionable incident reports.
  • Run tabletop exercises so the firm is prepared before an incident happens.

Security awareness and culture
  • Build and deliver security awareness training and phishing simulations.
  • Make security approachable and practical so the whole firm becomes a partner in protecting client data.

What success looks like
  • First 90 days: Youve assessed our current posture identified the highest-priority risks and gaps and built a clear prioritized roadmap. Youre already the point person for client security questionnaires.
  • First 6 months: Core policies are in place and adopted the M365 security stack is meaningfully hardened vendor risk and incident response processes are operating and certification/attestation work is underway with a credible plan.
  • First year: The firm has a mature sustainable security and compliance program; a defensible data-protection posture under GDPR/UK GDPR; and a smoother faster client security-review process.

What youll bring
  • 5 years of experience in information security and/or GRC ideally in an environment that handles sensitive client data (regulated industries professional services SaaS or similar).
  • Strong practical knowledge of GDPR and UK GDPR and day-to-day data protection.
  • Hands-on experience with ISO 27001 and/or SOC 2 implementation and audits.
  • Working familiarity with the Microsoft security stack (Entra ID Defender Purview Intune).
  • Experience responding to client/customer security assessments and questionnaires.
  • One or more relevant certifications for example CISSP CISM CISA CRISC ISO 27001 Lead Implementer/Auditor CIPP/E or CIPM or equivalent demonstrable experience.
  • Based in the UK with the right to work and comfortable supporting a globally distributed team across time zones.
  • Excellent written and verbal communication: you can translate security and risk into plain business language for leadership clients and colleagues.

Strongly preferred
  • Experience standing up or maturing a security/compliance program (not only operating an established one).
  • Familiarity with EU and UK regulatory developments such as NIS2 and DORA.
  • Experience managing third-party/vendor risk for SaaS and AI tooling.

Nice to have
  • Exposure to life sciences or pharma and awareness of GxP GDP or healthcare data considerations (e.g. HIPAA for US-facing work).
  • Experience establishing data-protection or data-risk practices.
  • Experience supporting M&A or subsidiary integration from a security and compliance perspective.

Who thrives here
  • Builders who want to own a program and shape it not just keep the lights on.
  • Pragmatic risk managers who right-size controls to the business instead of defaulting to maximum friction.
  • Clear communicators who can earn trust with clients leadership and engineers alike.
  • People genuinely interested in the security and governance challenges of a modern AI-forward firm.

How we work
A small capable Technology & Operations team with real ownership and direct access to leadership. Youll have the autonomy to build the program the right way and the visibility that comes with being the firms security and compliance lead. This is a remote/hybrid role based in the UK with occasional travel for team collaboration.

Required Experience:

Manager

Blue Matter is a rapidly growing strategic consulting firm serving clients in the life sciences industry. We partner with our clients to help them achieve commercial success across the lifecycle of their products portfolios and organisations. Our project types include new product planning launch str...

About Company

Company Logo

Blue Matter is a group of management consultants passionate about adding value at every stage of the product and company lifecycle.

View Profile View Profile