Wpp
Wpp6h ago
New

ISMS and Risk Officer

OtherRisk Officer
0 views0 saves0 applied

Quick Summary

Overview

WPP is the trusted growth partner for the world’s leading brands. We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production,

Technical Tools
OtherRisk Officer

 

  • Department: Data & Technology Solutions (DTS)
  • Reports To: SVP Security and Compliance
  • Location: [London/Hybrid]
  • Position Type: Full-Time

The ISMS and Risk Officer (DTS) is responsible for managing and continuously improving the Information Security Management System (ISMS) across Data & Technology Solutions. You will ensure that security policies, controls, risks, exceptions, and governance processes are properly maintained, evidenced, reviewed, and acted upon.

Reporting to the SVP Security and Compliance, you will provide the operational backbone for security governance across DTS. This is a hands-on Governance, Risk, and Compliance (GRC) role. You will collaborate across security, product, engineering, infrastructure, architecture, legal, risk, compliance, and delivery teams to transform security governance into a dynamic, working management system rather than a static documentation exercise.


Responsibilities

~1 min read
  • Manage the day-to-day operation and continuous improvement of the DTS ISMS.
  • Maintain the ISMS framework, documentation, control library, policies, standards, and procedures.
  • Ensure the ISMS accurately reflects how DTS operates across products, platforms, infrastructure, data, and engineering.
  • Support alignment with frameworks such as ISO 27001, SOC 2, GDPR, HIPAA (where applicable), and wider WPP security requirements.
  • Ensure ISMS artefacts are version-controlled, approved, reviewed, and communicated appropriately.
  • Maintain clear evidence of security governance activity, control operation, risk treatment, and management reviews.
  • Own the lifecycle of DTS security and compliance policies, standards, procedures, and control documentation.
  • Coordinate policy reviews with Security, Architecture, Infrastructure, Engineering, Product, Legal, Risk, and Enterprise Technology stakeholders.
  • Ensure policies are practical, clear, enforceable, and aligned with DTS's operating reality.
  • Track policy exceptions, waivers, compensating controls, and review dates.
  • Ensure policy changes are communicated and seamlessly embedded into operational processes.
  • Establish and continuously run the DTS Risk Review Board.
  • Define the Board’s cadence, agenda, inputs, outputs, attendees, and escalation routes.
  • Prepare comprehensive risk packs, dashboards, decision logs, and action trackers.
  • Ensure risks are presented clearly, consistently, and with appropriate supporting evidence.
  • Track decisions, owners, due dates, mitigations, exceptions, and residual risks.
  • Escalate risks exceeding agreed thresholds to the SVP Security and Compliance, DTS leadership, the CISO office, or other appropriate forums.
  • Own and maintain the central DTS security and compliance risk register.
  • Capture, assess, categorise, and maintain security, compliance, privacy, operational resilience, third-party, and technology risks.
  • Ensure all risks have clear descriptions, owners, likelihood/impact ratings, inherent risk scores, mitigations, residual risk scores, treatment plans, and target dates.
  • Partner with risk owners to ensure mitigations are realistic, funded, and actively progressed.
  • Track overdue risk actions and escalate insufficient progress.
  • Produce regular risk reporting for DTS leadership and wider WPP governance forums.
  • Support ongoing assurance activity by ensuring controls are consistently evidenced, tested, and reviewed.
  • Maintain control evidence for ISO 27001, SOC 2, client assurance, internal audits, and other compliance needs.
  • Coordinate evidence collection from Engineering, Infrastructure, Security, Product, HR, Legal, and Enterprise Technology.
  • Identify gaps between documented controls and actual operating practices, tracking remediation plans.
  • Support DTS compliance obligations (ISO 27001, SOC 2, HIPAA, GDPR-related controls, and client-specific requirements).
  • Help prepare for internal/external audits, client reviews, security questionnaires, and due diligence exercises.
  • Maintain an organized, always-ready evidence library and audit trail.
  • Support management reviews required by ISO 27001 and other governance frameworks.
  • Manage the formal process for security exceptions, policy waivers, risk acceptances, and remediation plans.
  • Ensure exceptions are documented, reviewed, approved, time-bound, and assigned to accountable owners.
  • Track compensating controls, monitor residual risk, and manage the renewal/escalation of expired exceptions.
  • Help assess security and compliance risks associated with vendors, partners, tools, platforms, and managed services.
  • Maintain supplier risk records and coordinate with Procurement, Legal, CISO, Enterprise Technology, and Product teams.
  • Ensure third-party risk is appropriately integrated into the DTS risk register and Risk Review Board.
  • Produce clear, reliable, and actionable governance dashboards and reports for the SVP Security and Compliance and DTS leadership.
  • Translate complex governance and technical data into clear business language, highlighting trends, overdue actions, and material risks.
  • Foster a collaborative and practical security governance culture across DTS.
  • Coach risk owners on how to describe, assess, treat, and monitor risks.
  • Ensure risk processes support business delivery rather than becoming bureaucratic overhead.

The ISMS and Risk Officer will be directly accountable for:

  • Effective operation, accuracy, and maintenance of the DTS ISMS and Risk Register.
  • Continuous, disciplined operation of the DTS Risk Review Board.
  • Up-to-date, approved, and realistic security policies, standards, and control documentation.
  • Structured tracking of risks, exceptions, waivers, and remediation plans.
  • Audit-ready evidence management and reliable governance reporting to leadership.

  • Proven experience in information security governance, risk management, compliance, audit, or ISMS operation.
  • Strong working knowledge of ISO 27001 and practical ISMS management.
  • Familiarity with SOC 2, GDPR, HIPAA, cloud security, SaaS platforms, and enterprise security controls.
  • Experience maintaining risk registers, policy frameworks, control libraries, and audit evidence repositories.
  • Experience running or supporting risk committees, governance forums, or control review boards.
  • Excellent technical writing skills (policies, standards, risk statements, and governance reports).
  • Ability to collaborate with technical teams and translate technical issues into business risk/compliance language.
  • Strong organizational skills, high attention to detail, and a constructive yet persistent approach to driving action.

Nice to Have

~1 min read
  • Experience operating within a complex, matrixed, enterprise environment is highly valued.

  • Disciplined & Reliable: Bring structure, order, and high standards of documentation to risk and compliance processes.
  • Pragmatic & Delivery-Aware: Build trust with technical teams by making governance useful, proportionate, and aligned with delivery.
  • Proactive: Follow through persistently on actions, dates, and evidence, and escalate bottlenecks clearly.
  • Collaborative: Support the SVP Security and Compliance in building a mature, transparent, and well-governed security function.

  • A current, well-maintained DTS ISMS with zero "reactive" compliance rushes.
  • Security policies and standards reviewed, updated, and communicated on schedule.
  • The Risk Review Board operating systematically with clear actions and high leadership engagement.
  • DTS risk register actively used by leadership to drive risk-based decisions.
  • Audit and certification evidence organized so there are "fewer surprises" during external audits and client reviews.
  • Security governance fully embedded as a natural part of daily DTS operations.

 

 

 

 

Who you are:

What We Offer

~1 min read

Location & Eligibility

Where is the job
United Kingdom
On-site within the country
Who can apply
GB

Listing Details

Posted
July 6, 2026
First seen
July 6, 2026
Last seen
July 6, 2026

Posting Health

Days active
0
Repost count
0
Trust Level
67%
Scored at
July 6, 2026

Signal breakdown

freshnesssource trustcontent trustemployer trust
Wpp
Wpp
greenhouse
Employees
10,000+
Founded
1985
Domain
wpp.com
View company profile
Newsletter

Stay ahead of the market

Get the latest job openings, salary trends, and hiring insights delivered to your inbox every week.

A
B
C
D
Join 12,000+ marketers

No spam. Unsubscribe at any time.

WppISMS and Risk Officer