Westminster Bridge Rd, London

Business Information Security Officer

Peabody
Facilities & Security
£60,000.0 - £70,000.0/Year
Full-time
Description

Location
Westminster Bridge Rd, London

Hours
Full Time

Salary
£65,000 per annum

About the Role
As a Business Information Security Officer (BISO) at Peabody, you will work closely with teams across the organisation to identify risks, strengthen controls, and embed a culture of security and resilience. Acting as the primary link between business, technology, information security, and resilience, you will ensure risks are understood and managed to protect colleagues, residents, data, and Peabody’s reputation.

Your expertise, collaboration, and influence will make a significant impact daily. You will partner with stakeholders, shape security controls, support audits, manage supplier risks, and help Peabody stay ahead of emerging threats.

Key Responsibilities
Business Partnering & Advisory
- Conduct risk assessments and identify priority threats with business partners
- Recommend security controls to reduce business, financial, reputational, and customer harm
- Collaborate to implement, monitor, and improve security policies, procedures, and standards
- Plan and deliver testing and ongoing monitoring of security controls
- Identify emerging threats and regulatory changes and propose mitigations

Governance & Reporting
- Co-chair or chair the Information Security Working Group
- Produce and manage KRIs, KPIs, and reports for stakeholders and committees
- Manage security exceptions, waivers, and time-bound risk acceptances
- Escalate breaches of security policies or standards
- Work closely with Data Protection on GDPR compliance, DPIAs, and risk reviews
- Support preparation for internal/external audits including NHS Data Toolkit and Cyber Essentials

Policies, Standards & Frameworks
- Support or lead development and improvement of security policies, procedures, and standards
- Align security frameworks to ISO27001, NIST CSF, NCSC CAF, or other relevant guidance

Supplier & Third-Party Risk Management
- Conduct tiered due diligence before contract awards
- Ensure appropriate security and resilience clauses in contracts
- Coordinate external assurance such as penetration testing and audit reports
- Manage supplier security findings with business owners

Awareness & Culture
- Develop and deliver targeted training and awareness campaigns
- Use multiple channels including blogs, training modules, and in-person sessions to build a positive security culture
- Measure awareness success and adjust programmes based on behaviours and outcomes
- Build and maintain a security champion network

Incident Readiness & Response
- Maintain incident response playbooks and coordinate responses to security incidents
- Support post-incident reviews and track remedial actions across departments

Resilience & Continuity
- Partner with Business Continuity & Resilience to assess risks to critical services
- Validate cyber recovery objectives and support exercising of response scenarios

Horizon Scanning
- Track emerging threats, technologies, and regulatory changes
- Recommend improvements to security controls and investment priorities
- Contribute to multi-year maturity roadmaps

Requirements

Experience
- Experience in information security, risk management, technology, or related disciplines
- Experience implementing or aligning to frameworks such as NIST CSF, ISO27001, NCSC CAF, NHS Data Security Toolkit
- Proven ability to build strong partnerships across technical and non-technical teams
- Experience designing or delivering security awareness and training

About you
- Persuasive and articulate communicator able to explain security concepts to any audience
- Collaborative, positive, and skilled at building trust with stakeholders
- Confident using a range of communication channels including blogs, online training, and social media
- Proactive and forward-thinking about future risks and opportunities
- Detail-oriented and able to work within a fast-paced, agile environment
- Flexible, solution-focused, and able to plan and organise your own workload
- Strong problem solver with excellent written and verbal communication skills
- Able to negotiate and influence to resolve conflicting requirements
- Committed to supporting a secure, resilient, and customer-focused organisation

Qualifications
- Professional security qualifications such as CISSP, CRISC, or equivalent experience
- Strong understanding of GDPR and the Data Protection Act 2018
- Understanding of cloud security concepts, shared responsibility models, and cloud-native threats

Expiry date: 23/06/2026