ROLE OVERVIEW
We are looking for a hands-on Information Security & Compliance Manager who will own FirstHive’s entire certification and compliance portfolio, drive two strategic new certifications, serve as the primary security point of contact for enterprise customers, and continuously test and strengthen our internal controls. This is a high-visibility, high-impact individual contributor role that sits at the intersection of governance, technical security, and customer trust.
KEY RESPONSIBILITIES
Certification & ISMS Ownership
- Own and maintain the ISMS under ISO 27001:2022 and ISO 27018, including all policies, risk registers, Statement of Applicability (SoA), and management reviews.
- Maintain SOC 2 Type II compliance — coordinate evidence collection, manage auditor relationships, and drive remediation of observations across engineering and ops teams.
- Maintain and strengthen compliance posture for DPDPA (India), GDPR (EU), PDPA (Singapore/Thailand), and CCPA (California) — including DPIAs, RoPAs, consent frameworks, and breach notification procedures.
- Lead end-to-end certification programs to achieve ISO 42001 (AI Management System) and ISO 27701 (Privacy Information Management / PIMS) within agreed timelines.
Customer-Facing Security Leadership
- Serve as the primary security and compliance representative in enterprise sales cycles, customer onboarding reviews, and ongoing trust conversations.
- Respond to and own customer security questionnaires (RFPs, RFIs, DDQs), vendor assessments, and penetration test summary reviews.
- Build and maintain a Security Trust Center / shared evidence pack (NDA-gated) to accelerate deal cycles.
- Partner with Sales and Customer Success to proactively address customer security concerns and translate technical controls into business assurances.
Security Controls Testing & Validation
- Plan, scope, and oversee periodic Vulnerability Assessment & Penetration Testing (VAPT) programs — including external black-box tests, grey-box tests (authenticated), and internal network assessments.
- Manage relationships with third-party VAPT vendors; validate findings, triage severity, and track remediation to closure.
- Conduct internal process audits against ISO 27001 controls and SOC 2 criteria; issue findings, assign owners, and track remediation timelines.
- Run tabletop exercises and incident response drills; maintain and iterate the Incident Response Plan.
- Maintain a continuous controls monitoring programme — including cloud security posture reviews (AWS/GCP), access reviews, and change management audits.
Policy, Risk & Governance
- Own the Information Security Policy Framework — draft, version, and review all policies and procedures on schedule.
- Maintain the organisational risk register; conduct annual risk assessments and present findings to leadership.
- Manage supplier/vendor risk assessments (third-party due diligence) in line with ISO 27001 Annex A.15 / A.5.22.
- Drive security awareness training for all staff; measure effectiveness and iterate.
- Coordinate with legal and DPO (internal or external) on privacy-related obligations under applicable regulations.
REQUIRED QUALIFICATIONS & SKILLS
Technical & Domain Skills
- Deep, working knowledge of ISO 27001:2022 — can author controls, conduct internal audits, and lead Stage 1 / Stage 2 audits without external support.
- Proven hands-on experience running SOC 2 Type II audit cycles (not just participating — owning the programme).
- Solid understanding of GDPR, DPDPA, CCPA, and PDPA data protection obligations, with experience drafting DPIAs and Data Processing Agreements (DPAs).
- Practical understanding of VAPT methodologies: OWASP Top 10, SANS Top 20, black-box and grey-box testing scopes.
- Experience with cloud-native security controls: AWS Security Hub, GCP Security Command Center, IAM policy reviews, S3/GCS bucket hardening, network segmentation.
- Familiarity with tools: vulnerability scanners (Nessus, Qualys, or equivalent), SIEM platforms, DLP tools, endpoint security.
Customer-Facing & Communication Skills
- Confident, polished communicator who can lead customer security reviews, present to CISOs and procurement committees, and hold their own in technical conversations with security architects.
- Experience writing and responding to detailed security questionnaires (CAIQ, SIG, VSA, or custom).
- Ability to translate complex compliance requirements into concise, business-friendly language for non-technical stakeholders.
Certifications (Required — at least two of the following)
- ISO 27001 Lead Implementer
- ISO 27001 Lead Auditor
- CISSP
- CISM
- CCSP
- ISO 27701 Lead Implementer
- CDPSE (ISACA)
- CEH / OSCP
- CISA
PREFERRED QUALIFICATIONS
- Prior experience at a B2B SaaS company or data platform handling PII at scale.
- Exposure to ISO 42001 (AI Management Systems) — even conceptual familiarity is a strong differentiator.
- Experience structuring a Privacy Information Management System (ISO 27701) from scratch.
- Background in conducting or commissioning grey-box penetration tests for web applications and APIs.
- Familiarity with CSA STAR, PCI-DSS, or HIPAA.
- Experience building or scaling an information security function at a growth-stage company.
RECOMMENDED EXPERIENCE LEVEL
This role requires genuine depth across three disciplines — standards-based compliance, technical security testing, and executive-level customer conversations — simultaneously. We recommend the following experience profile:
| Dimension | Recommendation |
|---|---|
| Total Experience | 8–12 years in IT / Information Security |
| Compliance Experience | 4+ years owning a multi-standard certification portfolio |
| Technical Security | 3+ years conducting or managing VAPT, security audits |
| Customer Engagement | 2+ years in pre-sales / post-sales security conversations |
| ISO 27001 Audits | Independently led at least 2 full certification cycles |
| SOC 2 Type II | Owned at least 1 complete audit cycle end-to-end |
| Privacy Regulations | Hands-on experience with GDPR + at least one APAC regulation |
| Seniority Band | Senior Manager / Principal / Staff IC — not entry or mid-level |
This is an individual contributor role with high visibility, not a team management role.