Head of Information Security Governance, Risk and Compliance

Arriva is a leading European passenger transport partner, operating in 11 countries across the UK and Europe.  The company employs around 35,000 people, delivering more than 1.5 billion passenger journeys connecting people and communities safely, reliably and sustainably. We have strong roots dating back to 1938, an ambitious growth and sustainability agenda, and a continuously developing relationship with I Squared Capital – a global infrastructure investment fund manager - who acquired Arriva in We are looking for a Head of Information Security Governance, Risk, Compliance (GRC) & Awareness to join our Information Security Team on a full time, permanent basis, based from either our Doxford office, Sunderland or Lacon House, London. Reporting to the Group Chief Information Security Officer, the Head of InfoSec GRC & Awareness is responsible for leading the governance, risk, and compliance functions within the Information Security domain. This role ensures that the organisation maintains a robust security posture through the development and enforcement of policies, standards, and awareness initiatives. The role is pivotal in aligning security practices with business objectives and regulatory requirements. This position oversees the continuous improvement of security policies and standards, including technical standards, ensuring adherence across the enterprise. The role is accountable for measuring cyber maturity and driving compliance with internal and external requirements. It also includes oversight of the development and implementation of a comprehensive Operational Technology (OT) compliance framework, ensuring alignment with broader Arriva and industry recognised cyber security standards. The Head of InfoSec GRC & Awareness manages the enterprise-wide information security risk management process, including the maintenance of the InfoSec Risk Register, oversight of residual risk declarations, and escalation of serious risks in accordance with the Arriva Risk Management framework. The role also includes risk reporting and the execution of risk assessments across business units and third-party engagements.  The role also supports internal and external audit activities and contributes to audit readiness and response efforts across IT functions. The role is responsible for leading assurance activities across key security domains such as HR security, physical security, system security, malware protection, network security, end-user device security, cloud security, and secure applications. The Head of InfoSec GRC & Awareness also owns the organisation's security awareness programme, including designing and executing awareness campaigns, planning tailored training for high-risk users, and coordinating education roadshows. Direct responsibilities:

• Leads the improvement and enforcement of enterprise-wide Information Security Policies and Standards, including technical standards.
• Manages the UK Business Information Security Officer to support GRC and awareness activities across the UK businesses, as well as the governance of the wider European teams in the Netherlands and Mainland Europe business units.
• Maintains and develops Information Security Management System in line with ISO27001.
• Drives organisation-wide security governance and cyber maturity through standards compliance, assurance reviews, and gap analysis, be that Arriva policies and standards or industry recognised certifications such as ISO/IEC 27001, Cyber Essentials, NIS CAF, NIST CSF, CIS Controls.
• Oversees the development of a scalable Operational Technology (OT) Security Assurance Framework, including the management of day to day activities of the Operational Technology Compliance Manager.
• Develops and implements the enterprise Information Security Risk Methodology, including owning the Information Security, ensuring residual risk declarations are completed, prioritised, reviewed, and remediated with accountable stakeholders.
• Manages the third party due diligence process, including subject matter expertise in technical security requirements, supporting the on boarding of new suppliers, as well as the ongoing assessment of existing suppliers, including contract reviews with support from the data protection team.
• Leads key technical assurance activities such as the Arriva UK annual penetration test and red teaming exercises, working with Technology and Systems and the business, where appropriate, to ensure critical, high and medium risk findings are remediated.
• Provides IT audit support, including evidence coordination, control validation, and remediation planning.
• Leads assurance and compliance monitoring across information technology systems to include system security, malware Protection, network and endpoint security, cloud security and identity and access management activities.
• Improves and manages the Group-level Information Security Awareness Programme, including training strategy, annual compliance training content, communications plan, roadshows, and ongoing engagement.

Knowledge, skills & experience:

• Practitioner qualifications e.g. CISSP certification, CESG Listed Advisor (CLAS), ISO27001 Lead Auditor, Certified Information Security Manager (CISM) Knowledge of all areas of Cyber Security
• Evidencable extensive experience in information security or IT governance roles, including proven experience working in large, federated, and complex enterprise environments.
• Experience developing and maintaining security policies, standards, and risk management frameworks, including experience in managing third-party risk.
• Track record of successful security awareness campaigns, measurable cultural change, and increased risk literacy across organisations.
• Familiarity with audit lifecycles, regulatory compliance, control assurance, and data protection including a deep understanding of security control frameworks (e.g., ISO/IEC 27001, Cyber Essentials, NIS CAF, NIST CSF, CIS Controls, PCI-DSS).
• Knowledge of all areas of IT Security, including cyber security for digital technologies, identity and access management, authentication and single sign-on, authorisation, logging and monitoring, audit, secure communications and cryptographic services, network and endpoint protection, hosting and cloud, vulnerability management, platform security, and systems development lifecycle.
• Provides clear vision and direction, inspiring and engaging individuals and the wider team to deliver excellence.
• Written and verbal communication and presentation skills. Influencing and negotiating skills.
• Possesses a proactive and solution-focused attitude, being capable of analysing business problems and delivering real solutions.
• Experience supporting IT audits and regulatory inspections.

Success criteria & indicators: Delivery and enforcement of updated information security policies and standards across all business units, with measurable adherence tracked through assurance reviews and compliance audits. Maintenance of a comprehensive InfoSec Risk Register, with timely execution of risk assessments, accurate residual risk declarations, and escalation of high-impact risks in line with the Arriva Risk Management framework. Implementation of a scalable OT security assurance framework, with demonstrable alignment to industry standards and effective oversight of OT compliance activities. Successful coordination of internal and external audit activities, including evidence gathering, control validation, and remediation planning, with reduced audit findings and improved audit readiness scores. Execution of a Group-wide security awareness programme, including tailored training, annual campaigns, and engagement initiatives, with measurable improvements in user risk literacy and training completion rates. Stakeholder relationships:

• Group, divisional, and country business colleagues in Arriva
• Group, divisional, and country technology colleagues in Arriva
• External industry and security experts
• External consultants and suppliers
• Data Protection Authorities (UK and Europe)
• Internal and external risk, compliance, and audit teams
• Third party training providers and internal communications teams

This job description sets out the main duties and responsibilities of the job-holder. It does not constitute an exhaustive or comprehensive description of duties and the job holder will be required to carry out any additional tasks as and when requested to do so by their manager.  Responsibilities and duties may also change in light of future business needs and personal development. The closing date for applications is Tuesday 28th  October 2025. Arriva Group reserves the right to close this vacancy early.

---