WHAT DOES AN INFORMATION SECURITY RISK MANAGER DO?

Published: Sep 11, 2025 - The Information Security Risk Manager develops and manages the corporate information security framework, policies, and standards to ensure compliance with international standards, industry requirements, and regulations such as ISO/IEC 27001, PCI DSS, and GDPR. This role involves defining and implementing risk management strategies, coordinating vulnerability assessments, managing incident response, and coordinating data protection programs to safeguard organizational assets. The Manager also collaborates with legal, technical, and leadership teams to advise on emerging threats, oversee security initiatives, and ensure risks are communicated to, and mitigated at, the appropriate management levels.

A Review of Professional Skills and Functions for Information Security Risk Manager

1. Information Security Risk Manager Overview

  • Vendor Engagement: Engage with internal vendor owners to determine initial third-party vendor risk ratings.
  • Risk Evaluation: Manage third-party vendor risk evaluation services.
  • Vendor Communication: Communicate directly with third-party vendors.
  • Security Assessment: Perform third-party vendor security assessment activities, including evaluation of vendor controls and practices, process enhancements, and review of independent audit service reports.
  • Risk Escalation: Escalate outstanding risk items to management for acceptance or rejection.
  • Remediation Tracking: Communicate and track remediation plans with third-party vendors, business, and technology partners, and recommend mitigating or compensating controls.
  • Metrics Reporting: Maintain and present metrics on the vendor risk program to management.
  • Security Monitoring: Continuously monitor third-party vendor security posture and information security risk.
  • Control Advisory: Advise and guide business and technology partners regarding compensating control alternatives where security requirements cannot be met.

2. Information Security Risk Manager Job Description

  • Security Assessment: Perform Information Systems Security Assessments, write Information Systems Security Reports, and provide guidance to risk owners on management response and mitigation.
  • Process Improvement: Contribute to improving methods and practices related to focus domains.
  • Project Alignment: Align with other projects and application security competencies (IT and Business) within the security community.
  • Risk Management: Perform, advise, and follow up on generic risk assessments and identified risks.
  • Control Mitigation: Drive mitigation of agreed controls.
  • Risk Register: Update the security risk register.
  • Policy Compliance: Ensure compliance with security policies and standards.
  • Team Alignment: Align with IT and security teams on controls and required activities.
  • Audit Preparation: Maintain sufficient and appropriate evidence of work performed for review by Internal Audit and other oversight bodies.
  • Risk Tolerance Advisory: Monitor, assess, and advise on acceptable risk tolerances based on policy, control environment, and the evolving regulatory and threat landscape.

3. Information Security Risk Manager Functions

  • Regulatory Assessment: Coordinate assessments against key regulatory and framework guidance for cloud cybersecurity controls.
  • Presentation Development: Build and improve presentations for senior and executive management, clients, and regulators.
  • Feedback Provision: Provide feedback to Technology Risk and Internal Audit on their cybersecurity opinions.
  • Program Documentation: Maintain the Information Security program documents that describe the function.
  • Regulatory Support: Support regulatory developments by monitoring new regulations, preparing actions for compliance, and producing presentations, meeting notes, and summary reports for management.
  • Audit Support: Support Internal Audit activities by guiding auditors and control owners to effective, efficient, balanced, and pervasive controls.
  • Third-Party Evaluation: Evaluate third-party assessments of the Information Security function.
  • Taxonomy Maintenance: Maintain the cybersecurity threat, risk, and control taxonomy.
  • Metrics Support: Support the cybersecurity metrics program.
  • Communication Review: Review internal and external communications related to cybersecurity.
  • Gap Management: Maintain the list of key cybersecurity gaps.

4. Information Security Risk Manager Accountabilities

  • Control Monitoring: Assist in monitoring the IT control environment to identify key risks, related controls, and gaps, and document and report results to management.
  • Stakeholder Collaboration: Collaborate with internal stakeholders to address systemic security issues.
  • Project Tracking: Monitor, track, and document information security-related projects to ensure prompt and efficient resolution.
  • Metrics Management: Manage program-level metrics used to drive program direction and communicate with leadership.
  • Profile Maintenance: Update and maintain the custom NIST FS profile.
  • Audit Support: Provide support and evidence collection for internal and external audits and risk assessments.
  • Corrective Planning: Consult with management to develop corrective action plans for identified audit, risk, Information Security, and IT findings.
  • Security Initiatives: Research, design, and participate in or lead the implementation of security initiatives.
  • Trend Analysis: Stay current on the latest information technology and security trends and recommend corrective actions through Information Security initiatives.
  • Best Practices: Assist in developing enterprise-wide best practices for IT and Information Security.
  • Policy Management: Identify, implement, and maintain policies and procedures required to cost-effectively and uniformly protect information system assets.

5. Information Security Risk Manager Job Summary

  • Cybersecurity Operations: Manage the daily operation of cybersecurity, including security incident response.
  • Threat Awareness: Maintain a current understanding of the technology threat landscape, compliance requirements, and regulatory obligations.
  • Requirements Definition: Define business and technical requirements across multiple workstreams as new technology is adopted and embedded.
  • Strategy Implementation: Create, implement, and operate a strategy for deploying information security technologies, policies, and practices with a focus on continuous improvement.
  • Design Review: Review and approve system designs from a cybersecurity standpoint.
  • Policy Management: Draft, review, and approve security policies and controls, ensure communication to all personnel, and enforce compliance.
  • Platform Management: Manage security platforms such as vulnerability management, security monitoring, and CASB.
  • Technology Delivery: Deliver new security technology approaches and implement next-generation solutions.
  • Testing Oversight: Manage regular cybersecurity testing initiatives such as phishing exercises and penetration testing.
  • Partner Management: Manage external cybersecurity partners in line with procurement frameworks, including conducting regular service reviews.
  • Awareness Training: Lead risk workshops and discussions with the Technology team and manage security awareness training activities for all staff.

6. Information Security Risk Manager Responsibilities

  • Business Partnership: Act as a business partner on IT Security Control, Governance, and Risk Control with business units.
  • Risk Assessment: Perform risk assessments to identify gaps in compliance with information security and business continuity planning (BCP) standards and policies.
  • Risk Exposure Review: Assess and review potential risk exposure, including security vulnerabilities, coverage of security technologies, application security, and technical control compliance.
  • Compliance Advisory: Provide advisory support for compliance with regulatory requirements.
  • Policy Guidance: Advise business and technology users on technology risk policies and standards so that security principles are understood and security solutions are adopted.
  • Assessment Collaboration: Collaborate with IT and business teams to perform information security, risk, and compliance assessments throughout the application SDLC.
  • Initiative Participation: Participate in global and local risk and security initiatives.
  • Awareness Facilitation: Facilitate global security awareness and education across the region.
  • Audit Planning: Plan and drive the IS audit plan across various scopes with a focus on high-risk domains.

7. Cyber And Information Security Risk Manager Details

  • Executive Support: Support the Head of Cyber & Information Security Risk, create senior management presentations, and represent the CISO in risk management meetings.
  • Framework Execution: Drive the execution of the F2B Risk Framework across the CISO function.
  • RCSA Execution: Execute the annual Risk and Control Self-Assessment (RCSA), including establishing and monitoring effective controls within an agreed risk appetite.
  • Control Assessment: Support the CISO in the Key Procedural Control Assessment Process.
  • Risk Reporting: Provide transparent risk reporting to management, regulators, and other internal units.
  • Mitigation Support: Identify risk areas in existing processes and support management and the CISO organization in defining and executing mitigation plans.
  • Risk Review: Coordinate and perform internal risk assessments and risk reviews, including ORI reviews, to ensure sustainable remediation of issues.
  • Stakeholder Engagement: Engage proactively with business stakeholders for the assigned portfolio to identify and escalate risks.
  • Task Champion: Serve as “Task Champion” for the Operational Risk Framework.
  • Metrics Development: Develop metrics to evaluate and mitigate risk.
  • Ad-hoc Support: Support ad-hoc cyber and information security risk mitigation initiatives.

8. Information Security Risk Manager Duties

  • Security Leadership: Own all Security and Risk issues, act as the face of the function, and deliver solutions to the senior board; day-to-day operational and technical IT Security activities remain with the IT team.
  • Compliance Management: Ensure statutory and contractual obligations are adhered to, covering areas such as Information Security and Data Protection (including GDPR).
  • Legal Collaboration: Work closely with the in-house Legal function, assisting with areas such as Risk and Compliance frameworks.
  • Audit and Assessment: Conduct auditing and risk assessments, and maintain policies and procedures in line with certifications and mandates linked to Information Security.
  • Continuous Improvement: Take ownership of continuous improvement programmes, developing, implementing, and maintaining suitable programmes.
  • Governance Facilitation: Chair an ongoing and regular Security Working Group, working with the key senior leadership team to ensure that the Information Security Management System (ISMS) is meeting all requirements.
  • Training and Reporting: Deliver reports and presentations across the organisation, and design and deliver training to the business on ISMS best practice.
  • Third-Party Management: Manage security requirements with third parties, including due diligence of products and service providers and integration of information security clauses in service provision agreements and contracts.
  • Policy Development: Develop, coordinate, and maintain information security policies, procedures, and other security-related documentation.
  • Technology Advancement: Advance the technological approach to information security within the firm.

9. Information Security Risk Manager Additional Details

  • Framework Management: Maintain, enhance, and execute the technology risk management framework, policies, and procedures to support the business.
  • Resilience Framework: Maintain and enhance the cybersecurity resilience framework to support the business.
  • Documentation Development: Develop and enhance technology and security risk-related documentation to ensure alignment with group policies and adherence to regulatory requirements.
  • Risk Reporting: Report technology and security risk updates and dashboards for various audiences and applicable committees, including the board and senior management.
  • KRI Management: Enhance, monitor, and track technology key risk indicators (KRIs), including cybersecurity elements, in line with the enterprise-wide risk management framework.
  • Governance Oversight: Ensure governance and oversight of entities and technology workstreams to comply with internal, industry, and regulatory requirements.
  • Control Challenge: Provide an effective challenge to the adequacy and effectiveness of technology and security controls.
  • Risk Assessment: Conduct technology, security, and related risk assessments with business units, such as RCSA and Information Security Risk Assessments, to identify and manage control gaps.
  • Business Collaboration: Collaborate with business units to provide support and guidance on technology risk and control matters.
  • Committee Participation: Lead or participate in relevant committees for technology risk and contribute to other applicable committees.
  • Audit Support: Support technology and security audit engagements.
  • Incident Response: Participate in IT and security breach and incident workstreams.
  • Continuous Improvement: Perform continuous improvement in technology risk management.

10. Information Security Risk Manager Essential Functions

  • Framework Development: Develop, manage, and communicate the Corporate Information Security Framework, including policies, standards, and processes based on international standards (e.g., ISO/IEC 27001) and on legal, regulatory, or contractual requirements (e.g., GDPR, PCI DSS), ensuring adoption and adherence.
  • Security Strategy: Develop an overall information security and compliance strategy and recommend appropriate controls and tools aligned with organizational objectives, set measures, and information control requirements.
  • Trend Monitoring: Monitor environmental and market trends, proactively assess their impact on business strategies, and advise on necessary security controls in collaboration with legal, technical support, and architecture experts.
  • Risk Framework: Define and implement a risk management framework to ensure IT security and risks are managed to acceptable levels and comply with relevant regulations.
  • Vulnerability Testing: Coordinate periodic vulnerability assessments and penetration tests of the IT environment to validate control effectiveness, identify risks and threats, and manage remediation so that information assets are protected and regulatory requirements are met.
  • Risk Visibility: Ensure every risk, its impact, and the cost of mitigation are visible at the appropriate management level.
  • Access Control: Investigate access and permission violations and define organizational policies on access rights.
  • Data Protection: Coordinate effective implementation of the data protection program aligned to applicable regulatory regimes (e.g., GDPR), including records of processing, policies, procedures, reporting, and engagement with supervisory authorities.
  • Team Guidance: Direct and guide internal teams and external providers to ensure all information assets are well-protected.
  • Exception Management: Review and action exceptions to policies and standards based on impact, and take ownership of all information security initiatives.
  • Market Awareness: Keep abreast of market trends and products related to information security and maintain a broad understanding of the environment to source services externally.
  • Incident Response: Develop, manage, maintain, and regularly test the security incident response plan to ensure all incidents are reported, documented, resolved, and recovered from.