Risk, Information Security & Compliance Manager at Metrofile

Job Purpose

• The Group Risk, Information Security & Compliance Manager is responsible for leading and managing the organisation’s enterprise information security, IT risk, governance, compliance, and assurance functions across the Group.
• The role is accountable for maintaining and improving the organisation’s security posture, ensuring compliance with applicable regulatory and industry standards, and overseeing the governance and continuous improvement of frameworks including ISO standards and PCI DSS.
• The incumbent will work closely with executive management, operational teams, auditors, regulators, customers, and external service providers to ensure the organisation maintains secure, compliant, resilient, and audit-ready operations across both physical and digital information management environments.

Key Responsibilities

Information Security Governance

• Develop, implement, and maintain the Group Information Security Framework.
• Oversee enterprise cybersecurity governance, controls, and risk mitigation strategies.
• Ensure appropriate security controls are implemented across infrastructure, applications, cloud platforms, endpoints, and operational environments.
• Coordinate vulnerability management, penetration testing, patch governance, and remediation tracking.
• Manage information security incidents and coordinate incident response activities.
• Drive security awareness and cybersecurity culture initiatives across the organisation.

Risk Management

• Establish and maintain the Group IT and Information Security Risk Register.
• Conduct risk assessments across systems, applications, operational environments, vendors, and business processes.
• Monitor and report on key technology and information security risks.
• Develop mitigation plans and track remediation activities to closure.
• Ensure risks are appropriately escalated and communicated to executive management and governance committees.

Compliance & Governance

• Develop, maintain, and enforce IT governance policies, standards, procedures, and frameworks.
• Ensure compliance with applicable legislation, regulations, contractual obligations, and industry standards.
• Coordinate compliance initiatives relating to:
• POPIA
• PCI DSS
• ISO standards
• Client contractual obligations
• Internal governance standards
• Maintain evidence repositories and compliance documentation.

ISO Management Systems

• Manage and maintain the organisation’s Information Security Management System (ISMS).
• Coordinate and maintain ISO certification programmes including:
• ISO 27001
• ISO 9001
• ISO 22301 (where applicable)
• Other relevant ISO standards
• Coordinate internal and external ISO audits.
• Manage corrective actions, non-conformances, and continuous improvement initiatives.
• Ensure the organisation remains audit-ready at all times.

PCI DSS Governance

• Coordinate PCI DSS compliance programmes and assessments.
• Ensure ongoing compliance with PCI DSS requirements.
• Coordinate vulnerability scans, remediation activities, evidence collection, and audit preparation.
• Work closely with internal teams and external assessors to address PCI findings and maintain compliance certification.

Client Assurance & Audit Coordination

• Serve as the primary point of contact for customer security and compliance audits.
• Respond to client security questionnaires, due diligence requests, and audit requirements.
• Coordinate internal and external audit activities.
• Manage audit findings and remediation plans through to closure.
• Build and maintain strong relationships with enterprise clients and auditors.

Business Continuity & Disaster Recovery

• Coordinate IT Disaster Recovery and Business Continuity planning activities.
• Ensure regular DR testing and recovery validation exercises are conducted.
• Maintain and improve resilience and continuity capabilities across critical systems and operational environments.

Vendor & Third-Party Risk Management

• Conduct security and compliance assessments for third-party vendors and service providers.
• Review supplier security controls, contractual obligations, and compliance requirements.
• Ensure third-party risks are identified, assessed, and appropriately managed.

Reporting & Governance

• Prepare and present executive and board-level reports relating to:
• Security posture
• Compliance status
• Risk exposure
• Audit outcomes
• Incident trends
• Remediation progress
• Provide regular updates to management committees, audit committees, and executive stakeholders.

Minimum Qualifications

• Bachelor’s degree in Information Technology, Information Security, Risk Management, Computer Science, or related field.
• Relevant industry certifications such as:
• CISSP
• CISM
• CRISC
• ISO 27001 Lead Implementer or Lead Auditor
• PCI DSS related certifications
• COBIT
• ITIL

Experience Required

• Minimum 5 - 10 years’ experience in Information Security, Risk, Compliance, Governance, or related fields.
• Experience managing ISO certification environments.
• Strong understanding and practical experience with PCI DSS compliance.
• Experience working within highly regulated industries such as:
• Banking
• Healthcare
• Financial Services
• Records Management
• Enterprise Managed Services
• Experience coordinating audits and engaging with enterprise customers.
• Experience managing security governance across multi-site or multi-country environments will be advantageous.

Technical Knowledge & Competencies

• Information Security Governance
• IT Risk Management
• Cybersecurity Controls & Best Practices
• ISO 27001 and related ISO standards
• PCI DSS
• POPIA and data privacy regulations
• Business Continuity & Disaster Recovery
• Vendor Risk Management
• Audit Management
• Security Incident Management
• Governance Frameworks (COBIT, NIST, ITIL)

Behavioural Competencies

• Strong analytical and problem-solving skills
• Excellent communication and stakeholder engagement abilities
• High attention to detail
• Strong organisational and documentation skills
• Ability to work under pressure and manage multiple priorities
• Strong leadership and coordination capabilities
• Integrity, professionalism, and confidentiality

Key Performance Indicators (KPIs)

• Successful maintenance of ISO certifications
• PCI DSS compliance status maintained
• Reduction in audit findings and repeat findings
• Closure of identified security and compliance risks
• Security incident response effectiveness
• Vulnerability remediation timelines achieved
• Compliance training and awareness completion rates
• Successful DR testing outcomes
• Client audit success rate
• Timely reporting to management and governance structures

Additional Requirements

• Willingness to travel to operational sites and regional offices where required.
• Ability to engage with both technical and non-technical stakeholders.
• Ability to work after hours during major incidents, audits, or critical operational activities when required.