Information Security Analyst – Clifford Chance

Opening for an Information Security Analyst (with Risk Assessment experience and CISSP) to join our IT Risk team.
Clifford Chance is one of the world’s leading law firms, helping clients achieve their goals by combining the highest global standards with local expertise. The firm has unrivalled scale and depth of legal resources across the three key markets of the Americas, Asia and Europe and focuses on the core areas of commercial activity: capital markets; corporate and M&A; finance and banking; real estate; tax; pensions and employment; litigation and dispute resolution.

Alongside world-class legal careers, Clifford Chance offers excellent opportunities in the support functions that underpin its business operations. By joining us in business services, you will help us to innovate in the way we deliver our services and enable us to run a successful multinational business that never stands still. Business services are integral to the running of the firm and are critical to its success.

Clifford Chance is not alone in facing increasing cyber security threats and information risks, along with heightened client scrutiny of our information security controls. The IT Risk team has an important remit to provide governance, coordination and leadership across these areas, drive continuous improvement, and provide assurance to our clients. We are a small team that works closely with our colleagues in IT Security, all other parts of IT and right across the firm globally.

Job Purpose

This role reports to the Global IT Risk Manager (who is the firm’s Chief Information Security Officer). IT Risk requires a fast-learning and self-motivated individual to add capability to our small team.

IT Risk is evolving to dynamic business needs, a rapidly changing threat environment, and the firm’s own ambitious IT Strategy. This role will help play a key part in implementing and improving the underlying processes required to provide a structured, systematic and audited approach to IT Risk across the firm. The role will have clear areas of focus combined with exposure and involvement in a broad spectrum of information security activities.

Key Responsibilities

The key tasks and responsibilities include, but are not limited to, the following:

• Drive the firm’s ISO27001-certified ISMS by managing a structured programme of activities including risk assessment and management work, audit and compliance initiatives, and associated documentation.
• Coordinate the programme of internal security audit activities and deliver a quarterly assessment.
• Provide process governance and specialist advice/insight into security investigations.
• Plan, organise and deliver a series of security penetration tests (some regular, some ad-hoc) by working with external suppliers and internal applications & infrastructure colleagues.
• Lead on the collation, analysis, and enhancement of security KPIs/metrics.
• Help to review and advise internal projects/initiatives on risk and security aspects, liaising with technical IT colleagues where necessary.
• Help to review and assess external service providers and data custodians.
• Participate in client security reviews and assurance activities.
• Assist with developing and delivering security awareness, including through intranet sites, news stories, policy and guidance documentation, direct engagement/advice to staff, and periodic ‘campaign’ activities.
• Support the firm’s cybersecurity strategy and programme by assisting the Global IT Risk Manager where needed, e.g. helping to carry out threat monitoring, research, and elements of policy change and programme delivery.
• Participate in the evaluation, selection and implementation of security products and technologies.
• Provide support and cover for certain time-critical elements of IT Risk team responsibilities, such as incident management and security investigations.
• Maintain an awareness of current and developing threats and reflect these back into the risk management processes.

Key Requirements

The candidate must have experience of ISO27001 processes including risk management, audits, and policies, ideally in a certified capacity.

They should be able to perform information security risk assessments, rapidly assimilate technical information to assess and document risks, have the knowledge and skills to engage with different levels of seniority, balance the need to obtain information with provision of support and advice, and continually demonstrate how IT Risk supports the firm’s business objectives and our clients’ need for information assurance.

They should be able to apply an organised approach to managing and prioritising multiple concurrent assignments and be motivated to continually improve processes and documentation, and to take ownership of parts of the firm’s information security programme.

Although no formal qualifications are mandated, the successful candidate is likely to be degree educated and have one or more of the following – CISSP, CISA, CISM, ISO27001 Lead Auditor or Lead Implementer.

It is essential that the successful candidate is a self-starter with an inquisitive, pragmatic and flexible approach backed by the tenacity to pursue enquiries through to a timely conclusion. It will be important to remain focussed on the strategic goals whilst maintaining an eye for detail.

The role may bring the candidate into contact with sensitive information and, as such, the ability to press ahead to a pragmatic conclusion whilst exhibiting the utmost discretion is important.

Experience in developing and using structured documentation (process, format, logical content, version control, etc.) is also important.