Role Overview
We are seeking an experienced Third-Party Risk Manager with recent, hands-on experience in vendor risk and security governance. The role focuses on identifying, assessing, and reducing information security risks introduced by external partners, ensuring alignment with modern regulatory frameworks such as NIS2.
Sitting within the procurement function, you will work closely with internal teams and suppliers to strengthen security standards across the supply chain, ensuring third parties operate in line with organisational policies and do not expose the business to unnecessary risk.
Key Responsibilities
- Establish and maintain frameworks for managing security risks linked to external vendors, including classification based on risk and business impact
- Ensure third-party relationships meet regulatory requirements (including NIS2), covering areas such as risk controls, incident handling, and supply chain security
- Perform security due diligence and ongoing risk assessments for both new and existing suppliers
- Maintain vendor risk records, scoring models, and mitigation plans, ensuring risks are tracked and addressed appropriately
- Partner with procurement and security teams to embed strong security requirements into contracts, including incident reporting, audit rights, and data protection obligations
- Oversee vendor performance from a security perspective, including monitoring, reporting, and remediation follow-up
- Support end-to-end vendor lifecycle management, from onboarding through to offboarding
- Coordinate responses to security incidents involving third parties, ensuring timely communication and resolution
- Engage with internal stakeholders and suppliers to promote best practices in third-party security and compliance
- Contribute to awareness initiatives and guidance to ensure partners understand and meet required security standards
Skills & Experience
- Proven background in third-party risk, cybersecurity, or compliance within regulated environments
- Strong understanding of supplier security within frameworks such as ISO 27001 and broader industry standards (e.g. NIST, CIS)
- Familiarity with European cybersecurity regulations, particularly NIS2
- Experience conducting vendor assessments and supporting contract negotiations from a security standpoint
- Knowledge of supply chain risk and resilience concepts
- Exposure to GRC tools (e.g. ServiceNow) is beneficial
- Relevant certifications (such as CISM, CISSP, CRISC, or ISO 27001-related) are advantageous
- Strong communication and stakeholder management capabilities