About this ISMS and Risk Officer role at WPP
WPP is the trusted growth partner for the world’s leading brands.
We unite cutting-edge media intelligence and data solutions, world-class creativity, next-generation production, transformative enterprise solutions and expert strategic counsel in a single company – powered by exceptional talent and our agentic marketing platform, WPP Open, to help our clients navigate change, capture opportunity and deliver transformational growth.
We work with the world's most valuable brands and have global reach across 100+ markets, with deep local expertise.
Our people are the key to our success. We're committed to fostering a culture of creativity, belonging and continuous learning, attracting and developing the brightest talent, and providing exciting career opportunities that help our people grow.
For more information, visit WPP.com.
ISMS and Risk Officer
- Department: Data & Technology Solutions (DTS)
- Reports To: SVP Security and Compliance
- Location: [Insert Location/Remote/Hybrid]
- Position Type: Full-Time
Role Purpose
The ISMS and Risk Officer (DTS) is responsible for managing and continuously improving the Information Security Management System (ISMS) across Data & Technology Solutions. You will ensure that security policies, controls, risks, exceptions, and governance processes are properly maintained, evidenced, reviewed, and acted upon.
Reporting to the SVP Security and Compliance, you will provide the operational backbone for security governance across DTS. This is a hands-on Governance, Risk, and Compliance (GRC) role. You will collaborate across security, product, engineering, infrastructure, architecture, legal, risk, compliance, and delivery teams to transform security governance into a dynamic, working management system rather than a static documentation exercise.
Key Responsibilities
1. ISMS Ownership & Operation
- Manage the day-to-day operation and continuous improvement of the DTS ISMS.
- Maintain the ISMS framework, documentation, control library, policies, standards, and procedures.
- Ensure the ISMS accurately reflects how DTS operates across products, platforms, infrastructure, data, and engineering.
- Support alignment with frameworks such as ISO 27001, SOC 2, GDPR, HIPAA (where applicable), and wider WPP security requirements.
- Ensure ISMS artefacts are version-controlled, approved, reviewed, and communicated appropriately.
- Maintain clear evidence of security governance activity, control operation, risk treatment, and management reviews.
2. Policy Management & Control Governance
- Own the lifecycle of DTS security and compliance policies, standards, procedures, and control documentation.
- Coordinate policy reviews with Security, Architecture, Infrastructure, Engineering, Product, Legal, Risk, and Enterprise Technology stakeholders.
- Ensure policies are practical, clear, enforceable, and aligned with DTS's operating reality.
- Track policy exceptions, waivers, compensating controls, and review dates.
- Ensure policy changes are communicated and seamlessly embedded into operational processes.
3. Risk Review Board Operation
- Establish and continuously run the DTS Risk Review Board.
- Define the Board’s cadence, agenda, inputs, outputs, attendees, and escalation routes.
- Prepare comprehensive risk packs, dashboards, decision logs, and action trackers.
- Ensure risks are presented clearly, consistently, and with appropriate supporting evidence.
- Track decisions, owners, due dates, mitigations, exceptions, and residual risks.
- Escalate risks exceeding agreed thresholds to the SVP Security and Compliance, DTS leadership, the CISO office, or other appropriate forums.
4. Risk Register Management
- Own and maintain the central DTS security and compliance risk register.
- Capture, assess, categorise, and maintain security, compliance, privacy, operational resilience, third-party, and technology risks.
- Ensure all risks have clear descriptions, owners, likelihood/impact ratings, inherent risk scores, mitigations, residual risk scores, treatment plans, and target dates.
- Partner with risk owners to ensure mitigations are realistic, funded, and actively progressed.
- Track overdue risk actions and escalate insufficient progress.
- Produce regular risk reporting for DTS leadership and wider WPP governance forums.
5. Control Assurance & Evidence Management
- Support ongoing assurance activity by ensuring controls are consistently evidenced, tested, and reviewed.
- Maintain control evidence for ISO 27001, SOC 2, client assurance, internal audits, and other compliance needs.
- Coordinate evidence collection from Engineering, Infrastructure, Security, Product, HR, Legal, and Enterprise Technology.
- Identify gaps between documented controls and actual operating practices, tracking remediation plans.
6. Compliance Support & Audit Readiness
- Support DTS compliance obligations (ISO 27001, SOC 2, HIPAA, GDPR-related controls, and client-specific requirements).
- Help prepare for internal/external audits, client reviews, security questionnaires, and due diligence exercises.
- Maintain an organized, always-ready evidence library and audit trail.
- Support management reviews required by ISO 27001 and other governance frameworks.
7. Exception, Waiver & Remediation Tracking
- Manage the formal process for security exceptions, policy waivers, risk acceptances, and remediation plans.
- Ensure exceptions are documented, reviewed, approved, time-bound, and assigned to accountable owners.
- Track compensating controls, monitor residual risk, and manage the renewal/escalation of expired exceptions.
8. Third-Party & Supplier Risk Support
- Help assess security and compliance risks associated with vendors, partners, tools, platforms, and managed services.
- Maintain supplier risk records and coordinate with Procurement, Legal, CISO, Enterprise Technology, and Product teams.
- Ensure third-party risk is appropriately integrated into the DTS risk register and Risk Review Board.
9. Security Governance Reporting
- Produce clear, reliable, and actionable governance dashboards and reports for the SVP Security and Compliance and DTS leadership.
- Translate complex governance and technical data into clear business language, highlighting trends, overdue actions, and material risks.
10. Stakeholder Engagement & Culture
- Foster a collaborative and practical security governance culture across DTS.
- Coach risk owners on how to describe, assess, treat, and monitor risks.
- Ensure risk processes support business delivery rather than becoming bureaucratic overhead.
Key Accountabilities
The ISMS and Risk Officer will be directly accountable for:
- Effective operation, accuracy, and maintenance of the DTS ISMS and Risk Register.
- Continuous, disciplined operation of the DTS Risk Review Board.
- Up-to-date, approved, and realistic security policies, standards, and control documentation.
- Structured tracking of risks, exceptions, waivers, and remediation plans.
- Audit-ready evidence management and reliable governance reporting to leadership.
Skills & Experience
Required:
- Proven experience in information security governance, risk management, compliance, audit, or ISMS operation.
- Strong working knowledge of ISO 27001 and practical ISMS management.
- Familiarity with SOC 2, GDPR, HIPAA, cloud security, SaaS platforms, and enterprise security controls.
- Experience maintaining risk registers, policy frameworks, control libraries, and audit evidence repositories.
- Experience running or supporting risk committees, governance forums, or control review boards.
- Excellent technical writing skills (policies, standards, risk statements, and governance reports).
- Ability to collaborate with technical teams and translate technical issues into business risk/compliance language.
- Strong organizational skills, high attention to detail, and a constructive yet persistent approach to driving action.
Preferred:
- Experience operating within a complex, matrixed, enterprise environment is highly valued.
Leadership Expectations
- Disciplined & Reliable: Bring structure, order, and high standards of documentation to risk and compliance processes.
- Pragmatic & Delivery-Aware: Build trust with technical teams by making governance useful, proportionate, and aligned with delivery.
- Proactive: Follow through persistently on actions, dates, and evidence, and escalate bottlenecks clearly.
- Collaborative: Support the SVP Security and Compliance in building a mature, transparent, and well-governed security function.
Success Measures
- A current, well-maintained DTS ISMS with zero "reactive" compliance rushes.
- Security policies and standards reviewed, updated, and communicated on schedule.
- The Risk Review Board operating systematically with clear actions and high leadership engagement.
- DTS risk register actively used by leadership to drive risk-based decisions.
- Audit and certification evidence organized so there are "fewer surprises" during external audits and client reviews.
- Security governance fully embedded as a natural part of daily DTS operations.
Who you are:
You're open: We are inclusive and collaborative; we encourage the free exchange of ideas; we respect and celebrate diverse views. We are open-minded: to new ideas, new partnerships, new ways of working.
You're optimistic: We believe in the power of creativity, technology and talent to create brighter futures or our people, our clients and our communities. We approach all that we do with conviction: to try the new and to seek the unexpected.
You're extraordinary: we are stronger together: through collaboration we achieve the amazing. We are creative leaders and pioneers of our industry; we provide extraordinary every day.
What we'll give you:
Passionate, inspired people – We aim to create a culture in which people can do extraordinary work.
Scale and opportunity – We offer the opportunity to create, influence and complete projects at a scale that is unparalleled in the industry.
Challenging and stimulating work – Unique work and the opportunity to join a group of creative problem solvers. Are you up for the challenge?
#LI-Hybrid
We believe the best work happens when we're together, fostering creativity, collaboration, and connection. That's why we’ve adopted a hybrid approach, with teams in the office around four days a week. If you require accommodations or flexibility, please discuss this with the hiring team during the interview process.
WPP is an equal opportunity employer and considers applicants for all positions without discrimination or regard to particular characteristics. We are committed to fostering a culture of respect in which everyone feels they belong and has the same opportunities to progress in their careers.