Information Security & Risk Manager (ISO 27001)
Position Description

Reporting to: CTO/CISO
Hours: 20-30 hrs per week, Part Time or Fractional
Term: Permanent or Contractor
Location: Christchurch, New Zealand
Date: December 2025
Purpose of the Position
As the iViis & Spinika group* continues to expand its client base, we need a dedicated part-time role to manage the group's ISO 27001 certification and audit, monitor and improve the security posture of the group, and proactively assess the threat environment so that action can be taken when necessary.
This position plays a key role in maintaining our credibility in the market, protecting our client and staff information, and reducing the risks associated with bad actors targeting iViis and Spinika.
The Information Security & Risk Manager is responsible for the end-to-end management of the organisation's information security management system (ISMS), including ISO/IEC 27001 certification, audits, security incident management, internal reviews, and the continuous improvement of the security posture.
This role assumes operational responsibilities typically held by a CISO and acts as the day-to-day owner of security governance, working closely with engineering, product, leadership, and external auditors.
The ISO 27001 programme has been in place since 2013, is mature, and is certified. This role is to maintain the current quality and improve where practical.
*iViis and Spinika share certification as they follow and apply the same programme of work: iViis is the platform provider and Spinika its largest internal client.
Key Responsibilities
ISO 27001 ownership & certification
- Own and maintain the ISO/IEC 27001 ISMS
- Lead:
  - Surveillance and recertification audits
  - External auditor engagement and remediation tracking
  - Risk register maintenance and treatment plans
- Ensure policies, controls, and evidence remain audit-ready year-round
- Translate ISO requirements into practical, business-aligned controls

Security governance and risk management
- Maintain and evolve:
  - Information security policies and standards
  - Risk assessments and control effectiveness reviews
- Conduct periodic internal ISMS audits and management reviews
- Provide security risk advice into:
  - Product development
  - Vendor and third-party risk assessments
  - Customer security questionnaires and due diligence

Security incident support
- Support the CISO during the security incident process, assisting with:
  - Incident classification and escalation
  - Root cause analysis and corrective actions
  - Post-incident reporting and lessons learned

Continuous improvement & security programme delivery
- Working with the CISO to:
  - Maintain a rolling security improvement roadmap
  - Prioritise initiatives based on:
    - Risk reduction
    - Audit findings
  - Track delivery of remediation actions and security initiatives
  - Drive practical improvements (not just documentation)
Skills, Knowledge and Attributes
This section outlines the capabilities required to perform effectively at 100% in this role, including qualifications, experience, competencies, and professional behaviours valued at Spinika.
Knowledge / Experience / Qualifications
- Strong experience in security, risk and compliance roles
- Hands-on experience with:
  - ISO/IEC 27001 certification and audits
  - Running an ISMS in production (not just implementation)
- Experience managing:
  - Security incidents
  - Audit findings and remediation programmes
- Comfortable operating in:
  - SaaS and technology-led professional services environments
- Qualifications which would be beneficial:
  - Relevant tertiary qualification in:
    - Information Security
    - Computer Science
    - Risk Management
    - Or equivalent experience
  - CISSP, CISM, CRISC
Key Performance Indicators
The position of Information Security & Risk Manager encompasses the following major functions of Key Performance Indicators:

Key Performance Indicator 1: ISO 27001 management
- The annual audit result supports a mature implementation and management of the ISO 27001 programme
- Issues identified are, in the main, limited to minor non-conformities
- Audit issues are remediated or accepted within required timeframes

Key Performance Indicator 2: Documentation and process management
- Security documentation is readily available and accessible for client and staff purposes
- Policies and procedures are maintained and reviewed annually or when changes are required

Key Performance Indicator 3: Audit
- Facilitate meetings and responses for internal and external audit
- Ensure clear communication with all parties
- Work effectively with the auditor to assess our compliance with the standard

Key Performance Indicator 4: Engineering programme of work
- Work with the technical teams to schedule and prioritise the audit programme
- Review and check the quality of the work undertaken

Key Performance Indicator 5: Continuous Improvement
- Continuously assess and provide recommendations to improve the group's security posture at a governance, management and technology level
- Suggest enhancements to processes, workflows, or specifications

Key Performance Indicator 7: Compliance with iViis / Spinika Policies & Health & Safety
- Ensure adherence to all Spinika policies, including health and safety requirements
- Promote wellbeing and foster a positive team environment
- Uphold Spinika's values and culture
- Demonstrate responsibility for personal and team safety
Milestones
When you join the team, you will:
- Learn the iViis/Spinika platform, modules, and configuration model.
- Demonstrate strong documentation and governance discipline.
- Build effective working relationships with the development team and internal stakeholders.
Changes to Job Description
This Job Description outlines the main duties and responsibilities of the position. It is not an exhaustive list of all responsibilities that may be required of the role. Employees may be asked to undertake any duties reasonably requested by the employer.
From time to time, changes may be required in response to evolving business needs, new technology, or updates in legislation. The Job Description may therefore be reviewed and updated accordingly.