Job purpose

The Security Compliance Lead is responsible for the ongoing operation of Fusion5's governance, risk and compliance function and supports the CISO in ensuring security controls, risk management and compliance activities are consistently embedded across the organization. The role focuses on maintaining continuous alignment between security requirements and day-to-day business operations, ensuring that governance processes, evidence and controls remain current as the organization evolves. This position works closely with delivery, engineering, ICT, product, legal and procurement teams to support secure, compliant services across all regions.

The Security Compliance Lead also provides operational security leadership during cybersecurity incidents, acting in lieu of the CISO when required to support incident coordination, governance oversight and timely decision-making.

Operating model & working time alignment

The Security Compliance Lead operates as an embedded, operational role within Fusion5 and is required to work aligned hours with most of the business, primarily NZ and AU core working hours (3:00/4:00 AM IST login). This alignment is required to enable:

∙ Real-time collaboration with delivery, engineering, ICT, product, legal and procurement teams
∙ Timely participation in security incidents, risk discussions and operational decision-making
∙ Effective coordination of audits, assurance activities and remediation follow-ups
∙ Responsive handling of client, vendor and regulatory security requests

Due to the nature of the role, security governance, incident response support and assurance activities cannot be effectively delivered on delayed time zones.

Key accountabilities

ISMS & ISO 27001/27701 Ownership

∙ Maintain and operate the ISMS across NZ, AU and India as a continuous, year-round programme of work.
∙ Own the Statement of Applicability (SoA) and ensure accurate implementation of all required controls through ongoing engagement with system and process owners.
∙ Lead internal and external ISO audits, including surveillance and recertification cycles, supported by regular control reviews and evidence validation throughout the year.
∙ Ensure policies, procedures and supporting evidence remain aligned to ISO 27001/27701 requirements through active collaboration with teams as services, systems and processes change.

Risk Management & Governance

∙ Own the cybersecurity risk management register and conduct quarterly risk reviews supported by regular engagement with business and system owners.
∙ Approve risk assessments, treatment plans, residual risk acceptance and exceptions based on current operational context and control effectiveness.
∙ Maintain oversight of risk registers, treatment progress and control maturity across pillars through consistent follow-up, review meetings and status updates with accountable owners.
∙ Ensure alignment with NIST CSF v2.0, AE8 and privacy compliance requirements as part of ongoing governance activities, not point-in-time assessments.

Audit Leadership

∙ Lead internal audits, client audits and regulator-driven assessments as part of established governance and assurance processes.
∙ Review evidence, findings and remediation plans through regular check-ins with teams to confirm accuracy, completeness and progress.
∙ Govern audit logs, documentation, corrective actions and follow-up activities, ensuring issues are tracked, discussed and resolved with responsible owners.

Incident Response & Operational Support

∙ Support cybersecurity incident response activities in line with the Incident Response Plan.
∙ Act as the primary governance and compliance lead during incidents and as the delegate for the CISO when required.
∙ Provide real-time, hands-on support to incident response managers, ICT, engineering, legal and communications teams during active incidents.
∙ Ensure incident-related decisions, actions and communications align with regulatory, contractual and compliance obligations.
∙ Oversee post-incident reviews, working directly with teams to ensure findings, control gaps and improvement actions are documented, owned and progressed.

Penetration Testing & Assurance

∙ Manage annual penetration testing, including scoping, scheduling and vendor engagement, supported by ongoing coordination with technical teams.
∙ Govern remediation outcomes with ICT, developers and system owners through regular follow-ups to confirm progress, evidence and closure.
∙ Track findings, ensure timely resolution and integrate outcomes into risk management and monthly reporting.

Reporting & Metrics

∙ Produce monthly security metrics for the CISO, including audit status, ISO evidence progress, risk changes, pen-test remediation, exceptions and training compliance.
∙ Support SGSC and Board-level reporting through structured dashboards and summaries informed by current, validated operational inputs.

Documentation & Compliance

∙ Maintain governance over policy documents, control documentation and procedures through ongoing review and engagement with content owners.
∙ Ensure evidence repositories, SharePoint structures and ISMS documentation remain accurate and audit-ready through regular validation with teams throughout the year.
∙ Oversee consistency of documentation across all pillars and regions by working directly with teams to establish, update and maintain artefacts.

Key behavioural competencies

Customer-centric Thinking

∙ Considers customer impact in all security and compliance decisions.
∙ Advocates for secure services that support customer trust and contractual obligations.
∙ Balances security, compliance and delivery requirements in customer-facing contexts.
∙ Communicates risk, assurance posture and compliance status in clear, customer-appropriate language.
∙ Prioritises issues that affect customer data protection, service integrity and regulatory exposure.

Collaboration & Teamwork

∙ Engages effectively with a wide range of stakeholders across NZ and Australia, including engineering, product, operations, legal, procurement and leadership.
∙ Builds strong working relationships through regular one-to-one and team-based engagement.
∙ Leads and facilitates workshops with teams to establish, develop and maintain governance artefacts, controls and evidence required for certification and audits.
∙ Supports teams during audits, assurance activities and incidents through clear guidance and coordination.
∙ Adopts a collaborative, practical and solution-focused approach when working with diverse teams.

Communication & Influence

∙ Demonstrates strong written communication skills, including the ability to produce clear, structured policies, standards, reports and audit artefacts.
∙ Communicates complex governance, risk and compliance requirements in a way that is understandable to technical and non-technical audiences.
∙ Provides concise, well-reasoned advice to senior stakeholders to support timely decision-making.
∙ Is able to join calls or discussions at short notice when issues require immediate attention or clarification.

Critical Thinking & Problem Solving

∙ Applies structured reasoning and evidence-based analysis to assess security and compliance risks.
∙ Breaks complex regulatory and certification requirements into clear, actionable steps for teams.
∙ Evaluates options and trade-offs based on risk, business impact and feasibility.
∙ Continuously refines governance processes based on audit outcomes, incidents and operational feedback.

Governance & Certification Leadership

∙ Demonstrates deep, practical understanding of ISO 27001/27701 and how certification frameworks operate in practice.
∙ Builds, operates and improves governance and certification frameworks as ongoing programmes of work.
∙ Leads evidence development, validation and collation activities in partnership with system and process owners.
∙ Ensures certification activities are embedded into everyday business operations rather than treated as isolated exercises.

Risk Management Mindset

∙ Proactively identifies emerging risks across systems, services and vendors.
∙ Maintains and drives risk registers through consistent engagement with accountable owners.
∙ Follows up remediation actions through regular discussion, validation and status review.
∙ Communicates risk in business-relevant terms to support prioritisation and informed decision-making.

Learning Agility

∙ Demonstrates initiative and ownership in identifying gaps, improvements and emerging requirements.
∙ Responds quickly to changing priorities, incidents or assurance requests.
∙ Learns from audits, incidents and regulatory change to continuously strengthen governance outcomes.

Core Competencies

∙ Strategic thinking
∙ Problem-solving
∙ Adaptability
∙ Governance and technical leadership
∙ Stakeholder engagement and communication

Success Factors

∙ Maintains audit readiness through year-round governance, evidence and control management.
∙ Establishes trusted working relationships with system owners, delivery teams and leadership across NZ and AU.
∙ Produces high-quality policies, reports and certification artefacts that meet audit and customer expectations.
∙ Leads certification and assurance activities with minimal findings and efficient remediation.
∙ Provides timely, authoritative input during audits, incidents and risk discussions.

Experience

∙ 5+ years in cybersecurity governance, compliance, audit or risk roles.
∙ Strong practical experience building and operating ISO 27001/27701 governance and certification frameworks.
∙ Demonstrated experience leading audits, assessments and certification programmes.
∙ Proven ability to run workshops and working sessions focused on evidence development, risk and control maturity.
∙ Strong experience managing risk registers and driving remediation with system and service owners.
∙ Excellent written communication skills for policies, standards, audit responses and executive reporting.
∙ Experience supporting incident response, post-incident reviews and business continuity activities.
Job Title: Security Compliance Lead