Information Security Analyst

The Information Security Analyst is responsible for supporting information security governance, risk management, and compliance initiatives. The role focuses on ISMS and ISO 27001 operations, security risk and gap assessments, incident response support, regulatory compliance (e.g. PDPA, GDPR), and working with cross-functional teams to strengthen the organisations security posture.

Key Responsibilities

• Support and contribute to the organisations information security planning, strategy, and governance initiatives.
• Implement, operate, and continuously improve the Information Security Management System (ISMS), including support for ISO/IEC 27001 certification and audit activities.
• Perform security gap assessments using recognised frameworks such as NIST Cybersecurity Framework (CSF) and/or CIS Controls, and assist in tracking remediation actions.
• Conduct security risk assessments, maintain risk registers, and support risk mitigation and treatment plans.
• Participate in and support security incident response activities, including analysis, containment, and post-incident reviews.
• Assist in ensuring compliance with applicable information security and data protection regulations, including GDPR and the Personal Data Protection Act (PDPA).
• Develop, review, and maintain internal information security policies, standards, and guidelines.
• Plan, coordinate, and deliver security awareness and training programs to promote a strong security culture.
• Provide security guidance to IT and infrastructure teams across network, server, and cloud environments.
• Collaborate with cross-functional teams to integrate security controls into systems, projects, and operational processes.
• Prepare security documentation, reports, metrics, and audit evidence for management and stakeholders.

Requirements

• Bachelors degree in Computer Science, Information Technology, Engineering, or a related field.
• Minimum 5 years of experience in information security, including security planning, governance, or risk management.
• Professional certifications such as CISSP, CISM, or Registered Information Security Specialist.
• Experience developing and maintaining information security policies, standards, and procedures.
• Experience planning and delivering security awareness and training programs.
• Familiarity with cloud security, vulnerability management, and identity and access management concepts.
• Basic knowledge and operational experience with IT infrastructure (network, cloud, servers).
• Experience developing internal policies and guidelines is an added advantage.
• 3+ years of system operation and deployment experience is an added advantage.
• Ability to communicate effectively, influence stakeholders, and build consensus.
• Proactive, self-driven, and collaborative mindset.
• Experience in managing Linux OS and web servers including Apache and Nginx.