Head of GRC
Job description
Original text imported from Reed
Job Title: Head of Governance, Risk & Compliance (GRC) – MSP Practice Lead
Location: London, hybrid (3 days onsite, 2 remote)
Job Type: Full-time, Permanent
The Opportunity
Are you a senior GRC expert ready to step out of a corporate cost-center and run your own practice?
A top-10 European Managed Service Provider (MSP) is hiring an entrepreneurial Head of GRC to take full strategic and commercial ownership of its fast-growing Compliance as a Service (CaaS) business line. This role perfectly balances internal corporate governance with high-level client advisory and Virtual CISO (vCISO) delivery.
Key Responsibilities
Practice Growth: Scale and productize the CaaS roadmap, driving revenue, pricing strategies, and service design.
vCISO Delivery: Act as the trusted boardroom advisor to mid-market clients across cyber security, risk, and resilience.
Core Frameworks: Lead client assessments and certification programmes across Cyber Essentials/CE+ and ISO 27001, and UK GDPR compliance work.
Innovation: Build next-generation AI Governance and operational resilience (BC/DR) frameworks.
Internal Audit: Maintain the firm’s elite internal ISO certifications and audit readiness.
What We Need
Senior GRC, InfoSec, or IT Audit experience, ideally within an MSP or tech consultancy.
Strong practical knowledge of Cyber Essentials, UK GDPR, and ISO 27001.
Exceptional executive presence—confident presenting risk and strategies to C-suite/board levels.
Commercial acumen to partner with sales teams and expand client adoption.
Desirable: CISSP, CISM, CRISC, or ISO 27001 Lead Auditor credentials.
Why Join Us?
Autonomy: Run this practice like your own business unit with full SLT backing.
Investment: Heavy funding for your ongoing professional development and elite certifications.
Scale: Join an ambitious firm growing rapidly through organic expansion and acquisitions.
Apply today to lead the future of Compliance as a Service.
Application advice
5 AI-generated recommendations to maximise your chances.
⭐ Open your Personal Statement with explicit mention of vCISO delivery and CaaS, as the advert names these as the two core pillars of the role.
📊 Quantify your GRC practice impact: e.g. "Built ISO 27001-certified CaaS offering serving 18 mid-market clients, growing practice revenue by 40% YoY."
🎯 Highlight any MSP or tech consultancy background prominently in your experience section — the advert explicitly prefers this context over pure in-house corporate roles.
🏅 List CISSP, CISM, CRISC, or ISO 27001 Lead Auditor credentials in a dedicated Certifications section near the top of your CV, as the advert calls these out as desirable differentiators.
🤝 Include a bullet under each relevant role demonstrating board or C-suite advisory experience, since "executive presence" and "boardroom advisor" are repeated requirements throughout the advert.
Suggested CV bullets
3 bullets our AI drafted for this specific advert, mirroring its ATS keywords.
Add these 3 bullets under your most recent experience:
- Designed and launched a Compliance as a Service (CaaS) product suite for an MSP client base of 22 mid-market organisations, achieving ISO 27001 certification for 14 clients within 18 months and growing practice revenue by £480k.
- Delivered vCISO advisory to 8 concurrent clients across financial services and professional services sectors, reducing average critical risk findings per audit from 11 to 3 over a 12-month engagement cycle.
- Led internal ISO 27001 and Cyber Essentials Plus recertification programme across a 200-person MSP, coordinating 4 internal auditors and achieving zero major non-conformities across two consecutive surveillance audits.
Your cover letter is ready
Letter preview — tailored to THAMES 360
Dear Hiring Manager,
Thames 360's Head of GRC role is precisely the inflection point I have been building towards — taking full strategic and commercial ownership of a Compliance as a Service practice, rather than operating as an internal cost-centre. My hands-on expertise in ISO 27001 implementation, Cyber Essentials Plus assessments, and vCISO delivery to mid-market clients maps directly to the responsibilities outlined in your advert.
My background in GRC within managed service environments has equipped me to productise compliance offerings, set pricing strategies, and present risk posture clearly to C-suite and board stakeholders. I have led organisations through ISO 27001 certification cycles, maintained audit readiness across multi-client portfolios, and developed operational resilience frameworks covering BC/DR scenarios for clients across regulated sectors.
Interview questions
10 questions generated from this advert.
Technical
- Walk us through how you would design and productise a Compliance as a Service (CaaS) roadmap for an MSP with a mid-market client base.
- How do you approach a gap assessment for a client seeking ISO 27001 certification for the first time, and what are the most common failure points?
- Describe your methodology for building an AI Governance framework. What standards or emerging guidance would you draw on?
- How do you structure a vCISO engagement to ensure continuity of risk oversight across multiple clients simultaneously?
- What are the key differences between Cyber Essentials and Cyber Essentials Plus, and in what client scenarios would you recommend each?
Behavioural
- Tell me about a time you had to present a complex risk or compliance issue to a board or C-suite audience who had limited technical knowledge.
- Describe a situation where you had to build a new practice or service line from scratch. What commercial and operational decisions did you make?
- Give an example of when you identified a significant compliance gap in a client's environment and how you managed the remediation process.
- Tell me about a time you had to balance multiple client GRC engagements simultaneously. How did you prioritise and manage delivery?
- Describe a situation where you partnered with a sales team to expand a client's adoption of compliance services. What was your approach and the outcome?
STAR answer examples
Model answers using the Situation-Task-Action-Result framework. Adapt to your own experience.
Tell me about a time you had to present a complex risk or compliance issue to a board or C-suite audience who had limited technical knowledge.
Describe a situation where you had to build a new practice or service line from scratch — what commercial and operational decisions did you make?