Policy Lead

About the Role  

The Cyber Security Policy Lead is responsible for authoring, assuring, and continuously improving Haleon’s Information Security Policies & Standards. This role ensures that policy requirements are clear, actionable, and aligned with Haleon’s regulatory, statutory, contractual, industry best practice obligations. The Policy Lead partners closely with Cyber Advisory, GRC, Security Architecture, and Technical Domain teams to maintain a robust, traceable taxonomy that enables consistent measurement of secure and compliant outcomes across Haleon’s global technology environment. 

Key Responsibilities 

Policy Development & Lifecycle Management 

• Author, update, and maintain Haleon’s Information Security Policies & Standards. 

• Lead structured governance cycles, including annual reviews, stakeholder consultations, and approval processes. 

• Ensure policy, standard, control, and procedure documentation meets Haleon’s standards for clarity, accuracy, technical relevance, and usability. 

• Participate in policy exception processes, ensuring risk-based evaluation and traceability. 

Control Framework Integration & Taxonomy Management 

• Develop and maintain a policy-to-standards-to-controls taxonomy that supports measurable compliance and risk reporting. 

• Ensure alignment to recognized frameworks (NIST, CIS, ISO 27001) and harmonize external requirements into Haleon’s control library. 

• Partner with GRC teams to ensure policy requirements align with Haleon’s risk management systems and control sets. 

• Support development of testable control statements and evidence requirements. 

Cross-Functional Collaboration & Advisory 

• Work closely with Cyber Advisory to ensure policies support secure-by-design architecture and effective risk identification. 

• Partner with Domain Architects and SMEs across IAM, Cloud, Data, Infrastructure, OT, and Application Security to validate technical accuracy. 

• Serve as a policy authority during solution assessments, onboarding activities, and governance forums. 

• Support stakeholder education and communication to ensure policy understanding across Haleon. 

Continuous Compliance & Automation Support 

• Define policy and standard requirements that can be automated within solution delivery pipelines and operational platforms. 

• Collaborate with engineering and platform teams to embed policy-aligned controls into DevSecOps. 

• Contribute to Haleon’s continuous compliance strategy by ensuring traceable, measurable, and enforceable policy requirements. 

Governance, Assurance & Documentation Quality 

• Provide expert guidance for audits, assurance reviews, and regulatory assessments. 

• Maintain high-quality documentation and ensure all policy materials reflect Haleon’s governance model. 

• Identify opportunities to streamline and modernize Haleon’s policy framework and governance processes. 

Deliverables 

• Updated and approved Information Security Policies & Standards aligned with Haleon’s risk posture. 

• A unified, traceable policy taxonomy linking requirements to controls and assurance measures. 

• Clear and testable standard requirements enabling continuous compliance and automation. 

• Policy exception assessments and governance documentation. 

• High-quality communication materials for policy rollouts, stakeholder briefings, and awareness campaigns. 

Experience & Qualifications 

Required 

• 7–12 years experience in Cyber Security, Information Security Governance, GRC, or related roles. 

• Demonstrated experience authoring and governing security policies, standards, or enterprise control frameworks. 

• Strong understanding of key technical domains, including: IAM, Cloud, Data Protection, Infrastructure, Application Security, and OT. 

• Experience collaborating with architecture, engineering, and risk functions in a global enterprise. 

• Exceptional written communication and documentation skills. 

Preferred 

• Certifications: CISSP, CISM, ISO 27001 Lead Implementer/Auditor. 

• Experience working in regulated or high-governance environments. 

• Familiarity with GRC platforms (ServiceNow GRC, Archer, etc). 

• Experience with cloud governance and automated security controls. 

Core Competencies 

• Deep knowledge of security controls and governance principles. 

• Policy authoring, compliance analysis, and control mapping. 

• Analytical thinking and ability to simplify complex technical concepts. 

• Strong communication and collaboration skills. 

• Ability to influence decision-making across technical and business teams. 

• High standard of documentation quality and technical accuracy. 

• Strategic thinking with a continuous improvement mindset. 

What Success Looks Like 

• Haleon has a modern, cohesive, and measurable Information Security Policy framework. 

• Policies and standards clearly guide secure design decisions and support enterprise risk reduction. 

• Business and technical teams understand their obligations and feel supported by actionable guidance. 

• Policy requirements seamlessly integrate with Haleon’s risk management, continuous compliance, and automation initiatives. 

• Governance processes are efficient, transparent, and trusted. 

• Haleon’s security posture is strengthened through clear, consistent, and traceable security expectations.