Risk Manager Information Security Jobs 2026 AFFCO Karachi
AFFCO
Posted Jun 22, 2026
About the Job
A. F. Ferguson & Co. (AFFCO) is one of Pakistan's most established professional services firms, founded in 1952 with roots tracing back to 1893. As a member firm of PwC (PricewaterhouseCoopers), the world's largest professional services network, AFFCO provides audit and accounting, tax advisory, management consulting, IT consulting, financial advisory, and business process outsourcing services. The firm operates from offices in Karachi, Lahore, and Islamabad, and serves blue-chip companies, financial institutions, and multinationals across Pakistan.
AFFCO is looking for a Risk Manager – Information Security based in Karachi. As Manager – Information Security, you will be responsible for establishing and enforcing security protocols that safeguard the company's information systems, digital assets, and customer data.
Job Details
| Field | Detail |
| --- | --- |
| Organization | AFFCO |
| Position | Risk Manager – Information Security |
| Location | Karachi |
| Education | Master's/Bachelor's degree (16 years) in Business Administration (Information Systems), Computer Science or a related field from an HEC-recognized institution |
| Experience | Minimum 3 years post-qualification experience in computer systems with specialization in information security |
| Age Limit | Maximum 40 years (as of the last date of submission of application) |
| Apply | https://www.affco.com.pk/recruitment |
Key Responsibilities
- Develop and Implement Information Security Strategy – Design and execute a comprehensive information security roadmap aligned with the company's digital infrastructure, business model, and regulatory obligations.
- Cybersecurity Risk Management – Identify, assess, and mitigate cybersecurity risks across infrastructure, applications, APIs, mobile platforms, and third-party integrations.
- Regulatory Compliance and SBP Alignment – Ensure full compliance with SBP guidelines and international security frameworks (e.g., ISO 27001, NIST), and act as the point of contact for regulator-driven security reviews.
- Security Architecture and Operations – Oversee the design, configuration, and monitoring of security systems including firewalls, endpoint protection, SIEM, encryption, and identity/access management tools.
- Incident Response and Threat Management – Develop and lead the incident response process, including detection, containment, investigation, recovery, and post-mortem reporting.
- Security Audits and Penetration Testing – Coordinate regular internal and third-party audits, vulnerability assessments, and penetration testing to ensure system hardening.
- Employee Awareness and Policy Enforcement – Establish security awareness programs, train internal staff, and enforce information security policies across all departments.
- Collaboration with Internal Audit and IT – Work closely with Internal Audit, Technology, and Compliance teams to ensure consistent enforcement of risk controls and secure infrastructure design.
Required Qualification and Experience
- Master's/Bachelor's degree (16 years of equivalent education) in Business Administration (Information Systems), Computer Science or a related field from an HEC-recognized institution
- Professional certifications such as CISSP, CISM, CEH, or ISO 27001 Lead Implementer/Auditor will be encouraged
- Minimum 3 years post-qualification experience in computer systems with specialization in information security will be highly preferred
- Age: Maximum 40 years as of the last date of submission of application
Relevant Expertise
- Information Security Expertise – Minimum 3 years of relevant experience in information security or cybersecurity roles, preferably within fintech, digital banking, or regulated financial institutions
- Regulatory and Standards Knowledge – Strong understanding of SBP cybersecurity guidelines, ISO 27001, NIST, and relevant global information security frameworks
- Incident Management and Threat Response – Demonstrated experience in handling security incidents, vulnerability assessments, and threat intelligence operations
- Security Operations and Architecture – Hands-on experience with firewalls, IDS/IPS, antivirus, endpoint protection, encryption, and secure network architecture
Required Competencies
- Technical Cybersecurity Proficiency – Deep technical knowledge of cybersecurity tools, infrastructure protection, and digital risk management in consumer-facing platforms
- Regulatory and Audit Readiness – Proven track record of preparing for and managing regulator-led audits and aligning cybersecurity operations with legal and compliance standards
- Risk and Policy Management – Ability to define, implement, and enforce cybersecurity policies, standards, and control frameworks organization-wide
- Cross-Functional Collaboration – Strong interpersonal skills to work closely with technology, audit, risk, and compliance teams to embed a culture of security
- Adaptability in Fast-Paced Environments – Demonstrated ability to manage evolving security risks
How to Apply
- Apply online through AFFCO's official careers portal: https://www.affco.com.pk/recruitment
How to Prepare for This Role
The Risk Manager – Information Security role at AFFCO is a senior cybersecurity position at one of Pakistan's leading professional services firms and a member firm of PwC. The interview panel will assess your depth of technical knowledge in information security, your experience with SBP regulatory frameworks and international standards, and your ability to lead incident response and security operations at a strategic level. The guide below covers the four areas most likely to determine your selection.
The first two responsibilities listed are developing an information security strategy and managing cybersecurity risk. The panel will assess whether you can operate at a strategic level. Be ready to discuss: how you have designed or contributed to an information security roadmap at a previous organization, how you identified and assessed cybersecurity risks across infrastructure, applications, APIs, mobile platforms, and third-party integrations, and how you prioritized and mitigated those risks within a business context. Prepare a clear example of a risk assessment you led and the controls you recommended or implemented.
AFFCO serves financial institutions, multinationals, and blue-chip companies across Pakistan. Be ready to discuss cybersecurity risks specific to a professional services environment: client data protection, secure infrastructure across multiple offices, third-party integrations, and regulatory compliance for financial sector clients. Framing your experience in a regulated, client-facing context will strengthen your candidacy.
Regulatory compliance is explicitly required and AFFCO is regulated by the State Bank of Pakistan. The panel will assess your working knowledge of SBP cybersecurity guidelines, ISO 27001, and NIST frameworks. Be ready to discuss: how you have implemented or audited against ISO 27001 controls, how you have prepared for or supported regulator-led security reviews, and how you have maintained ongoing compliance with SBP directives. If you hold an ISO 27001 Lead Implementer or Lead Auditor certification, prepare to discuss what the certification process involved and how you applied it in practice.
The role explicitly requires acting as the point of contact for regulator-driven security reviews. Be ready to describe a specific instance where you coordinated with a regulator or external auditor for a cybersecurity review: what you prepared, how you managed the review process, and what the outcome was.
Three of the eight listed responsibilities relate to hands-on technical operations: security architecture, incident response, and coordinating penetration testing. The panel will assess your practical depth. For incident response, prepare a specific example of a security incident you led from detection through post-mortem reporting. For security architecture, be ready to discuss your hands-on experience with firewalls, SIEM, endpoint protection, IDS/IPS, encryption, and identity/access management tools. For penetration testing, describe how you have coordinated internal or third-party pen tests and acted on the findings.
For certifications, CISSP covers security architecture and risk management broadly, CISM focuses on information security management, and CEH is relevant to penetration testing and ethical hacking. If you hold any of these, prepare a brief explanation of your certification and how it applies to this specific role. If you do not yet hold these certifications, acknowledge awareness of the frameworks they cover.
This role requires close collaboration with Internal Audit, Technology, and Compliance teams, as well as running employee security awareness programs. The panel will want to see that you can enforce security policies across an organization without having direct authority over all departments. Be ready to discuss: how you have built a security-aware culture across non-technical teams, how you have navigated pushback when enforcing security controls that impacted business operations, and how you have worked with internal audit or compliance teams to close control gaps. Apply through the AFFCO recruitment portal at https://www.affco.com.pk/recruitment.