🔒 You need security that actually works — not a report that says it does. The organisations I work with want to find the vulnerabilities that matter, fix them with confidence, and get on with growing their business without security becoming the thing that stops them.
I have delivered over 1,000 commercial penetration tests across 27 years. Not side projects. Not internal assessments. Full mission-critical engagements for high street and investment banks, hedge funds, insurance firms, government departments, police, military, national infrastructure, retailers, law firms, airports and more. I led the security architecture for the Athens 2004 Olympics internet-facing systems. I was lead architect on the UK Cyber Essentials scheme at launch. I have published in commercial security press and guest lectured at universities.
There is a difference between someone who does penetration testing and someone who has seen every flavour of environment, every attack pattern, and every way organisations deceive themselves about their security posture. That difference is what you are hiring.
🎯 Where can I help:
🗡️ Network & Infrastructure Penetration Testing — adversarial testing of internal and external infrastructure, finding exploitable exposures before an attacker does.
🌐 Application Penetration Testing — web application and API security testing against real attack patterns: authentication, authorisation, input handling and business logic flaws.
☁️ Microsoft 365 Security Assessment — Entra ID, Conditional Access, PIM, Intune, DLP, sensitivity labelling, Exchange Online and Defender for Office 365.
🔷 Azure Security Assessment — identity and access management, network controls, storage and key management, Defender for Cloud posture, and monitoring coverage.
🟢 Google Workspace, GCP & AWS Security Assessments — configuration and access control assessments across Google and Amazon cloud environments.
🏛️ Security Architecture and Risk Advisory — senior technical input on architecture decisions, control design and risk without a full engagement commitment.
👤 Every engagement is delivered directly by me — David Morgan, founder of Metis Security. No account management layer, no junior handoffs, no templated output. You work with the person conducting the analysis and writing the report.
📋 How I work is as important as what I find
Every finding in my reports is one I will defend as genuinely material to your environment. No padding, no low-hanging fruit included to justify the fee, no default risk ratings copied from a scanner. If your context changes the risk, the rating reflects that.
What you receive:
✅ A visually structured report with clear separation between executive summary, findings and remediation roadmap — written to be read by people who are not security specialists
✅ Risk ratings adjusted to your specific environment and context, not defaulted from a tool
✅ A prioritised remediation roadmap so your team knows exactly what to fix first and why it matters commercially
✅ Immediate escalation of any high-risk finding or schedule-affecting issue during the engagement — you are never waiting until the end to hear something important
✅ Daily status updates so you always know where the engagement stands
✅ A debrief call at close to walk through findings, answer questions and finalise the report before it is delivered
CISSP | ISSAP | Microsoft Security certifications | 27 years
If you need to know whether your environment is genuinely secure — not whether it looks configured — I am worth a conversation.
Information Security Audit
Penetration Testing
Web Application Security
Network Penetration Testing
Office 365
Microsoft Azure
Cloud Security
Network Security
Vulnerability Assessment
Security Assessment & Testing
Cybersecurity Management
Zero Trust Architecture
Security Analysis
Google Cloud Platform
Google Workspace
Amazon Web Services
NIST Cybersecurity Framework
Microsoft 365 Copilot
Internet Security
Information Security Consultation
Rob S.
Bembridge, United Kingdom
$60/hr
4.9
353 jobs
IT Professional with over 30 years experience. 15+ years experience in web development. 10+ Years experience in PCI-DSS Consultation, including level 1 companies, working with QSA's to swiftly obtain compliance. For the past seven years, I have been providing GDPR consultation to many small to medium-sized companies. Five years experience with ISO 27001 helping clients get and maintain ISO 27001 accredited certification.
I spent 20 years working in various IT roles, mainly support, engineering, and web development, within one of the largest companies in the world. I was awarded Charted IT Professional status from the British Computer Society in July 2008. Since then, I have run my own company with a small team producing web-based platforms and services and offering freelance compliance consultation to small businesses.
I have also worked as a CTO on several start-up projects managing their entire IT infrastructure and gaining valuable PCI compliance experience, essential to all e-commerce projects.
Due to my experience and varied IT roles, I have a good knowledge of web design, programming, databases, security, SEO, troubleshooting, technical writing & more.
I am a highly organised and reliable individual, utilising existing knowledge and experiences to find practical solutions to even the most complex project.
Information Security Audit
Information Security
Security Analysis
Web Content Accessibility Guidelines
GDPR
Risk Assessment
ISO 27001
Compliance
PCI
Website Security
Data Protection
PCI DSS
Vulnerability Assessment
Data Privacy
Compliance Consultation
Omer R.
London, United Kingdom
$10/hr
4.3
7 jobs
Cyber Security, Compliance, and Cloud Infrastructure expert with extensive knowledge of global regulatory standards and secure architecture review.
As an ISO 27001 Lead Auditor and the CTO of CyberGaar, I bring deep technical expertise and strategic leadership to ensure your systems meet strict compliance requirements.
Compliance & Audit Expertise Includes:
- ISO 27001, PCI-DSS, SOC 2, GDPR
- NIST SP 800-53, NIST SP 800-63, OWASP Standards
- Risk & Gap Analysis, Control Activity Matrix (CAM) development
- Vulnerability Assessment review, Penetration Test & Scanning Report analysis
- Documentation review, Physical Security assessments, and Control Advisory
Technical & Infrastructure Expertise Includes:
- Cloud Platforms: AWS, Azure, Oracle Cloud
- DevOps & CI/CD Security: Terraform, Ansible
- Virtualization & Containerization: Docker, Kubernetes, VMware, Proxmox
- Architecture & Code Review: C++, .NET, Java, Python, Node.js, Next.js
- On-Premise and Hybrid Cloud environments
PCI
NIST Cybersecurity Framework
NIST SP 800-53
GDPR
HIPAA
ISO 27001
Gap Analysis
Secure SDLC
.NET Core
Java
C++
Python
Terraform
Ansible
Penetration Testing
Ayushi G.
London, United Kingdom
$60/hr
5.0
19 jobs
Top Rated Plus | CISA | ISO 27001 & ISO 42001 Lead Auditor | IAPP Certified Privacy Professional
I'm an IT Audit Manager at a leading European consulting firm, with prior experience at a Big 4, delivering high-impact assurance and advisory engagements across Financial Services, Energy & Infrastructure, and Public Sector clients globally.
What I bring to the table:
ISO 27001 & 42001 - I hold Lead Auditor certifications for both ISO 27001:2022 and ISO 42001 (AI Management Systems). I've led certification audits end-to-end and supported clients through readiness, gap assessment, policy and procedure development, internal audit programmes, and management review - for both first-time certifications and surveillance cycles. My experience spans multinationals, SMEs, and early-stage startups across the UK, US, EU, and beyond, so I understand how to make the standard practical and proportionate regardless of your organisation's size or maturity.
AI Governance - One of a small pool of practitioners certified to audit against ISO 42001. I help organisations build and assess governance frameworks for AI systems, covering risk, accountability, and compliance requirements.
Privacy & Data Protection - As a CIPP/E certified professional, I've conducted GDPR audits and gap assessments for clients across the UK, US, EU, and South Africa, covering data mapping, lawful basis, DPIAs, and third-party data flows.
Broader Assurance Coverage - My engagements span:
- SOC 2 (manual and tool-assisted via Vanta, Drata, Secureframe)
- SWIFT Customer Security Controls Framework (CSCF)
- Third-Party Risk Assessment (NIST SP 800-53, CIS Controls, CSA CCM)
- IT Health Checks (ITHC) and penetration testing oversight
- Segregation of Duties (SoD) reviews
- SDLC, Change & Incident Management
- DR/BCP reviews
- ISO 9001 and ISO 27701
Certifications: CISA | ISO 27001:2022 Lead Auditor | ISO 42001 Lead Auditor | CIPP/E | SWIFT CSCF | CSM | CSPO
Whether you're a startup pursuing your first ISO certification or an established organisation needing an experienced pair of eyes on your controls, I deliver quality work on time with no chasing required. If you need someone who can hit the ground running, ask the right questions, and give you an honest view of where you stand, feel free to reach out.
Financial Audit
Cybersecurity Management
Business Analysis
Information Technology
Governance, Risk Management & Compliance
GDPR
Data Privacy
Risk Assessment
NIST SP 800-53
ISO 27001
Product Strategy
Digital Transformation
Secure SDLC
Program Management
AI Governance
ISO 9001
Change Management
IT Compliance Audit
Incident Management
Artificial Intelligence
Creston V.
Wembley, United Kingdom
$75/hr
4.9
27 jobs
Microsoft 365 Architecture Expert!
Microsoft Certified: Cybersecurity Architect Expert
E-Learn Certified Professional Penetration Tester
Dedicated and ambitious Cyber Security Solutions Architect with a extensive experience in information security principles and industry leading best security practices with over 10 years of experience in the corporate world.
I have helped companies achieve compliancy & audited for Cyber Security Frameworks such as ISO 27001, SOC 2, Cyber Essentials Plus, GDPR and many more by carefully planning based on budget, current Infrastructure assessment, Security testings and remediation efforts.
Proficient in conducting risk assessments, penetrations testing, implementing security controls, and assisting in incident response. Skilled in utilizing cybersecurity tools and technologies to detect and mitigate threats. Committed to learning and expanding knowledge in the field to contribute to the organization's security objectives. Strong teamwork and communication skills, with a passion for maintaining a secure and resilient IT environment.
System Security
Security Engineering
VPN
Cloud Security Framework
User Identity Management
Microsoft Active Directory
Office 365
Enterprise Architecture
Application Security
Virtualization
Insurance & Risk Management
Malware Detection
Security Management
Threat Detection
Data Protection
Sivakumar R.
Birmingham, United Kingdom
$40/hr
5.0
1 jobs
Sivakumar Raju is a seasoned Technology Risk, Audit, and Compliance Consultant with over 15 years of experience in implementing and auditing information security frameworks. He specialises in developing security policies, conducting risk assessments, evaluating the effectiveness of controls, and providing strategic guidance to address compliance gaps.
Experienced Technology Auditor Offering the Following Services:
1. SOC 1 (System and Organization Controls 1) – Based on ISAE 3402, issued under the AICPA framework (U.S.); focuses on controls relevant to financial reporting.
2. SOC 2 / SOC 3 – Based on AICPA Trust Services Criteria; focuses on security, availability, processing integrity, confidentiality, and privacy.
3. ISO/IEC 27001: 2022 Certification
4. CSA STAR Attestation
5. PCI DSS (Payment Card Industry Data Security Standard)
6. NIST SP 800-53 / FedRAMP Compliance
7. C5 (Cloud Computing Compliance Criteria Catalogue)
8. Third party vendor risk assessments
9. ISAE 3402 Audit Support (Third party service auditor reports)
IT Compliance Audit
ISO 27001
Risk Management
Governance, Risk & Compliance Software
How it works
Post a job for freePost a job
Tell us what you need. Create your own job post or generate one with AI then filter talent matches.
Hire top talent fast
Consult, interview, and hire quickly, so you can meet the freelancers you're excited about.
Collaborate easily
Use Upwork to chat or video call, share files, and track project progress right from the app.
Payment simplified
Manage payments in one place with flexible billing options. Only pay for approved work, hourly or by milestone.
Don't just take our word for it
“Upwork provides an umbrella-level of security. I can see a talent’s work history and ratings. I can hold payments in escrow. I can communicate through Upwork Messages instead of working through my email address.”
KD
Kim Darling
Emerald Tiger
“Upwork is the best platform to hire skilled professionals when we're not looking for a full-time employee. All the companies in our portfolio use Upwork to find talent across a wide range of fields.”
DM
David Merry
Kinetic Investments
“Our very specific requirements can be a challenge—With Upwork, we’re able to access a bigger community to ensure the success of our projects.”
KK
Katja Krohn
Summa Linguae
How do I hire a Information Security Audit Freelancer in the United Kingdom on Upwork?
You can hire a Information Security Audit Freelancer in the United Kingdom on Upwork in four simple steps:
Create a job post tailored to your Information Security Audit Freelancer project scope. We'll walk you through the process step by step.
Browse top Information Security Audit Freelancer talent on Upwork and invite them to your project.
Once the proposals start flowing in, create a shortlist of top Information Security Audit Freelancer profiles and interview.
Hire the right Information Security Audit Freelancer for your project from Upwork, the world's largest work marketplace.
At Upwork, we believe talent staffing should be easy.
How much does it cost to hire a Information Security Audit Freelancer?
Rates charged by Information Security Audit Freelancers on Upwork can vary with a number of factors including experience, location, and market conditions. See hourly rates for in-demand skills on Upwork.
Why hire a Information Security Audit Freelancer in the United Kingdom on Upwork?
As the world's work marketplace, we connect highly-skilled freelance Information Security Audit Freelancers and businesses and help them build trusted, long-term relationships so they can achieve more together. Let us help you build the dream Information Security Audit Freelancer team you need to succeed.
Can I hire a Information Security Audit Freelancer in the United Kingdom within 24 hours on Upwork?
Depending on availability and the quality of your job post, it's entirely possible to sign up for Upwork and receive Information Security Audit Freelancer proposals within 24 hours of posting a job description.
Find more freelancers
Top cities for Information Security Audit Freelancers in the United Kingdom