
ROLE AND RESPONSIBILITIES
Information Security Governance & Risk Management
• Lead enterprise and project-level Information Security Risk Assessments, including identification, analysis, treatment, and reporting of security risks.
• Support project governance by embedding security risk management practices across technology and business initiatives.
• Identify, assess, and track project-related security risks, ensuring timely mitigation and risk acceptance where applicable.
Vendor Risk Management
• Own and operate the Vendor Risk Management (VRM) framework, including due diligence, onboarding assessments, periodic reviews, and exit assessments from an Information Security perspective.
• Perform security risk assessments of third-party vendors covering data protection, access controls, resilience, and regulatory compliance.
• Collaborate with Procurement, Legal, and Business teams to ensure security requirements are embedded into vendor contracts and SLAs.
ISO 27001 Implementation & Management
• Lead the ISO/IEC 27001 Information Security Management System (ISMS) implementation, operation, and continual improvement.
• Maintain ISMS documentation including policies, standards, procedures, risk registers, and control evidence.
• Coordinate internal audits, Management Reviews, corrective actions, and surveillance/certification audits.
Cyber Resilience
• Support and enhance Cyber Resilience programs including incident response, disaster recovery, and business continuity from an information security perspective.
• Participate in cyber incident simulations, tabletop exercises, and post-incident reviews to improve organizational readiness.
Job Description
TAGICL-D-JD | Rev No: 1.0 | Issued Date: 01.07.2024 | Classification: Internal
Logical Access Management (LAM) & Data Protection
• Review and validate role definitions and access controls defined by the Logical Access Management (LAM) team to ensure least privilege and segregation of duties.
• Oversee Data Leakage Management controls including monitoring, policy enforcement, and incident handling relating to data loss or exposure.
Security Awareness & Training
• Design and drive Information Security Awareness and Training programs for employees, contractors, and relevant third parties.
• Promote a strong security culture through campaigns, phishing simulations, and targeted training initiatives.
Audit & Compliance Management
• Act as the primary point of contact for internal and external audits related to information security.
• Coordinate audit responses, track observations, and ensure timely closure of audit findings.
• Support regulatory, customer, and contractual security compliance assessments.
KEY DECISIONS TAKEN
• Acceptance, mitigation, or escalation of information security risks in line with risk appetite.
• Review and recommendations for vendor onboarding and continued engagement from a security risk perspective.
• Determination of applicability and prioritization of ISO 27001 controls and security improvement initiatives.
• Recommendations on access control designs and exceptions in collaboration with the LAM team.
• Direction on corrective actions arising from audits, incidents, and risk assessments.
EDUCATION & EXPERIENCE REQUIREMENTS
• Bachelor's and/or master's degree in Information Technology, Computer Science, Cybersecurity, or a related field.
• 8-10 years of experience in Information Security, Risk Management, GRC, or related roles.
• Hands-on experience with ISO/IEC 27001 ISMS implementation and audits.
• Strong experience in vendor/third-party risk management, audits, and security risk assessments.
Certifications (preferred):
• ISO/IEC 27001 Lead Implementer / Lead Auditor
• CISM, CISSP, CRISC, or equivalent security certifications
Bachelor of Technology (B.Tech/B.E), Master of Technology (M.Tech/M.E)
Job ID: 147072709