Tasks and Responsibilities

📍Support the design and improvement of the information security framework (ISF): policies, controls, procedures using the NIST Cyber Security Framework; including third party risk management. 📍Assess new and existing systems, data flows, business processes, and third party providers engagements and services to implement and verify compliance to the ISF reporting identified risks and issues to systems, processes and third party providers owners. 📍Perform information security risk assessments such as but not limited to: security business impact analysis (BIA) and business dependency analysis; security controls plans; controls maturity assessments; third party provider risk profiling, risk assessments and audits. 📍Maintains the information security risks and issues registers, deliver high quality reports and run information security committees meetings with business and IT mangement to manage risks. 📍Support the design and improvement of the third party information risk management policies, controls and procedures. Assist or lead assessment of information security risks arising from engagement with third party providers and drive remediation efforts. 📍Drive the design and implementation of a GRC platform including functional requirements, reviewing process designs, rolling out the new processes to the business and IT teams. 📍Support in the administration and maintenance of the GRC tool. 📍Design, improve and periodically report security key risk indicators and metrics to IT and business management to support continuous improvements and increase security maturity in our business processes. 📍Designs, and delivers the security education training awareness program (SETA) across all business functions. Manage external resources supporting the security awareness activities. 📍Desirable: Experience in implementing controls and managing compliance risks in regards to GXP regulated systems, data protection regulations such as EU and UK GDPR, CCPA, and cyber security regulations such as the EU NIS2, and the USA SEC Disclosure

Requirements.

📍Minimun of 10 years of professional experience in information technology, at least 3 years as an information security risk manager, preferably in a pharmaceutical, biotechnology or in other manufacturing organizations. 📍Bachelor’s or Master’s degree in information security, or in Information Technology. 📍Relevant information security professional certifications e.g. CISSP, CISM, CRISC, CISA, GSEC-GIAC, ISO 27001 auditor / practitioner. 📍Desirable: Training and or certifications in GRC platforms such as ServiceNow GRC, Archer, Metricstream; and the NIST Cyber Security Framework: Standards, Guidelines and Practises. 📍You are resilient and take accountability for delivering your work. 📍You are passionate about cybersecurity and is able to coach and help others who come from different backgrounds in information technology, compliance or information security domains. 📍You have a high level of personal integrity, ability to professionally handle confidential matters and convince others using appropriate level of judgment and maturity. 📍You have strong verbal and written communication skills in English, German is a plus. 📍You are a strong communicator: presentation and training, relationship management, consultation, negotiation. 📍You can work in a matrix and geographically dispersed organization. 📍All candidates must provide a Criminal record (not older than 3 months).