GRC Officer

Near Brussels Midi Station, Brussels-Capital Region, Belgium

Ypto

Ypto works behind the scenes on the digital transformation and ICT infrastructure of the Belgian railways, NMBS.


As a GRC Officer within the CISO team, you will be responsible for managing and improving the Governance, Risk and Compliance processes of our organization. You will work closely with various internal and external stakeholders to ensure a seamless integration of risk management and compliance within all layers of the organization.

Your main task is to ensure that our organization complies with relevant laws and regulations, including NIS2 and GDPR, and that our internal processes and procedures are constantly adapted to the latest developments in information security and risk management.

The role also includes contributing to, or co-developing, implementing and maintaining an effective Information Security Management System (ISMS) and risk management program that protects the organization's sensitive information, ensures compliance with relevant regulations and minimizes security risks.

 

DOMAIN-RELATED:

Governance:

  •      Develop and maintain an effective GRC Framework that ensures the organization complies with legal, regulatory and internal requirements.

  •      Collaborate with the Enterprise Risk Management team to align risk management strategies with business objectives.

Risk:

  •      Identify, assess and manage risks within the organization, with a special focus on IT, cyber and information security risks.

  •      Prepare risk assessment reports and ensure timely and effective communication of risks to the relevant stakeholders.

  •      Monitor and report on the effectiveness of risk management measures.

Compliance:

  •      Ensure compliance with relevant laws and regulations such as NIS2 and GDPR.

  •      Develop, implement, and manage compliance programs and controls within the organization.

  •      Maintain relationships with regulatory bodies and ensure that the organization responds to regulatory changes in a timely and effective manner.

ROLE-RELATED:

  •      Implementation

  •      Monitoring and Reporting

  •      Advice and guidance

  •      Improvement of processes

  •      Response to incidents

 

TASK-RELATED:

ISMS Development and Deployment:

  •      Support the ISMS domain lead in developing, implementing, and maintaining the organization's ISMS framework in accordance with international standards (e.g., ISO 27001).

  •      Identify and classify information assets, assess risks, and establish appropriate security controls.

Risk Analysis and Risk Management:

  •      Support the Risk domain lead in the implementation of new methodologies.

  •      Conduct regular risk assessments to identify vulnerabilities and threats to the organization's information systems and data.

  •      Prioritize risks based on their potential impact and likelihood, and develop mitigation strategies.

  •      Integrate with projects and implementations to provide timely and accurate recommendations as preventive risk measures.

Compliance with Policies and Procedures:

  •      Create and update security policies, procedures, and guidelines in line with industry best practices and regulatory requirements.

  •      Communicate and inform employees about security policies and procedures.

  •      Follow up on policies and monitor compliance with them.

Project Management:

  •      Lead and support GRC-related projects from start to finish, leveraging advanced project management skills.

  •      Collaborate with internal teams such as Security Architects, Cybersecurity, and Identity, Credential and Access Management (ICAM) to achieve project objectives.

  •      Ensure timely delivery of projects within scope, budget, and set timelines.

Stakeholder Management:

  •      Act as a Subject Matter Expert (SME) for all GRC topics within the organization.

  •      Communicate and collaborate effectively with different teams and departments to achieve GRC objectives.

Requirements

  • Master's or Bachelor's degree in Computer Science, Business Administration, Law or a related field

  • Relevant information security and risk certifications, such as CISSP, CRISC, CISM or other

  • Relevant project management certifications such as PMP, PRINCE2 or another project management certification

  • Knowledge of ISO 27001 to 27005, the NIST Cybersecurity Framework and risk management frameworks such as FAIR

  • Extensive knowledge of NIS2, GDPR and other relevant laws and regulations

  • Knowing the applicable policies and legislation and safeguarding compliance with them

  • Knowledge of Information Security Management Systems, Information Security Principles and Standards, Information Security Governance, Policies & Awareness

  • Knowledge of Information Security Risk Management

  • Knowledge of cybersecurity and privacy standards, frameworks, policies, regulations, legislation, certifications and best practices

  • Familiarity with GRC tooling, CISO Security Solutions & Services

  • Familiarity with auditing an ISMS and IT compliance along with best practices for responding to audit findings

  • Keeping records, processing data and ensuring their quality and completeness

 

Required skills:

  • Strong analytical and problem-solving skills and the ability to solve complex problems

  • Excellent communication skills, both written and verbal

  • Fluent in English and in at least one of the national languages (Dutch or French), with some knowledge of the other

 

Additional plusses:

  • Knowledge of Management Practices & Resource Management

  • Knowledge of Cybersecurity Measures and Cybersecurity Maturity Models

  • Knowledge of IT data flow documentation

  • Knowledge of the structure and internal (work) procedures of the organization

  • Knowledge of current and company-specific software


Our offer

Within our open corporate culture, you contribute to the digital transformation of SNCB. You will have a job with social impact and ample opportunity to make your own contribution. In addition to a good work-life balance and a competitive salary, you will receive the following benefits:

  • the possibility to work remotely + flexible working hours;

  • 35 days of leave;

  • a company car + a public transport season ticket;

  • a target bonus;

  • a comprehensive insurance package (affiliation without own contribution, excl. outpatient costs for family members);

    • hospitalisation and dental care for the whole family;

    • outpatient costs (= medical costs separate from hospitalisation);

    • group insurance: supplementary pension, work disability and death (cafeteria plan);

    • accidents at work (extralegal);

  • meal vouchers and eco-vouchers;

  • net allowances for remote working and car wash + internet budget.


Region: Europe
Country: Belgium
