ISMS Security Administrator

Information Technology Houston, Texas Minneapolis, Minnesota


Description

JOB SUMMARY

Enterprise ISO Security Administrator’s primary focus will be leading and managing Empyreans ISO audits and certification. As the role broadens it will include participation in risk assessments, SOC 1 and 2 audits, penetration testing and so on. As part of this role you will be responsible for developing policies and processes aligned to Empyreans ISO/SOC control frameworks and ensuring those controls are adhered to, followed and working as designed

 

ESSENTIAL DUTIES AND RESPONSIBILITIES

  • Lead and manage ISO 27001 audit and certification
  • Review ISO 27001 controls testing and handle communications with control owners and business partners
  • Coordinates and collaborates with Empyrean business units on the identification of risks/gaps to ensure alignment with established control environments
  • Partner with business unit management to design and implement and test corrective action plans resulting from the ISO 27001 readiness assessment.
  • Manages internal audit projects related to ISO, SOC, information security/cyber, business application, and integrated business audits
  • Provides technical expertise to the teams and uses sound security and audit practices
  • Applies analytical skills to review information and determine potential control weaknesses.
  • Participates in meetings with business unit to discuss audit controls and results
  • Guide the planning, scoping and execution of ISO audits
  • Work with Security and Privacy teams to understand the information security and privacy risk profile and use this knowledge for ISO audit planning and execution.
  • Partner with security and engineering teams and lead and manage the ISO 27001 certification internal audit phase.
  • Partner with security and engineering teams to review, assess, and evaluate the effectiveness of the enterprise cybersecurity threat and vulnerability monitoring and management plan.
  • Partner with security and engineering teams to review, assess, and evaluate results of cybersecurity threat and vulnerability monitoring campaigns.
  • Design, lead and execute audit programs, including security and privacy audits, operational process reviews, system implementation reviews, application and other IT-related risk areas.
  • Ability to identify gaps in policies and policy documentation, then create the appropriate policy and/or bridge identified gaps.
  • Work cross-functionally on technology implementation projects to provide IT controls expertise and test controls to meet established control environments requirements. Understand applicable laws and regulations to provide a point of view on control requirements related to information security and privacy controls.
  • Work with management and users to interpret the significance of audit findings, conclude on findings, make practical recommendations, and verify that remediation plans are implemented.

REQUIRED SKILLS AND ABILITIES

  • Strong communication, presentation, and organization skills
  • Ability to multi-task and time management skills are essential
  • Ability to effectively engage and work with a variety of roles and teams
  • Prior compliance audit experience, in  particular ISO 27001 (SOC,  PCI-DSS, FedRamp etc. would be pluses )
  • Contribute to the overall success of the department and participate in various projects including technology, SOC 1 & 2 and ISO audits
  • Strong written and verbal skills with experience preparing work papers, audit reports, and presentations
  • Strong interpersonal skills with experience dealing with people of various levels of seniority
  • Solid understanding, experience, and skills related to the IIA Professional Practices and ISACA Technology Audit Standards
  • Strong understanding COSO, COBIT, ISO and NIST frameworks and controls within the framework.
  • CISA, CISSP, CIA, CPA or equivalent, a plus

 

KNOWLEDGE, EXPERIENCE AND/OR EDUCATION REQUIREMENTS

  • 5 year’s work experience in technology audit, information security engineering, IT governance risk and compliance, or related areas, preferably within the technology industry. Big 4 Experience strongly preferred
  • Must have completed ISO lead implementer courses, CISA, CISM and/or CISSP certifications preferred
  • Working knowledge of information technology best practices and control frameworks such as NIST CSF, CIS, ISO27001, COBIT, ITIL, ISMS
  • Demonstrated knowledge of technology risks, including direct experience evaluating the effectiveness of cybersecurity, privacy and engineering controls.
  • Strong understanding of cybersecurity processes and concepts (e.g. vulnerability management, security governance, software development, incident response, physical security, auditing and logging, micro segmentation, secure access service edges, zero trust architecture, Insider Threat,  Vendor Risk Management, PKI, penetration testing) as well as application controls and segregation of duties
  • Advanced understanding of internal controls and the demonstrated ability to evaluate and determine the adequacy of control design and operating effectiveness.

#LI-RZ1