Chief Information Security Officer

Chief Information Security Officer (CISO) | Driving Secure Digital Healthcare Transformation

The assignment involves supporting the organization in developing, implementing, and maintaining an organization-wide information security policy and management framework. The services are risk-driven and aim to ensure the availability, integrity, and confidentiality of information and critical processes.

General Tasks and Responsibilities

• Developing, maintaining, and improving an Information Security Management System (ISMS).
• Translating relevant laws, regulations, and standards (including NIS2 and ISO/IEC 27001) into concrete security measures.
• Managing and updating the information security policy, guidelines, and standards.
• Supporting the integration of information security within enterprise risk management and internal control systems.
• Advising management on risks, maturity levels, and priorities related to information security.

Risk Management and Compliance

• Establishing and maintaining a central information security risk register.
• Conducting or coordinating periodic risk assessments.
• Monitoring mitigation measures and reporting on residual risks.
• Supporting internal and external audits and compliance processes.

Security Architecture and Operations

• Advising on security architecture for networks, systems, cloud environments, and applications.
• Assessing security designs and changes impacting information security.
• Overseeing logging, monitoring, vulnerability management, and patch management.
• Supporting the development of detection and response mechanisms.

Incident Management and Continuity

• Maintaining an incident response framework and related procedures.
• Advising on the handling of security incidents and coordinating post-incident evaluations.
• Supporting the development and testing of business continuity and disaster recovery plans.

Supplier and Supply Chain Security

• Supporting the assessment of security risks related to external suppliers and service providers, including cloud and SaaS solutions.
• Advising on appropriate security clauses and controls.

Awareness and Training

• Developing a strategic information security awareness program, including awareness campaigns, training sessions, and simulated exercises.

Reporting and Consultation

• Providing periodic reports to management on the status of information security, key risks, incidents, audit findings, and the progress of improvement initiatives.

Scope of Services

The services will be delivered based on an average commitment of 20 hours per week. The planning and specific implementation of activities will be aligned with the organization’s priorities and risks.