Chief Information Security Officer (CISO) | Driving Secure Digital Healthcare Transformation
The assignment involves supporting the organization in developing, implementing, and maintaining an organization-wide information security policy and management framework. The services are risk-driven and aim to ensure the availability, integrity, and confidentiality of information and critical processes.
General Tasks and ResponsibilitiesDeveloping, maintaining, and improving an Information Security Management System (ISMS).Translating relevant laws, regulations, and standards (including NIS2 and ISO/IEC 27001) into concrete security measures.Managing and updating the information security policy, guidelines, and standards.Supporting the integration of information security within enterprise risk management and internal control systems.Advising management on risks, maturity levels, and priorities related to information security.Risk Management and ComplianceEstablishing and maintaining a central information security risk register.Conducting or coordinating periodic risk assessments.Monitoring mitigation measures and reporting on residual risks.Supporting internal and external audits and compliance processes.Security Architecture and OperationsAdvising on security architecture for networks, systems, cloud environments, and applications.Assessing security designs and changes impacting information security.Overseeing logging, monitoring, vulnerability management, and patch management.Supporting the development of detection and response mechanisms.Incident Management and ContinuityMaintaining an incident response framework and related procedures.Advising on the handling of security incidents and coordinating post-incident evaluations.Supporting the development and testing of business continuity and disaster recovery plans.Supplier and Supply Chain SecuritySupporting the assessment of security risks related to external suppliers and service providers, including cloud and SaaS solutions.Advising on appropriate security clauses and controls.Awareness and TrainingDeveloping a strategic information security awareness program, including awareness campaigns, training sessions, and simulated exercises.Reporting and ConsultationProviding periodic reports to management on the status of information security, key risks, incidents, audit findings, and the progress of improvement initiatives.