The role is responsible for supporting and maintaining the organization's cybersecurity governance, risk and compliance posture across applicable regulatory and industry frameworks.
Job Responsibilities
- Conduct and support cybersecurity / information security risk assessments, including asset and threat identification, vulnerability and likelihood/impact analysis, risk scoring, and the development of risk treatment plans aligned to the organization's information security risk management methodology.
- Maintain the information security risk register, track risk treatment progress and residual risk, and monitor open and overdue high-risk items against board-approved remediation timelines.
- Support the design, maintenance, and continual improvement of the Information Security Management System in line with ISO/IEC 27001:2022, including the Statement of Applicability, risk treatment plans, and management review inputs.
- Coordinate and prepare for internal and external audits and certification engagements (e.g., ISO 27001:2022, SOC 2 Type II), including evidence collection, control walkthroughs, gap remediation tracking, and auditor liaison.
- Support SOC 2 Type II readiness specifically, including defining the observation period, ensuring controls operate consistently over that period, and assembling operating-effectiveness evidence (not just design).
- Map and maintain control crosswalks across multiple frameworks (ISO 27001, SOC 2 Trust Services Criteria, NIST CSF 2.0, NIST SP 800-53/800-63B) and applicable regulations to avoid duplication and surface gaps.
- Monitor compliance against BSP regulatory requirements (e.g., Circular 982, Circular 808, MORB technology and information security provisions) and, where relevant, Insurance Commission expectations, and track remediation of findings against board-approved timelines.
Job Qualifications
- Bachelor's degree in Information Technology, Computer Science, Information Security, Accounting/Audit or a related field.
- 3–5 years of hands-on experience in cybersecurity compliance, IT audit, GRC, or information security risk management, ideally within a regulated industry (financial services preferred).
- With hands-on experience conducting cybersecurity / information security risk assessments — asset/threat identification, risk scoring and risk treatment planning.
- With demonstrated working knowledge of ISO/IEC 27001:2022 (ISMS), SOC 2 Type II and NIST frameworks (CSF and/or SP 800-series) including audit and certification lifecycles.
- Has practical audit and compliance background: experience preparing for or supporting audits, managing evidence and tracking remediation including familiarity with the operating-effectiveness testing that distinguishes SOC 2 Type II from Type I.
- With strong documentation skills with precise, source-grounded citation of standards and regulations.
- With excellent analytical, communication and stakeholder-management skills.