MTIT/CISG SSA – Information Security GRC Specialist

Vienna, Austria
Remuneration: negotiable
Expires in 3 weeks

Organizational Setting

The Division of Information Technology provides support to the IAEA in the field of information and communication technology (ICT), including information systems for technical programmes and management. It is responsible for planning, developing, and implementing an ICT strategy, for setting and enforcing common ICT standards throughout the Secretariat and for managing central ICT services. The IAEA’s ICT infrastructure comprises hardware and software platforms, and cloud and externally hosted services. The Division has implemented an IT service management model based on ITIL (IT Infrastructure Library) and Prince2 (Projects in a Controlled Environment) best practices.

Main Purpose

The Information Security Management System (ISMS) is a set of policies and procedures for systematically managing the information security risk of Agency information assets. The Agency ISMS is certified under ISO/IEC 27001:2022. To maintain and increase the maturity of the Information Security Programme at the IAEA, it is imperative to ensure that a comprehensive and robust Governance, Risk, and Compliance (GRC) framework is in place. This initiative is necessary to ensure that information security standards and governance, set within the risk management framework, underlie critical business processes and assure confidentiality, integrity, and availability across the Agency.

Functions / Key Results Expected

  • Under the supervision of the Chief Information Security Officer (CISO), align information security strategies with organizational objectives within established and relevant regulatory frameworks. Assist with defining IT security governance objectives, identifying relevant roles and responsibilities, and recommend target objectives for the development of policies and procedures, implementing controls, and monitoring and reporting. Assist with the establishment of project goals, objectives, timelines, and reporting milestones in relation to identified GRC implementation strategies.
  • Analyse current and relevant policies, processes, and standards, and collaborate with relevant stakeholders to identify gaps in information security policies, processes, and standards. Generate recommendations and strategies for filling gaps in policies, processes, and standards. Draft language for existing and/or create new policies, processes, and standards, as applicable.
  • Support decision-making processes by providing actionable data-driven recommendations derived from thorough analyses, evidence-based research, and collaborations with relevant stakeholders. Generate statistical analyses, flow charts, decision-trees, and/or any relevant visual processes to complement presentations to management/leadership.
  • Assist with the implementation of information security GRC principles within the Information Security Roadmap. Liaise with stakeholders and business units to derive value-impact assessments of information security GRC implementation.
  • Assist with establishing frameworks for implementation of controls, monitoring and reporting, and development of Key Performance Indicators (KPIs) and other relevant metrics to assess effectiveness of GRC implementation.

Knowledge, Skills and Abilities

Required

  • Project Management
  • Information Governance

Assets

  • Persuasion and influencing
  • Analytical thinking

Qualifications and Experience

  • University Degree in Information Security, Information Management, Computer Information Systems, Risk Management, or a related field (four additional years of experience may be considered in lieu of a University Degree).
  • Non-Degree Programme: accredited CISA certification, or any other related certification (such as CISSP or CISM), is considered an asset.
  • Minimum of five years of experience with Information Security, Governance, Risk Management, Compliance, Auditing or a related field.
  • Minimum of two years of experience working with the development of policies and standards.
  • Proven experience with project management, planning, coordination, and implementation.
  • Proven experience with and knowledge of presenting data visualisations, strategies, roadmaps, and best practices to communicate effectively.
  • Ability to work independently and self-initiate relevant tasks.
  • Excellent communication skills to convey complex findings to both technical and business executives.

Remuneration

The remuneration for this consultancy is a daily fee of up to a maximum of € 375, based on qualifications and experience. In case duty travel is required within the assignment, a daily subsistence allowance (DSA) and travel costs are provided. Health coverage and pension fund are the responsibility of the incumbent.

UN Jobline