ISMS Internal Auditor

Position: ISMS Internal Auditor

Qualification: BE Eng. Graduate

ISMS Internal Auditor or ISMS Lead Auditor certified

Experience: 5-10 years of working experience in ISMS management system implementation in IT

Job Purpose/Summary:

• Reporting to the Head of IT Operations and liaising with the Head of Infrastructure, the Information Security Manager will be responsible for maintaining Information Security policies and controls, in addition to application, infrastructure and network security reviews of local and national operations to ensure the security of all Information Security assets within the SOBHA LTD.
• The Information Security Internal Auditor will be involved with the prevention, identification and detection of IT and information security risks over the entire business environment supporting the companys operations and key processes.
• The Information Security Internal Auditor will have ownership and overall control of the ISMS process.
• The Information Security manager will also be responsible for discussing the control weaknesses noted from the Information Security audits to local and/or senior management and develop recommendations to address them.

Main Accountabilities/Purpose Information Security Management System (ISMS)

• Execute audits efficiently including analysis of business data and IT systems by liaising with the IT and other departments and/or as standalone technical reviews.
• Support and manage the on-going ISO 27001 audit activities including preparation for the annual audit by Certification Body.
• Assist the Head of IT Operations, Infrastructure Manager and the Head of Risk with the planning and scoping of audits.
• Complete assigned tasks within specified times and provide concise and timely updates to the management.
• Support, manage and enhance the ISMS system including scheduling of audits, Conducting as per schedule, Audit Closure reviews and MRM process execution.
• Carry out a continual improvement process with risk assessments in both methodology and scope by testing and evaluating operational & IT processes and the effectiveness of existing controls (encompassing policies, procedures and standards).
• Identify and clearly define control issues, including root causes. Review and evaluate the adequacy of internal controls and compliance with IT security policies and procedures.
• Develop and review policies, controls and standards where appropriate.
• Develop and monitor the Information Security audit schedule.
• Regularly interact and communicate with management to discuss the present audit results, gain acceptance and provide advice to remedy the audit issues or weaknesses discovered.
• Standardise the reporting format so audit results are communicated to senior management in a consistent fashion.
• Develop and maintain professional, credible relationships with key stakeholders (IT, Business & Risk) including relevant third parties and strategic suppliers.
• Complete security audits on third parties.

Other responsibilities

• Assist with Business Continuity Planning
• Training staff on network and information security procedures.
• Raising awareness of need for information security within the business.
• Assist on information security requirements for IT and Onsite projects and provide a risk assessment.
• Be responsible for completing all mandatory training and to do so within required timescales

Management and Planning

• Reviews, approves and directs metrics used for measuring and improving the performance of the Information Security Management System.
• Monitors related industry trends, technological developments and emerging practices in the IT industry and business in anticipation of changing investor and internal needs and best practice.
• Liaises with the IT Infrastructure HOD, Head of IT Operations, Head of Facilities, and Risk to provide auditing support, security reviews and / or assist in the escalation of information breaches.
• Supervises and participates in on-going work by assisting IT in the generation of policies and procedures and maintaining a central, accessible repository of these documents.
• Provides ad hoc training for IT Staff and other departmental staff where appropriate.