railcube

Information Security Officer

Netherlands · Full-time · Mid-Senior

The Information Security Officer (ISO) is responsible for establishing, implementing, and maintaining the company’s Information Security Management System (ISMS) in compliance with ISO/IEC 27001 and other relevant security standards tailored to our company’s size and industry. The ISO ensures that the company’s information assets are adequately protected by identifying, assessing, and mitigating security risks. The role involves collaborating with various departments to ensure compliance with legal, regulatory, and company security policies.

Key Responsibilities:

  • Develop Information Security Management System (ISMS):
      • Implement, maintain, and continually improve the company’s Information Security Management System (ISMS) aligned with the company’s goals and objectives based on ISO/IEC 27001 and other applicable frameworks.
  • Risk Management:
      • Identify, assess, and manage security risks related to the SaaS platform and internal operations.
      • Conduct regular security risk assessments and audits to identify vulnerabilities and areas for improvement.
      • Develop and implement risk mitigation strategies to reduce identified risks completely or to acceptable levels.
      • Ensure that security risks are communicated to senior management with recommendations for action.
  • Compliance and Governance:
      • Ensure compliance with relevant information security regulations, standards, and best practices (e.g., GDPR, HIPAA, ISO/IEC 27001, NIS2).
      • Monitor and report on compliance with information security policies and procedures.
  • Security Operations:
      • Prepare and manage internal and external audits, including ISO 27001 certification audits, and ensure continuous compliance with audit requirements.
      • Oversee the day-to-day operations of the information security measures, including monitoring and responding to security incidents.
      • Work closely with the development and IT teams to embed security best practices in the software development lifecycle (DevSecOps) and cloud infrastructure management (firewalls, intrusion detection/prevention systems, encryption solutions, and antivirus programs).
      • Coordinate and conduct vulnerability assessments and penetration testing.
      • Collaborate with key clients, particularly large railway undertakings, to address specific security requirements and ensure trust in the security posture of our SaaS product.
  • Incident Response:
      • Lead the ‘project’ in the event of a security breach, including investigation, containment, and recovery.
      • Develop and maintain an incident response plan, ensuring all relevant personnel are trained and aware of their roles.
      • Conduct post-incident analysis and reporting to identify root causes and improve future response efforts.
  • Security Awareness and Training:
      • Develop and deliver security awareness programs and training sessions for employees.
      • Ensure that all employees are aware of their roles and responsibilities in protecting company information.
      • Promote a culture of security awareness across the organization.
  • Vendor and Third-Party Management:
      • Assess the security posture of third-party vendors and partners.
      • Ensure that third-party agreements include appropriate security requirements.
      • Monitor and review third-party security practices regularly.

Qualifications

Education:

  • Bachelor’s degree in Information Security, Computer Science, Information Technology, or a related field.
  • Master’s degree or relevant certifications are highly desirable.
  • Relevant certifications such as SOC2, CISM, CISSP, ISO 27001 Lead Auditor/Implementer, or CRISC are a strong plus.

Experience:

  • 5+ years of experience in information security, with a focus on software or SaaS environments. Experience working with large enterprises, government entities, or critical infrastructure providers is highly desirable. Experience in developing and implementing security strategies, policies, and procedures.
  • Proven experience in risk management, incident response, and security operations. Experience managing and working with an Information Security Management System (ISMS).

Skills and Competencies:

  • Strong knowledge of information security frameworks and standards (e.g., ISO/IEC 27001, NIST).
  • Excellent understanding of security technologies (e.g., firewalls, IDS/IPS, encryption, SIEM).
  • Strong analytical and problem-solving skills.
  • Excellent communication and interpersonal skills, with the ability to communicate security-related concepts to both technical and non-technical audiences.
  • Ability to work under pressure and handle multiple priorities.


About Us

From four locations, Paris (France), Porto (Portugal), Sydney (Australia), Rotterdam (the Netherlands) and most recently Minneapolis (USA) (Spark TS), CRX Software builds, delivers and supports an intuitive and innovative ERP solution called RailCube for the railway industry. RailCube targets railway companies seeking reliable operations management and the highest safety standards. Our goal is to enhance operations by continuing to develop intuitive and innovative features, resulting in more efficient and improved business processes for our clients. Hosted in Microsoft Enterprise Cloud (Azure), the RailCube solution fosters scalable technology that streamlines business processes for our clients. Given our recent growth, we aim to enhance our Information Security Management System (ISMS) to better serve both existing and new clients while meeting increasingly stringent regulatory requirements.

Posted: Sep 04, 2025
Type: Full-time
Level: Mid-Senior
Location: Rotterdam
Company: railcube
Industries: Business Consulting Services
Categories: Information Technology, Accounting/Auditing
