Senior Governance, Risk and Compliance (GRC) Specialists

Job Description

Cyber Security GRC (Governance, Risk and Compliance) unit plays a crucial role embedding defined standards and regulatory frameworks within information and IT security to H&M Group, as well as ensuring risk supervision and business continuity. This includes e.g. a responsibility for auditing compliance, as well as overseeing the identification, assessment and mitigation of technology and cyber security risks.

We work determinedly within the following areas:

Governance: Ability to build a structured way of working with cyber security by aligning processes and functions in order to achieve organizational objectives and improve the security culture.

Risk: Ability to identify, address, assess, mitigate and follow-up on cyber security and technology risks.

Compliance: Ability to meet global and local existing and new laws, standards and other regulatory requirements within cyber security.

Resilience: Ability to continue delivering intended outcomes despite experiencing challenging cyber events.

We collaborate closely with other departments within the organization and constantly commit to enhancing our services and processes.

Our goal is to have a unified, systematic and risk-based way of working that helps H&M Group to reach a robust and resilient cyber security that comply to all applicable regulations. The benefits include e.g. reduced costs, less duplicate work, greater visibility into risks, increased data accuracy and consistency, and more alignment across stakeholders.

For the GRC unit, we are looking for four new senior team members with the following focus areas. In this role, you will report directly to the Unit Manager for Cyber Security GRC.

Risk Officer:

Strategically responsible for keeping H&M Group’s Cyber Security Risk Management Framework up to date on a global market, as well as driving the continuous risk work on an enterprise and operational level within BT Cyber Security.

Compliance Officer:

Strategically responsible for keeping H&M Group’s Cyber Security Common Control Framework (CCF) and its related exception and exemption management processes up to date for all applicable markets, as well as strategically designing the annual Audit Plan and Program for H&M Group and our vendors.

Resilience Officer:

Strategically responsible for keeping H&M Group’s Cyber Security Resilience Work up to date for all applicable parts of the organization, including a systematic risk-based approach with Business Continuity, Disaster Recovery and Crisis & Incident Management.

GRC Officer:

Working within all GRC areas, assisting in the day-to-day work as well as with specific improvement initiatives and projects.

All four roles are expected to:

• Defining policies, processes and procedures, as well as creating and maintaining instructions, guidelines and templates.
• Closely collaborating with internal and external stakeholders within the area of responsibility.
• Incessantly looking for opportunities to introduce more effective and efficient controls and ways of working within cyber security.

Qualifications

You must be an expert with 5-10 years of experience within cyber security in general and/or GRC-related work in specific. This includes e.g. having documented knowledge for the focus area that you’re applying to:

Risk Officer:

Implement risk management associated with cyber security, including identification, analyses and mitigation plans on both an enterprise and operational level.

Compliance Officer:

Comply with legal requirements, best practices and standards associated with cyber security, and work with Qualified Security Assessors (QSA) and auditors.

Resilience Officer:

Build a robust and resilient cyber security environment with the help from business continuity and disaster recovery strategies as well as expedient incident and crisis management systematics.

GRC Officer:

A general experience from GRC-related work tasks.

To succeed in the role, we see that you have:

• Strong experience in helping a global organization to adopt a robust, resilient and maintainable approach to modern tech or cyber security.
• Very high knowledge of legal regulations, international standards and best practice within cyber security risk management, such as ISO 27000/22301/31000, NIST 800, PCI-DSS, GDPR, NIS2, DORA.
• Strong experience of implementing and operating cyber security focused controls.
• Strong experience of working within Qualified Security Assessors (QSA) and auditors to deliver useful independent audits of an organization or division.
• You must be a great team player, as this role works closely with several internal and external stakeholders.

Skill requirements:

We use the Chartered Institute of Information Security (CIISEC) roles framework. You can find out more about the skills and levels on their website (www.ciisec.org):

• Governance (5<)
• Legal & regulatory environment & compliance (5<)
• Policy & standards (5<)
• Information risk management (5<)
• Risk assessment (5<)
• Incident management, incident investigation & response (5<)
• Innovation & business improvement (5<)
• Communication & knowledge sharing (5<)

To stand out, we believe you have some of the following skills/ qualifications:

• Information security strategy (5<)
• Business skills (5<)
• Management, leadership & influence (5<)
• Behavioral change (5<)
• Third party management (5<)

Additional Information

Apply by sending in your CV in English as soon as possible. Due to data policies, we only accept applications through career page.