Your area of work:
The Chief ICT Risk Office / CISO department combines IT & IS Risk Management in the 2nd Line of Defense (LoD). Its mandate is to:
Define ICT risk governance and framework.
Set control objectives, review methodology, and risk assessment methodology.
Conduct independent oversight of 1st LoD IT and IS controls.
Monitor and report on ICT risk levels.
Drive transformation and collaboration across the organization.
You will ensure continuous monitoring and oversight of ICT risk to provide reasonable assurance that ICT controls are properly designed, implemented, and operating effectively.
Your responsibilities:
Plan & Prepare – Develop annual/multi-year assurance plans, define scope, and prepare workbooks with control requirements and test steps.
Assess & Monitor – Perform Test of Design (ToD) and Test of Implementation (ToI) for ICT controls; test operating effectiveness (ToE) using inquiry, observation, inspection, and re-performance.
Request evidence – Collect and analyze evidence (policies, procedures, system configs, logs); escalate delays when needed.
Report & Communicate – Document observations and improvement opportunities; share preliminary results for validation; deliver structured reports with severity ratings and remediation timelines.
Follow-up & Track – Monitor remediation progress, escalate overdue items, validate closure evidence, and update status reports.
Continuously Improve – Enhance methodologies, templates, and processes; ensure alignment with regulatory requirements (e.g., DORA) and internal frameworks.
Your profile:
University degree (Bachelor/Master) in IT, Information Security, Risk Management, or related field.
Minimum 2 years of experience in IT/Information Security, ideally in internal/external audit, second-line assurance, or control implementation roles.
Experience in the financial sector, preferably within EU-regulated environments; familiarity with BAIT, MaRisk, CSSF, and DORA is a plus.
Strong understanding of ICT risk frameworks, control design and implementation principles, and the Three Lines of Defense model.
Familiarity with common IT standards (CSA-CCM, COBIT, BSI Grundschutz, ITIL, ISO/IEC 27000 series).
Professional certifications such as CISA, CISM, CISSP, CEH, or CIA are preferred.
Ability to apply assurance techniques (inquiry, observation, inspection, re-performance) and sampling methodologies.
High analytical skills and conceptual thinking; ability to interpret complex technical and regulatory requirements.
Strong interpersonal and communication skills for engaging senior stakeholders.
Experience in Cloud Security, Network Security, Vulnerability Management, Security Information and Event Management (SIEM), Privileged Access Management (PAM), Threat Intelligence, Incident Response, or related domains is an advantage.
Excellent English (written and spoken); German is an advantage.