
Senior Information Security Leader and Auditor

Location:
New Delhi, Delhi, India
Posted:
December 10, 2025


Resume:


Tanmay Kumar Kundu

CISSP®, CISM®, CEH®, CISA Qualified, Six Sigma Black Belt

Lead Auditor: ISO 27001 (ISMS), ISO 9001 (QMS), ISO 22301 (BCMS)

Lead Implementer: ISO 27001 (ISMS), ISO 27017, ISO 27701 (PIMS)

E-Mail: ******.*********@*****.***

Contact No.: +91 – 931*-***-***

Professional Summary

Dynamic Regional Information Security Officer with 17+ years of experience driving information security programs across diverse industries and sectors, including advertising, Big-4 consulting, IT/ITES, background screening, due diligence services, and reverse logistics. Proven ability to develop and implement robust security strategies that align with business goals, mitigate risks, and ensure regulatory compliance. Expert in building security capabilities, leading cross-functional teams, and fostering a culture of security awareness and business continuity. Skilled communicator adept at simplifying complex security concepts for stakeholders and securing executive support. Experienced in designing and implementing solutions in line with international standards, including ISO 27001, ISO 9001, and ISO 22301. Committed to continuous improvement and innovation in security practices to protect critical assets and drive organizational success.

Skill Set

• CISSP, CISM, CEH

• ISO 27001 (ISMS), ISO 27002, SOC 2

• ISO 27005 (InfoSec Risk Management)

• ISO 31000 (Enterprise Risk Management)

• ISO 22301 (BCMS)

• ISO 27018 (Protection of PII in Cloud)

• ISO 27701 (PIMS)

• ISO 9001 (QMS)

• ISO 27004 (Monitoring & Measurement)

• ISO 27017 (Cloud Services)

• OHSAS 18001

• Six Sigma Black Belt and Green Belt

• Program Management, Corrective Actions

• Quality Management System

• Continual Improvement

• Visualization and Data Analysis

• RSA eGRC Archer, ServiceNow

• Information Security Strategy and Alignment

• Risk Management, Governance and Compliance

• Vulnerability & Pen-Test Management (VAPT)

• Third-Party Risk Management

• Stakeholder and Client Management

• Leadership, Skill Building & Development

• Security Awareness and Training

• Monitoring, Measurement, Improvements

• Managing External & Internal Audits

• Managing Audit Findings, RFIs & RFQs

• Handling RCA (Root Cause Analysis)

• Data Protection, DLP

• Consulting, Service Delivery

• CE & CE+ Attestation

• Agile and Waterfall Methodologies

• Statistical Analysis, QC Tools

• GDPR, NIST 800-53

Professional Certifications

Information Security Certifications:

• CISSP® from (ISC)2

• CISM® from ISACA

• CEH® from EC-Council

• CISA Certificate of Continuing Education Completion from Cybrary

• Cloud Computing Certificate of Continuing Education Completion from Cybrary

• PCI DSS for Corporates from Udemy

ISO Lead Auditor International Certifications (IRCA Approved):

• ISO/IEC 27001:2013 (Information Security Management System) from BSI.

• ISO 9001:2015 (Quality Management System) from INTERTEK.

• OHSAS 18001:2007 (Occupational Health & Safety) from INTERTEK.

• ISO 22301:2019 (Business Continuity Management System) from INTERTEK.

ISO Lead Implementer Certifications:

• ISO 27701:2019 (Privacy Information Management System) from EYCP.

• ISO 27017:2015 (Code of Practice for Info. Security Controls for Cloud Services) from EYCP.

Statistical and Process Improvement Certifications:

• Six Sigma Black Belt (certified) from Advance Innovation Group, Noida.

• Six Sigma Green Belt (certified) from Indian Statistical Institute (ISI), Delhi.

Microsoft Certification:

• Microsoft Certified: Azure Fundamentals (AZ-900)


Work Experience

Omnicom Media Group (OMG)

Designation: Regional Information Security Officer (RISO) – APAC

Tenure: Sep’2023 – Till Date

Key Responsibilities:

• Security Strategy: Lead and guide the organization and stakeholders in defining and implementing a robust security strategy and vision aligned with business objectives.

• Risk Management: Establish and drive effective risk management practices to protect information and assets.

• Risk Mitigation: Guide teams in developing and implementing effective risk mitigation strategies and controls.

• Develop Security Standards: Implement and maintain security models and standards, including ISO 27001 and SOC 2, ensuring continued relevance and compliance.

• Cross-Departmental Leadership: Provide leadership and guidance to departments such as Security, IT, HR, and Administration to enhance security efforts.

• Policy Enforcement: Oversee the development and enforcement of security policies, standards, and procedures organization-wide.

• Promote Security Culture: Foster a security-centric culture through regular security awareness initiatives, training and educational programs for all employees.

• Vulnerability Management: Oversee vulnerability management and remediation efforts to strengthen the organization’s defenses.

• Monitoring and Improvement: Develop an effective monitoring framework and drive continual improvements in security practices.

• Team Development: Lead and develop the security team, promoting a culture of security awareness and professional growth.

• Business Continuity Management: Ensure that appropriate business continuity plans are established and maintained to ensure resilience and swift recovery in the event of disruptions.

• Incident Management: Oversee incident management and response plans to effectively recover from security breaches and incidents.

• Third-Party Risk Assessment: Manage and assess risks associated with third-party vendors to ensure appropriate mitigation.

• Audit Management: Coordinate and manage internal and external audits to evaluate the effectiveness of security controls and ensure compliance with regulations and standards.

• Regulatory Compliance: Ensure compliance with relevant information security regulations and standards.

• External Relations: Maintain strong relationships with external auditors, certification bodies, and regulatory agencies.

• Executive Communication: Provide regular updates to executive management and the board of directors on the health of the Information Security Management System (ISMS).

• Stakeholder Communication: Effectively communicate security risks, strategies, and initiatives to executive leadership and other stakeholders.

EY (Ernst & Young)

Designation: Manager – Information Security

Tenure: Dec’2014 – Sep’2023

Key Responsibilities:

• Global Security Leadership: Directed initiatives as program manager, management advisor, and solution architect for international standards such as ISO 27001 and ISO 9001, risk management, external VAPT, and other security frameworks.

• Framework Development: Designed, customized, and enhanced information security frameworks for EY Global Offices and Member/Partner firms, ensuring compliance with ISO 27001, ISO 27005, ISO 31000, ISO 27017, etc.

• Governance, Risk & Compliance: Collaborated with CXOs to create and implement Governance, Risk, and Compliance (GRC) models aligned with organizational objectives.

• Risk Management Expertise: Led the Global Information Security Risk Management function, implementing and improving risk management strategies based on ISO 27001, ISO 31000, and ISO 27005.

• Stakeholder Engagement: Conducted comprehensive risk assessments, advised on mitigation strategies, and defined key performance indicators (KPIs) and information security objectives.

• Audit Management: Managed external, internal, and client audits, facilitating corrective actions and root cause analyses (RCAs) to address audit outcomes and findings.

• Continual Improvement: Spearheaded management reviews, training programs, and Business Continuity Management (BCM)/Business Continuity Planning (BCP) efforts.

• Vulnerability Management: Oversaw External VAPT programs for networks and applications, enhancing security posture.

• Performance Reporting: Delivered regular updates on ISMS health, risks, controls, and KPIs to stakeholders for informed decision-making.

• Client and Vendor Relations: Managed RFIs/RFQs and fostered strong relationships through effective onboarding and ongoing engagement.

• Training and Awareness Programs: Developed and implemented training initiatives to bolster employee security awareness and culture.

• Third-Party Coordination: Liaised with certification bodies for external audits and managed vendor security assessments and quality evaluations.

• Tool and Methodology Development: Tailored tools and methodologies to align with business needs, utilizing GRC Archer to automate risk management processes.

• Framework Proficiency: Knowledgeable in SOC 2, DLP, Cyber Essentials (CE, CE+), and NIST frameworks, ensuring compliance with client requirements.

Compunnel Technology/InforPro India Pvt. Ltd.

Designation: Manager – Total Quality Management

Tenure: Sep’2010 – Oct’2014

Key Responsibilities:

• Leadership Roles: Served as Management Representative, Information Security Manager, and Solution Architect for the ISO 9001 and ISO 27001 standards.

• Framework Implementation: Implemented and managed the ISO 9001 and ISO 27001 frameworks to ensure organizational compliance with Quality and Information Security Management Systems.

• Risk Management: Conducted risk assessments and drove risk treatment plans to support business operations and functions.

• Audit Management: Led internal audit programs and managed ISO external and client audits, addressing findings with corrective actions and continuous improvement initiatives.

• Business Continuity: Drove the Business Continuity Program (BCP), overseeing change management and conducting root cause analyses.

• Documentation Control: Created and maintained ISO documentation for both ISO 9001 and ISO 27001 standards, ensuring accuracy and compliance.

• Customer Engagement: Led customer satisfaction survey programs to gather and communicate the voice of the customer to management.

• Data-Driven Improvements: Identified and implemented improvements through gap analysis, data analysis, and trend analysis.

• Quality Initiatives: Utilized Six Sigma, Minitab, and various quality tools for problem-solving and quality initiatives.

• Collaboration with Auditors: Collaborated with certification bodies and external auditors on certification programs and audit processes.

• Process Design: Designed and updated process flow diagrams and process mapping for new and existing services to enhance efficiency.

• Process Monitoring: Ensured effective process adherence through regular monitoring, reporting, and audits, keeping management informed about the health of ISMS and QMS.

• Training and Awareness: Conducted awareness programs on ISO implementation, information security, and quality management; facilitated training programs for process compliance and internal auditors.

• Agile Implementation: Successfully implemented Agile software development processes to improve project efficiency and team collaboration.

AuthBridge Research Services Ltd.

Designation: Senior Executive – Compliance

Tenure: Oct’2009 – Aug’2010

Key Responsibilities:

• Implementation, management, and compliance of the ISO 9001 and ISO 27001 standards.

• Handling External & Internal audits.

• Handling Management Representative responsibilities.

• Handling process improvements and customer satisfaction surveys.

• Conducting training such as ISO awareness and compliance.

Aforeserve.com Ltd.

Designation: Engineer – Quality & Process

Tenure: Aug’2008 – Sep’2009

Key Responsibilities:

• Implementation, management, and compliance of the ISO 9001 standard.

• Heading QC department.

• Handling external audits and conducting internal audits.

• Conducting ISO awareness training.

• Handling all MR (Management Representative) activities for the ISO 9001 standard.

RT Outsourcing Services Ltd.

Designation: Quality Analyst

Tenure: July’2007 – Aug’2008

Key Responsibilities:

• Involved in ISO 9001 compliance.

• Executing quality control checks and audits.

• Involvement during External & Internal audits.

• Involvement in ISO awareness training.

• MIS and quality reporting for the team.

• 5S and Kaizen activities and awareness.

Technical Tools

• eGRC Archer • MindManager • SharePoint • Minitab

• Advanced Excel • MS PowerPoint • MS Project • MS Visio

Academics

• M.B.A. (distance learning) specialized in Production & Quality Management from Annamalai University, Chennai, India (graduated in 2010).

• B.E. (full time) in Electronics & Communication from Maharishi Dayanand University, Haryana, India (graduated in 2007).

• 12th (PCM/Non-Medical) and 10th (General) from D.A.V. Public School, Faridabad, Haryana, India, affiliated to CBSE (completed in 2002 and 2000 respectively).

Professional Achievements

• Project Delivery: Successfully delivered 50+ projects on ISO 27001 and ISO 9001 standards, encompassing initial certification, re-certification, and continuous assessment audits.

• Internal Audit Experience: Conducted over 600 person-days of internal audits for ISO 9001 and ISO 27001 standards, ensuring compliance and continuous improvement.

• Recognition and Awards: Awarded the ‘Extra Miler’ achievement award at EY within a year of joining for exceptional contributions.

• Framework Development: Developed a scalable ISO 27001 framework product for implementation across EY and its global offices, requiring minimal customization.

• Management Roles: Achieved the roles of ‘Management Representative’ for ISO 9001 and ‘Information Security Manager’ for ISO 27001 within three years of starting my professional career.

• Outstanding Performance: Recognized as ‘Best Debutant’ within two months at AuthBridge Research Services Ltd. for exemplary performance.

• Top Performer Recognition: Acknowledged as ‘Best Performer’ within three months at RT Outsourcing Ltd. for outstanding contributions to the team.

Personal Dossier

Year of Birth : 1984

Nationality : Indian

Valid Passport : Yes

Current Location : Delhi/NCR, India

Languages known : English, Hindi

Interests : Travelling, Photography, Listening to Music
