Senior Internal Auditor (IT & Security)

ROLE OVERVIEW

The Senior Internal Auditor - IT & Security plays a pivotal role in strengthening the organization's information security posture and governance framework. Sitting within the Legal, Compliance, Risk & Audit (LCRA) division and reporting directly to the Director of Internal Audit, this position carries two primary mandates: leading the company's ISO/IEC 27001 certification journey and delivering independent, risk-based IT and security internal audits.

Beyond the ISO 27001 remit, the role contributes to the broader internal audit function - executing audits across the approved annual audit plan, managing findings through the audit lifecycle, and supporting cross-functional initiatives including policy reviews, risk assessments, and business continuity planning.

KEY RESPONSIBILITIES

ISO 27001 Certification & Compliance

• Lead and coordinate all activities required to achieve ISO/IEC 27001 certification, acting as the organization's primary subject matter expert throughout the process.
• Conduct gap analyses against the ISO 27001 standard, identifying control deficiencies and defining a prioritized remediation roadmap.
• Design, develop, and implement an Information Security Management System (ISMS) aligned with ISO 27001 requirements.
• Collaborate with IT, Security, HR, Legal, and business unit stakeholders to embed ISMS controls into day-to-day operations.
• Prepare and maintain all mandatory ISO 27001 documentation including the Statement of Applicability (SoA), risk treatment plans, and control policies.
• Liaise with external certification bodies, managing the certification audit process from pre-audit preparation through to successful certification.
• Monitor post-certification compliance and coordinate annual surveillance and recertification audits.

Independent IT & Security Internal Audits

• Plan, execute, and report on independent ISO 27001 internal audits across all applicable departments and business units in accordance with the audit plan.
• Assess the design and operational effectiveness of information security controls, identifying risks, weaknesses, and areas of non-conformity.
• Conduct technical reviews covering areas such as access management, change management, vulnerability management, network security, incident management, and data protection.
• Produce clear, evidence-based audit reports with well-articulated findings, risk ratings, and actionable recommendations.
• Present audit results to process owners and senior management, facilitating understanding and acceptance of findings.

Audit Plan Execution & Departmental Contribution

• Execute or co-lead IT, operational, and compliance audits as defined in the approved annual Internal Audit Plan.
• Participate in integrated audits alongside colleagues covering financial, operational, and regulatory topics.
• Document audit fieldwork, evidence, and conclusions accurately in the internal audit management tool/application in accordance with departmental standards.
• Conduct structured follow-up procedures to track implementation of management action plans and verify that agreed corrective actions have been effectively remediated.
• Maintain an up-to-date audit findings register and provide regular status updates to the Director of Internal Audit.

Cross-Functional Projects & Advisory

• Contribute to company-wide initiatives relevant to Internal Audit, including corporate policy reviews, information security policy updates, and standards alignment.
• Participate in enterprise risk assessment processes, providing IT and security risk perspectives and supporting the maintenance of the risk register.
• Support business continuity planning (BCP) and disaster recovery (DR) reviews, assessing control frameworks and readiness levels.
• Act as an internal advisor on IT security and audit-related matters for project teams, providing control design guidance at appropriate stages.
• Stay current with evolving information security threats, regulatory developments, and audit methodologies, sharing knowledge within the team.

QUALIFICATIONS & EXPERIENCE

Education

• Bachelor's degree in Information Systems, Computer Science, Cybersecurity, Business Administration, or a related field. A Master's degree is an advantage.

Experience

• Minimum 4-6 years of experience in IT audit, information security, or a combined role.
• Proven, hands-on experience with ISO/IEC 27001 - either leading or significantly contributing to a certification project.
• Demonstrated experience conducting internal audits independently, including planning, fieldwork, reporting, and follow-up.
• Familiarity with IT audit frameworks and standards such as COBIT, NIST CSF, ISO 27001/27002, SOC 2, and CIS Controls.
• Experience with GRC or audit management tools and documentation platforms.
• Exposure to business continuity management (BCM/BCP) and disaster recovery frameworks is a plus.

Certifications (Required / Preferred)

SKILLS & COMPETENCIES

Technical Skills

• Deep knowledge of ISO/IEC 27001 and 27002, including Annex A controls and the PDCA implementation cycle.
• Proficiency in risk assessment methodologies applicable to information security.
• Understanding of IT infrastructure domains: networks, cloud environments, operating systems, databases, and application security.
• Ability to review and assess IT general controls (ITGCs), application controls, and cybersecurity controls.
• Proficiency with audit management systems and MS Office productivity tools (Excel, Word, Visio, PowerPoint).
• Familiarity with vulnerability management tools, SIEM platforms, or security assessment tooling is a plus.

Professional & Interpersonal Skills

• Strong analytical and critical thinking skills, with the ability to evaluate complex systems and translate findings into business risk language.
• Excellent written and verbal communication skills; ability to produce professional audit reports and present findings to management.
• High level of personal integrity, independence, and objectivity in all audit-related activities.
• Strong organizational skills with the ability to manage multiple concurrent assignments and meet deadlines.
• Collaborative and approachable, able to build trust with stakeholders at all levels of the organization.
• Self-motivated, adaptable, and proactively engaged with developments in information security and audit practices.

WORKING CONDITIONS

This role is primarily based at the company's main office. Occasional business travel may be required to support multi-site audits, certification activities, or attendance at professional events. The frequency of travel will vary depending on the audit calendar and business needs, and will be agreed in advance.