Consultant for Information Systems Governance, Risk Management and Compliance Audit

International Civil Aviation Organization (ICAO)

June 12, 2025; June 16, 2025; Montreal, Canada
Job Description
Job Posting Organization:
The International Civil Aviation Organization (ICAO) is a specialized agency of the United Nations established in 194. It is funded and directed by 193 national governments, which work together to support their diplomacy and cooperation in air transport as signatory states to the Chicago Convention. ICAO's mission is to serve as the global forum for States in international civil aviation, developing policies and standards, conducting compliance audits, performing studies and analyses, and providing assistance to build aviation capacity. The organization operates globally, with a focus on enhancing the safety, security, and efficiency of international air transport.

Job Overview:
The consultant will play a crucial role in auditing Information Systems Governance, Risk Management, and Compliance (GRC) at ICAO. This position involves evaluating the adequacy and effectiveness of the organization's Information Systems governance framework and assessing the alignment between information security governance and the ICT strategy. The consultant will also assess the effectiveness of ICT risk management processes, internal controls, and compliance with regulatory requirements. The work will adhere to the Global Internal Auditing Standards, ensuring a systematic and disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

Duties and Responsibilities:
The consultant will be responsible for conducting a comprehensive audit of information security, which includes several specific tasks:
  • Network Security Assessment: Evaluate the security of the organization's network infrastructure, including firewalls and intrusion detection/prevention systems.
  • Network Segmentation and Traffic Monitoring: Assess the effectiveness of network segmentation strategies and traffic monitoring controls.
  • Remote Access Security: Evaluate the security of remote access mechanisms, ensuring secure connectivity for remote users.
  • Patching and Vulnerability Management: Assess the organization's processes for managing vulnerabilities and deploying security patches.
  • Incident Response and Business Continuity: Evaluate the adequacy of the incident response plan for handling security breaches.
  • Integration with Business Continuity and Disaster Recovery: Assess the integration of information security into business continuity plans.

The consultant will also conduct fieldwork, collect and analyze documents and data, and conduct interviews to support the audit findings. This includes preparing working papers and maintaining effective communication with the audit focal point.

Required Qualifications:
Candidates must possess an advanced level university degree (Master's degree or equivalent) in Information Security, ICT, risk management, or related areas, supplemented with one or more professional certifications such as CISSP, CISM, CISA, CEH, or equivalent. A first-level university degree combined with additional years of qualifying experience may be accepted in lieu of the advanced degree. Essential qualifications include a minimum of 10 years of professional experience in auditing or managing IS/InfoSec Governance, information security, risk management, and information security controls. Strong knowledge of frameworks such as ISO/IEC ISMS 27001, NIST 2.0, and COBIT is required, along with practical experience in network security and incident response.

Educational Background:
An advanced level university degree (Master's degree or equivalent) in Information Security, ICT, risk management, or related areas is required. Candidates with a first-level university degree and additional qualifying experience may also be considered. Professional certifications such as CISSP, CISM, CISA, CEH, or equivalent are highly desirable and will enhance a candidate's qualifications for this position.

Experience:
Candidates should have a minimum of 10 years of professional experience in auditing or managing Information Security and Governance. This includes experience in information security management, risk management, and controls such as vulnerability assessments and network controls. Experience in report writing and excellent communication skills are essential. Desirable experience includes holding a Lead Auditor certification in ISO/IEC 27001 or equivalent and working at a management level or in an advisory capacity in information security and risk management.

Languages:
Fluent reading, writing, and speaking abilities in English are essential for this position. A working knowledge of any other language of the Organization, such as Arabic, Chinese, French, Russian, or Spanish, is considered desirable and may enhance a candidate's profile.

Additional Notes:
The consultant will be expected to adhere to the highest ethical standards and sign a Code of Conduct and an individual declaration of independence upon acceptance of the assignment. The audit will be conducted in accordance with Global Internal Auditing Standards. The selected consultant is expected to be employed from July 1 to July 31, 2025, for a total of 20 working days. Interested candidates must complete an online application form through ICAO's e-Recruitment website. ICAO does not charge any fees or request money from candidates at any stage of the selection process.