Information Security Officer

The person who runs ICT infrastructure and the person who independently tests whether ICT controls are working need to be different people. In this role, you own the ISMS, carry ISO 27001 and DORA compliance forward, and serve as the independent challenge function for all ICT risk at Blockrise 
 
You will have direct access to the Board and to regulatory conversations. You are building the function with the right structural independence behind it.

 

• Own the ISMS. Maintain and develop Blockrise’s Information Security Management System,keeping it current as the business scales and the regulatory environment evolves.
• Drive ISO 27001 certification. Manage ongoing compliance and audit readiness. Own the relationship with our external auditor and certification body.
• Implement DORA.Translate Articles 5-15 (ICT riskmanagement), 23-25 (incident reporting),and 28-30 (third-party risk) into operational controls, documented evidence, and testing cycles.
• Define and enforce security policy. Own the policy framework across the organisation. Policies need  to hold up under audit and in an actual incident.
• Oversee vulnerability management and penetration testing. Work with our IT team and external parties to ensure findings are tracked, prioritized, and remediated.
• Lead security incident response. Own the process from preparation through detection, containment, and regulatory reporting where required.
• Manage third-party and cloud security risk. Assess and oversee the security posture of our GCP environment and critical outsourced service providers.
• Act as second-line challenge. Independently review, test, and verify that first-line ICT controls are operating as intended. Report findings without a filter.
• Report to the Board and regulators.Translate technical risk into plain business language. Represent security at senior and regulatory level.
• Keep the tooling stack current. Keep ICT Risk Management systems, and end point protection current. Identify gaps and propose solutions.

 
WHAT YOU BRING 

• 5 or more years in information security, with at least 2 years holding ISMS ownership or equivalent scope. 
• Hands-on experience implementing or maintaining ISO 27001 certification. You were actively involved in running the programme, not supported it from the side. 
• Solid working knowledge of DORA, specifically Articles 5-15, 23-25, and 28-30, with experience translating regulatory requirements into controls. 
• Experience across vulnerability management, penetration testing oversight, and security incident response.
• A track record of defining and enforcing security policies. You pushed back when business units wanted exceptions, and you had the authority to do it. 
• Cloud security experience: GCP preferred; AWS or Azure acceptable. 
• Familiarity with SIEM, vulnerability scanners, and endpoint protection; direct experience with Vanta and/or another ICT Risk Management System is a plus. 
• A clear understanding of the three lines of defence model. You know what genuine second-line independence requires and can explain why it matters to a CTO who currently holds both functions. 
• Ability to communicate security risk in business terms to a Board and regulators. Comfort with both the numbers and the regulatory language. 
• Strong written and spoken English. Dutch is a plus. 
• CISSP, CISM, or ISO 27001 Lead Implementer/Auditor (preferred). CRISC is a bonus. 

Nice to have 

• Experience in financial services or in Bitcoin and digital asset businesses. 
• Working knowledge of MiCAR and its operational resilience implications. 
• Experience with regulatory audits run by DNB, AFM, or equivalent authorities. 
• Third-party risk management in outsourced or cloud-first environments, particularly for critical service providers.