Pauwels Consulting

CISO Officer – Third Party Risk Management & GRC

Digital
Security
Bachelor, Master
Expert (10+)
Location
Anderlecht, Bruxelles-Capitale
Work type
Consultancy
Working model
Fulltime, Hybrid

Our client, a leading provider of essential public transport services, is looking for a specialist to manage cybersecurity risks associated with third parties and procurement processes. This role ensures that security commitments across the supply chain are compliant, controlled, and aligned with organizational standards and regulatory frameworks.

Responsibilities

  • Establish and maintain the cybersecurity third-party risk management framework according to industry standards.
  • Conduct risk assessments on suppliers and service providers using security questionnaires, documentation, and architecture reviews.
  • Define and monitor risk mitigation plans and acceptance conditions for third-party relationships.
  • Review cybersecurity requirements within procurement documentation, including RFI, RFC, RFQ, and RFP processes.
  • Evaluate supplier proposals to ensure compliance with security and risk management reference frameworks.
  • Provide reporting and visibility on third-party risks to management and identify areas for continuous improvement.

Requirements

  • You have 5+ years of experience in cybersecurity roles focusing on Third Party Risk Management, Security Assurance, GRC, or Audit.
  • You possess 5+ years of experience reviewing procurement and tender documentation such as RFI, RFC, RFQ, and RFP.
  • You bring strong knowledge of cybersecurity standards including ISO 27001, ISO 27002, NIS2, and GDPR.
  • You have a deep understanding of reference frameworks such as CyFun, ISO 27036, and ISA/IEC 62443.
  • You possess the ability to assess solution architectures and complex contractual documents from a security perspective.
  • You bring a Master’s degree in Information Technology, Law, Risk Management, or Information Security.
  • You're proactive, analytical, and solution-oriented with a strong risk-oriented approach.
  • You are fluent in Dutch or French at C1 level, possess at least B2 level in the other language, and have C1 level proficiency in English.

Nice to Haves

  • Willingness to participate in ongoing foundational training and cybersecurity seminars.

Offer

  • Start date: 01/05/2026
  • Duration: Until 30/04/2027
  • Work regime: Full-time
  • Location: Brussels
  • Working model: Hybrid (2 days on-site)
  • Contract: open to both permanent employees and freelancers
