ICT Risk Assurance Specialist (Auditor) (f/m/d)

Your area of work:

Join our Chief ICT Risk Office CISO section, the central pillar for managing IT & Information Security Risk in our 2nd Line of Defense (LoD). Our team acts as an independent oversight function, ensuring the entire organization operates within a defined and robust risk management framework.

In this role, you will be at the heart of our assurance activities, performing continuous monitoring and oversight to confirm that our ICT controls are well-designed, correctly implemented, and operating effectively to protect the firm.

 Your responsibilities:

• Plan & Prepare: Contribute to the development of our annual and multi-year assurance plans. You will help define the scope of reviews and prepare detailed workbooks outlining control requirements and specific test steps.
• Assess & Monitor: Execute independent control assurance activities. This includes performing Tests of Design (ToD) to ensure controls are properly structured and Tests of Implementation (ToI). You will also test the ongoing Operating Effectiveness (ToE) of controls through inquiry, observation, inspection, and re-performance.
• Request Evidence: Take charge of collecting and analyzing evidence to support your testing, including policies, procedures, system configurations, and logs. You will learn to professionally manage your requests and escalate any delays to ensure deadlines are met.
• Report & Communicate: Clearly document your findings, observations, and opportunities for improvement. You will share preliminary results with control owners for validation and contribute to structured, high-quality reports that include severity ratings and recommended remediation timelines.
• Follow-up & Track: Actively monitor the progress of remediation plans for identified issues. You will escalate overdue items, validate evidence submitted for closure, and help maintain accurate status reports for management.
• Continuously Improve: Be a part of enhancing our assurance methodologies, templates, and internal processes. You will help ensure our team stays aligned with evolving regulatory requirements (e.g., DORA) and leading industry frameworks.

Your profile:

• Education: A university degree (Bachelor or Master) in Information Technology, Information Security, Risk Management, or a related field.
• Experience: At least 1 years of relevant experience in IT/Information Security. Ideal backgrounds include internal/external IT audit, second-line assurance, or hands-on control implementation/IT governance roles.
• Industry Knowledge: Experience in the financial sector is highly valuable, particularly within EU-regulated environments. Familiarity with regulations such as DORA, BAIT, MaRisk, or CSSF is a significant plus.
• Frameworks and Standards: You have a strong understanding of ICT risk concepts, control design principles, and the Three Lines of Defense model. You are familiar with common IT standards and frameworks like COBIT, CSA-CCM, ISO/IEC 27000 series, ITIL, or BSI Grundschutz.
• Certifications: Professional certifications are a strong asset and demonstrate your commitment to the field. Preferred certifications include CISA, CISM, CISSP, CEH, or CIA.
• Core Skills:
  • Assurance / Audit Techniques: You know how to apply assurance techniques (inquiry, observation, inspection, re-performance) and have a basic understanding of sampling methodologies.
  • Analytical Mindset: You possess high analytical skills and conceptual thinking, with an ability to interpret complex technical information and regulatory requirements.
  • Communication: You have strong interpersonal and communication skills, enabling you to engage effectively with stakeholders, including senior colleagues.
• Technical Domains: Experience in one or more of the following technical areas is an advantage: Cloud Security (Azure/AWS/Google), Network Security, Vulnerability Management, SIEM, Privileged Access Management (PAM), Threat Intelligence, or Incident Response.
• Stay Current: Keep abreast of the latest industry trends, emerging technologies, and changes in the regulatory landscape, including cyber threats and security-related events.

Languages: Excellent command of English (both written and spoken) is required. Proficiency in German is an advantage.

You can look forward to our benefit package:

• Hybrid Work and Flexible working hours
• Work from abroad - 12 days of remote work from EU countries per year
• Group Share Plan - discount on company shares
• Pension fund contribution - 3% of your gross salary (5% after 5 years with us)
• Health & Wellbeing - fully covered Multisport card, life & accident insurance, sick days and 100% salary contribution during sick leave (up to 56 days)
• 25 vacation days
• Mobility - fully covered public transport in Prague & free parking
• Flexible Benefit Account (Pluxee) - 1200 per month
• Personal Development - annual budget of €690 ... and way more!