This role is responsible for leading, coordinating, and driving the Information Security Governance (GRC) and Business Continuity functions across the organization and its subsidiaries. The position ensures effective governance, regulatory compliance, audit readiness, risk oversight, and timely closure of enterprise-wide initiatives and actions.
The consultant will operate as a hands-on senior resource, owning end-to-end delivery of critical governance and resilience initiatives, with direct exposure to senior management and all business units.
Note: This is a hands-on execution and ownership role with full accountability across initiatives. It is not a people-management or delegation-based position.
Key Responsibilities
1. Information Security Governance & GRC
- Establish, maintain, and continuously enhance the Information Security Governance, Risk, and Compliance (GRC) framework.
- Define and maintain the organization’s Information Security framework, including policies, standards, procedures, charters, and governance structures.
- Lead enterprise-wide risk management activities, including identification, assessment, treatment, and reporting of information security and operational risks.
- Ensure alignment with regulatory requirements, UAE IA standards, international frameworks (e.g., ISO 27001, ISO 22301, NIST), and Cybersecurity Council policies.
- Provide governance oversight across critical security domains.
- Support development of annual security plans, objectives, and performance metrics aligned with organizational strategy.
2. Audit, Compliance & Regulatory Oversight
- Manage and coordinate all internal, external, and regulatory audits (Information Security, Business Continuity, EHS/IMS where relevant).
- Drive end-to-end audit lifecycle management, including:
  - Preparation and coordination
  - Stakeholder alignment
  - Evidence collection and validation
  - Audit walkthroughs and responses
- Ensure timely closure of audit findings with:
  - Clear ownership
  - Defined remediation plans
  - Evidence tracking
  - Executive reporting
3. Integrated Management System (IMS)
- Coordinate and maintain the Integrated Management System (IMS) across Information Security, Business Continuity, and related domains.
- Ensure all documentation (policies, SOPs, procedures) remains:
  - Current
  - Approved
  - Effective
- Ensure alignment with organizational objectives and audit expectations.
- Support governance forums including committees, working groups, and management reviews.
- Manage management system lifecycle activities, including:
  - Recertification
  - Surveillance audits
  - Scope expansion
  - Continuous improvement initiatives
- Act as a primary point of contact for auditors, regulators, and assurance partners.
- Maintain oversight of compliance against applicable frameworks and regulatory mandates, ensuring a continuous compliance posture.
4. Business Continuity & Operational Resilience
- Manage the Business Continuity Management System (BCMS), Disaster Recovery (DR) plans, and the operational resilience program.
- Ensure organizational readiness through:
  - Regular testing and simulation exercises
  - Scenario planning and validation
  - Post-exercise reporting and improvement tracking
- Oversee development, testing, and maintenance of business continuity, disaster recovery, and crisis management frameworks.
- Ensure the organization is prepared for disruptive events through structured planning, simulations, and executive-level reporting.
- Provide strategic input into resilience planning, including technology, people, facilities, and third-party dependencies.
5. Awareness, Culture & Human Risk Management
- Define and drive the Information Security and Business Continuity awareness strategy at an enterprise level.
- Ensure awareness initiatives address multiple channels including training, communications, campaigns, and leadership engagement.
- Run vendor-supported awareness and simulation programs, ensuring quality, relevance, and measurable outcomes.
- Promote a strong security and resilience culture across the organization.
6. Identity, Access & Third-Party Governance
- Regularly perform identity and access reviews and segregation-of-duties reviews across various functions.
- Manage third-party risk management, including methodology definition, assessments, and remediation oversight.
- Ensure access, vendor, and supplier risks are identified, reviewed, and managed in line with policy and regulatory expectations.
7. Strategy, Projects & Advisory Role
- Act as a senior advisor to leadership on information security, resilience, and emerging risk topics.
- Engage in enterprise initiatives and projects to ensure security and continuity requirements are embedded early.
- Contribute to long-term strategy, annual plans, objectives, and performance reporting.
- Support executive, board, and committee-level reporting, providing clear insights and recommendations.
Key Skills & Experience
Essential
- Strong experience in Information Security, Business Continuity, GRC, or operational resilience roles.
- Proven ability to independently own and deliver complex, cross-functional initiatives.
- Hands-on experience with audits, regulatory requirements, and standards-based environments.
- Ability to work effectively in regulated, high-accountability environments.
- Excellent organization, tracking, and follow-through skills.
- ISO 27001 / ISO 22301 certification preferred.