ISO – Senior Consultant Quality & Information Security

Northland Power is based in Toronto, Canada, with offices in eight countries. Since 1987 they’ve developed, owned, and run clean energy plants, now over $12 billion in operational capacity. Northland Power Europa GmbH (NPEG) aims for strong results and a sustainable future. As operator and service provider for critical infrastructures (kDL & KRITIS under BNetzA, EnWG, BSI), NPEG must comply with IT-SiG 2.0 and run an ISO 27001:2022 ISMS. The ISMS scope covers the operation of wind farms (strategic, operational, and secure IT/OT).

• Member of the security team, co-responsible for cyber & information security of the company’s wind farms
• Prepared all documents and measures (policies, security concepts, procedures, cryptography and key management, etc.) to deploy detection systems per BSI IT-SiG 2.0 & EnWG
• Prepared measures (policies, security concepts, procedures, SOPs, etc.) to build and deploy ISMS per ISO 27001:2022 (ISMS manual, BCM, IT emergency plans, IAM, backup & recovery, MDM, supplier/password/patch/asset/configuration/network management, cryptography concepts, and more)
• In risk management, identified, assessed, and addressed critical and potential attack scenarios for wind farms
• Conducted risk management, risk analysis, risk treatment, protection needs assessment, and vulnerability analysis of the IT/OT infrastructure
• Created IT/OT emergency plans, incident response processes, and IT/OT system recovery as part of BCM (BIA, RIA & DRP) The project was ended early by Northland Power Europa GmbH due to sale of the wind farms and closure in Germany.

UKD is the largest hospital in Düsseldorf and a key medical center in NRW, linked with Heinrich Heine University’s medical faculty for healthcare, research, and teaching. In 2017 UKD celebrated its 110th anniversary. As a KRITIS operator under §8a BSIG, UKD runs an ISO 27001:2022 certified ISMS. The scope covers the entire IT department (strategic, operational, security).

• Direct senior consultant to the head of ICT & MedTech (CIO) and innovation project leader
• As ISO, responsible for information security across the IT department
• Created, maintained, and improved ISMS policies and SOPs
• Delivered IT security and incident response training and system recovery awareness for IT staff
• Authored and led the new IT strategy, plus BIA and DRP for IT system recovery
• As ISO, prepared for future BCM per ISO 22301 for the ICT department and UKD
• Drafted IT cybersecurity strategy and roadmap for additional tools and solutions
• Developed IT emergency plan (DRP), security concept, incident response and related concepts (data protection, antivirus, cryptography, hardening measures, asset/configuration/patch management, IAM, etc.)
• Helped prepare for IT detection systems per BSI IT-SiG 2.0 (policies, cryptography & key management, procedures, etc.)
• As PMO, designed a security concept, ran a PoC, evaluated and procured a medical device monitoring security system for device inventory and threat prevention
• Established a Security Operations Center (SOC) with processes for faster threat detection and response
• Deployed a SIEM with Splunk for secure network monitoring
• From Feb 2023 took on the Senior PMO role for IT department
• As PMO, oversaw all IT-related projects (>2K)
• Created and managed Gantt charts for all IT projects (IT & medical, IT security, SAP, etc.)
• Developed patch management security concept and SOPs with system engineers
• Supported continuous improvement of the ISMS ahead of the first surveillance audit
• Regularly reported project progress to department leadership and the board

EUROVIA Services GmbH, part of EUROVIA GmbH in Berlin, is a VINCI Construction subsidiary in Germany. EUROVIA builds roads and infrastructure in 16 countries under VINCI S.A. The IT department, part of EUROVIA France’s DSI, handles IT operations, networks, projects, and information security.

• Planned and delivered awareness training for the company and its subsidiaries
• Reviewed penetration test results and created an action plan to fix vulnerabilities
• Optimized IT processes to best support business processes
• Helped ensure availability of IT services so employees have the information they need
• Reviewed existing ISMS documents, conducted an as-is analysis and gap analysis for ISO 27001 to ensure confidentiality, availability, and integrity of information

• “ISO” – Information Security Officer; responsible for certifying new cloud services of the Police Service Platform (PSP) to the international C5 standard
• Conducted GAP analysis and supported building and improving an ISMS per ISO 27001, IT-Grundschutz, and new BSI compendium
• Created and improved policies and SOPs for the entire agency for C5, ISMS & IT-Grundschutz (Business Continuity (BIA/RIA/DRP), IT emergency plans, compliance management, software development, etc.)
• Developed and refined information security and IT emergency plans for IT operations and new cloud services (IAM, backup & recovery, patch management, crypto & key management, asset/configuration management, hardening, etc.) to meet BSI IT-Grundschutz
• Worked with SOC colleagues to update defenses against growing threats
• Prepared and delivered internal training (workshops & awareness) on information security concepts
• Underwent BKA security clearance SÜ2
• The certification project was halted by the government due to COVID-19 pandemic

• Conducted ISO 27001 audits for various clients
• Ran GDPR workshops and pre-audits for TÜV SÜD Munich and clients

• Planned and built the new Compliance Services & Solutions division to offer customers consulting on ISMS, BCM, IAM, cryptography & key management, GDPR compliance, IT security, IT compliance, IT governance, BSI IT-Grundschutz, BaFin & MaRisk, etc.
• Advised customers on implementing ISMS per ISO 27001 and BSI IT-Grundschutz for GDPR compliance
• Advised customers on implementing BCM per ISO 22301
• Delivered seminars, training, and workshops on deploying ISMS per ISO 27001 for GDPR compliance
• Conducted information security and ISMS audits per ISO 27001, ISO 27006, and ISO 19011

• Conducted banking security consulting on BaFin and MaRisk AT 8.2 compliance and ‘Secure IT Operation’ requirements for Stadtsparkasse Düsseldorf (2,000+ employees)
• Advised on network service outsourcing under KWG 25a/b (risk/outsourcing). Adjusted incident management for a provider switch from T-Systems to Finanz Informatik per MaRisk AT 9. Performed business analysis, modeling, and process adjustments for outsourcing

• eRCP: Enterprise Release, Configuration & Promotion (Deployment)
• GMP – Growing Market Platform: global rollout of a core insurance system for all Zürich Latin American business units
• Built eRCP teams in Chile, Brazil, and India: training, leadership, and continuous improvement worldwide
• Regional eRCP manager, handling problem & incident, change & release, SLA, and crisis management across the application lifecycle for each Latin American unit
• Single point of contact for Latin American users to prepare new software releases
• Worked with users to develop test cases for QA approval of new releases
• Coordinated with regional CABs for change management and release approvals
• Reviewed and adjusted contracts with external vendors (Accenture, CSC, Everis, Wipro, etc.) with legal counsel
• Globally accountable for over 80 staff in Chile (Santiago), Brazil (São Paulo), Spain (Barcelona), and India (Pune)

The Chilean Statistics Office (INE) conducts research and training with internal and external staff to collect population data via traditional and digital methods and process it for national statistics.

• Led preparation, programming (with my IT team), and security of wireless solutions for digital data collection for the 2011–2012 census
• Prepared and delivered training to external staff on digital data collection using wireless devices
• Managed information security, IT, and technology projects for the traditional and digital census and pilot tests
• Restructured the IT department, negotiating with management and works council
• As interim CISO, introduced policies per international standards (ISO 27001, ISO 22301, ITIL, COBIT, UML, BPMN, OECD)
• As interim CISO, drove strategic development of ITSCM, IT services, IT security, and innovation projects
• Built and launched the first SOC with a SIEM for automated threat lifecycle management
• Introduced PMO, PMI & CMMI, and CMMN for software development
• Set up RFP and led improvements to the telecom network across regions
• Interim responsibility for over 50 employees

• Launched an electronic wallet on smart cards
• Defined, benchmarked, selected, procured, implemented, and managed the tech platform for open-innovation eWallet project for banks
• Banks licensed the eWallet from Mondex International (now MasterCard) in London
• Created and led an interbank committee for operations and tech topics as a joint communication channel
• Worked with finance committees, banking regulators, and central bank to design the e-money production, operation, and settlement model with market stability safeguards
• Developed the financial model for investment, management, and profit sharing, balancing real and virtual money interactions and ensuring electronic money stability for end users and market investors
• Served as business analyst between banks and project implementation
• Managed over 20 staff plus external contractors

• Developed, implemented, and managed all electronic banking products for corporate clients
• Launched eCommerce solutions
• Advised on secure eCommerce and EDIFACT implementation in Chile

• Responsible for COMEX, Financial EDIFACT & eCommerce for German and European banks and for CeBIT (financial institutions)
• Promoted eCommerce among German banks
• Member of European interbank committees (Frankfurt, Paris, London)
• Led an eCommerce project between commercial banks and the central bank in Frankfurt