Federico (F.) Leefhelm

ISO – Senior Consultant Quality & Information Security

Düsseldorf, Germany
Experience
Oct 2023 - Jun 2024
9 months
Germany

ISO – Senior Consultant Quality & Information Security

Gemeinsame Klassenlotterie der Länder, Freelancer

The Gemeinsame Klassenlotterie der Länder (GKL) is a public institution owned by Germany’s 16 states. Its task is to run state lottery games and ensure youth protection and addiction prevention. The GKL is currently implementing a Quality and Information Security Management System (QMS & ISMS) according to ISO 9001 & 27001. I’m responsible for rolling out QMS & ISMS on behalf of partner ModernX GmbH & Co. KG.

  • Benchmarked and will implement an ISO tool to centrally manage all management systems
  • Led the deployment of a Quality Management System per ISO 9001:2015
  • Led the deployment of an Information Security Management System per ISO 27001:2022
  • Prepared and wrote Scope, SoA, policies, security concepts, procedures, SOPs, etc., to build and deploy QMS & ISMS per ISO 9001 & 27001
  • In risk management, identified, assessed, and addressed critical and potential attack scenarios
  • Conducted risk management, risk analysis, risk treatment, protection needs assessment, and vulnerability analysis of the institution’s IT
Jul 2023 - Apr 2024
10 months
Hamburg, Germany

ISO – Senior Consultant Cyber- & Information Security

Northland Power Europa GmbH, Freelancer

Northland Power is based in Toronto, Canada, with offices in eight countries. Since 1987 they’ve developed, owned, and run clean energy plants, now over $12 billion in operational capacity. Northland Power Europa GmbH (NPEG) aims for strong results and a sustainable future. As operator and service provider for critical infrastructures (kDL & KRITIS under BNetzA, EnWG, BSI), NPEG must comply with IT-SiG 2.0 and run an ISO 27001:2022 ISMS. The ISMS scope covers the operation of wind farms (strategic, operational, and secure IT/OT).

  • Member of the security team, co-responsible for cyber & information security of the company’s wind farms
  • Prepared all documents and measures (policies, security concepts, procedures, cryptography and key management, etc.) to deploy detection systems per BSI IT-SiG 2.0 & EnWG
  • Prepared measures (policies, security concepts, procedures, SOPs, etc.) to build and deploy ISMS per ISO 27001:2022 (ISMS manual, BCM, IT emergency plans, IAM, backup & recovery, MDM, supplier/password/patch/asset/configuration/network management, cryptography concepts, and more)
  • In risk management, identified, assessed, and addressed critical and potential attack scenarios for wind farms
  • Conducted risk management, risk analysis, risk treatment, protection needs assessment, and vulnerability analysis of the IT/OT infrastructure
  • Created IT/OT emergency plans, incident response processes, and IT/OT system recovery as part of BCM (BIA, RIA & DRP)

The project was ended early by Northland Power Europa GmbH due to the sale of the wind farms and closure in Germany.
Feb 2023 - Aug 2023
7 months
Velbert, Germany

CISO ad Interim & Senior Management Consultant ISMS, BCM & IAM

Huf Hülsbeck & Fürst GmbH & Co. KG, Freelancer

Huf has been the go-to for secure vehicle entry and authorization systems for auto makers for over 100 years. Headquartered in Velbert, NRW, with more than 17 sites on 3 continents, Huf is certified to TISAX, ISO 9001 (QMS), and ISO 27001 (ISMS). They’re now introducing a BCMS.

  • Led and managed the BCM implementation per ISO 22301
  • Objective: ensure global Huf operations continue through major incidents and can resume in time after unavoidable outages
  • Defined project scope, wrote BCM policy, Business Impact Analysis (BIA), Risk Impact Analysis (RIA), Disaster Recovery Plan (DRP), IT emergency plans, vulnerability analysis, incident response processes, and IT system recovery to achieve ISO 22301 certification
  • Conducted the first audit of the Corporate IAM process, found many irregularities, and recommended urgent improvements
  • Supported continuous improvement for TISAX and ISMS per ISO 27001

The BCM project was not completed due to budget planning.
Dec 2022 - Jul 2024
1 year 8 months
Düsseldorf, Germany

ISO, Sr. Management Consultant & Sr. PMO for IT Department

Universitätsklinikum Düsseldorf (UKD), Freelancer

UKD is the largest hospital in Düsseldorf and a key medical center in NRW, linked with Heinrich Heine University’s medical faculty for healthcare, research, and teaching. In 2017 UKD celebrated its 110th anniversary. As a KRITIS operator under §8a BSIG, UKD runs an ISO 27001:2022 certified ISMS. The scope covers the entire IT department (strategic, operational, security).

  • Direct senior consultant to the head of ICT & MedTech (CIO) and innovation project leader
  • As ISO, responsible for information security across the IT department
  • Created, maintained, and improved ISMS policies and SOPs
  • Delivered IT security and incident response training and system recovery awareness for IT staff
  • Authored and led the new IT strategy, plus BIA and DRP for IT system recovery
  • As ISO, prepared for future BCM per ISO 22301 for the ICT department and UKD
  • Drafted IT cybersecurity strategy and roadmap for additional tools and solutions
  • Developed IT emergency plan (DRP), security concept, incident response and related concepts (data protection, antivirus, cryptography, hardening measures, asset/configuration/patch management, IAM, etc.)
  • Helped prepare for IT detection systems per BSI IT-SiG 2.0 (policies, cryptography & key management, procedures, etc.)
  • As PMO, designed a security concept, ran a PoC, evaluated and procured a medical device monitoring security system for device inventory and threat prevention
  • Established a Security Operations Center (SOC) with processes for faster threat detection and response
  • Deployed a SIEM with Splunk for secure network monitoring
  • From Feb 2023 took on the Senior PMO role for IT department
  • As PMO, oversaw all IT-related projects (>2K)
  • Created and managed Gantt charts for all IT projects (IT & medical, IT security, SAP, etc.)
  • Developed patch management security concept and SOPs with system engineers
  • Supported continuous improvement of the ISMS ahead of the first surveillance audit
  • Regularly reported project progress to department leadership and the board
May 2022 - Dec 2022
8 months
Munich, Germany

Senior Management Consultant BCM, Compliance & Information Security

Bitmarck Beratung GmbH, Freelancer

Bitmarck Beratung is an IT managed service provider for the health insurance market, driving digitalization in the sector. They’re ISO 9001 (QMS) and ISO 27001 (ISMS) certified.

  • Led and managed BCM implementation per ISO 22301 and BSI IT-Grundschutz Standard 200-4
  • Aim: ensure Bitmarck’s operations continue through major incidents or resume timely after outages
  • Defined scope, wrote BCM policy, conducted BIA, RIA, and DRP, and managed risks
  • Developed IT emergency plans, vulnerability analysis, incident response processes, and IT recovery to meet ISO 22301
  • Created project Gantt chart and prepared all documents for ISO 22301 certification

The BCM project was not finished due to budget planning.
May 2022 - Jul 2022
3 months
Germany

CISO as a Service – Chief Information Security Officer

EUROVIA Services GmbH, via Mazars GmbH, Freelancer

EUROVIA Services GmbH, part of EUROVIA GmbH in Berlin, is a VINCI Construction subsidiary in Germany. EUROVIA builds roads and infrastructure in 16 countries under VINCI S.A. The IT department, part of EUROVIA France’s DSI, handles IT operations, networks, projects, and information security.

  • Planned and delivered awareness training for the company and its subsidiaries
  • Reviewed penetration test results and created an action plan to fix vulnerabilities
  • Optimized IT processes to best support business processes
  • Helped ensure availability of IT services so employees have the information they need
  • Reviewed existing ISMS documents, conducted an as-is analysis and gap analysis for ISO 27001 to ensure confidentiality, availability, and integrity of information
Mar 2021 - Jun 2023
2 years 4 months
Wilhelmshaven, Germany

Security Engineer, ISO, Senior Management Consultant Cyber- & Information Security

Thales Deutschland GmbH Naval, Freelancer

Thales Naval is a long-time partner of the German military, NATO, and allies. As part of Germany’s high-tech industry, Thales offers secure communications, control systems, satellite components, and services for land, air, sea, civil and military security, digital identity, and cybersecurity. Damen Shipyards, Thales, and Blohm & Voss are building four new F126 frigates (budget €5.27 billion) for the German Navy. Modern ships are floating data centers vulnerable to cyber attacks. To secure the F126, Thales Naval’s Kiel and Wilhelmshaven teams handle cyber & information security for:

  • Member of the F126 team, co-responsible for cyber & information security of new F126 frigates under Germany’s military accreditation authority
  • Led Thales’s largest innovation project in information security for the German Navy
  • Identified, assessed, and addressed critical and potential attack scenarios for F126 ships
  • Conducted risk management, risk analysis, risk treatment, protection needs assessment, IT emergency plans, vulnerability analysis, incident response processes, and system recovery for the F126 IT infrastructure
  • Wrote and improved policies, hardening and security concepts, and SOPs for the F126 IT infrastructure
  • Created and documented information security and emergency concepts per ISO 27001, BSI IT-Grundschutz, and military regulations (ZDV A-960/1, etc.) covering IAM, cryptography & key management, roles & rights, backup & recovery, password/patch/asset/configuration management, antivirus, data protection, and more
  • Supported security for Digital Communication Network (DKN), Ship Entry Point (SEP), and satellite communication (SATCOM) systems
  • Advised functional teams on conflicts between technical design and security requirements
  • Applied ISO/IEC 27001 via BSI IT-Grundschutz and Bundeswehr IT-Grundschutz for navy projects
  • Attended workshops with the German Navy and subcontractors (Thales Germany & Netherlands) in German and English
  • Collaborated with security teams in France and the Netherlands
Jun 2019 - Mar 2020
10 months
Wiesbaden, Germany

ISO & Senior Management Consultant Compliance & Information Security

Bundeskriminalamt (BKA), Freelancer

  • “ISO” – Information Security Officer; responsible for certifying new cloud services of the Police Service Platform (PSP) to the international C5 standard
  • Conducted GAP analysis and supported building and improving an ISMS per ISO 27001, IT-Grundschutz, and new BSI compendium
  • Created and improved policies and SOPs for the entire agency for C5, ISMS & IT-Grundschutz (Business Continuity (BIA/RIA/DRP), IT emergency plans, compliance management, software development, etc.)
  • Developed and refined information security and IT emergency plans for IT operations and new cloud services (IAM, backup & recovery, patch management, crypto & key management, asset/configuration management, hardening, etc.) to meet BSI IT-Grundschutz
  • Worked with SOC colleagues to update defenses against growing threats
  • Prepared and delivered internal training (workshops & awareness) on information security concepts
  • Underwent BKA security clearance SÜ2
  • The certification project was halted by the government due to the COVID-19 pandemic
Feb 2019 - Jul 2019
6 months
Düsseldorf, Germany

CISO & Senior Management Consultant Compliance & Information Security

Dr. Glinz COViS GmbH, Freelancer

  • “CISO” – Chief Information Security Officer; wrote security concepts for the company and its software products
  • Ran a GDPR pre-audit and found over 90% compliance
  • Proposed and implemented strategic IT security improvements, continuous improvement, and ISMS maintenance per ISO 27001
  • Introduced event handling processes and improved the informal SOC & ticketing system
  • Improved monitoring and manual operator review in the SOC plus ticketing system
  • Performed security assessments (PenTests & vulnerability scans) to find, fix, and close gaps
  • Developed new compliance services and led workshops on ISMS per ISO 27001 and GDPR
  • Wrote new policies and security concepts as part of ISMS continuous improvement, especially for cloud provider and client roles
May 2018 - Dec 2018
8 months
Mannheim, Germany

Lead Auditor & Sr. Management Consultant Compliance & Information Security

TÜV SÜD, Freelancer

  • Conducted ISO 27001 audits for various clients
  • Ran GDPR workshops and pre-audits for TÜV SÜD Munich and clients
Apr 2018 - Jan 2019
10 months
Walldorf, Germany

Lead Auditor & Sr. Management Consultant Compliance & Information Security

SAP AG, Freelancer

  • International Lead Audit Manager for Quality Management and Information Security under ISO 9001, ISO 27001, ISO 22301, SOC, SOX, C5, PCI-DSS & SIEM in Cloud Network Delivery (CND)
  • Collaborated with Enterprise Compliance & Audit teams and the SOC team (SAP Solution Manager & SAP Enterprise Threat Detection) on threat lifecycle management for SAP Cloud services worldwide
  • Reviewed and improved all CND information security concepts for SAP Cloud services
  • Contributed to innovation projects in SAP information security
  • SPOC between CND, users, and all compliance teams globally
  • Compliance project manager for CND (Cisco switches, all data centers worldwide)
Oct 2017 - Jun 2018
9 months
Karlsruhe, Germany

Division Manager Compliance Services & Solutions

Makro Factory GmbH & Co. KG, Full-time

  • Planned and built the new Compliance Services & Solutions division to offer customers consulting on ISMS, BCM, IAM, cryptography & key management, GDPR compliance, IT security, IT compliance, IT governance, BSI IT-Grundschutz, BaFin & MaRisk, etc.
  • Advised customers on implementing ISMS per ISO 27001 and BSI IT-Grundschutz for GDPR compliance
  • Advised customers on implementing BCM per ISO 22301
  • Delivered seminars, training, and workshops on deploying ISMS per ISO 27001 for GDPR compliance
  • Conducted information security and ISMS audits per ISO 27001, ISO 27006, and ISO 19011
Feb 2016 - Jun 2018
2 years 5 months
Karlsruhe, Germany

CISO & Senior Management Consultant Compliance Services & Solutions

Makro Factory GmbH & Co. KG, Full-time

  • Successfully implemented and certified an ISMS per ISO 27001 and BCM per ISO 22301 in one combined certification, plus ISO 27017/27018 for GDPR data protection as a cloud service provider
  • Created IT emergency plan (DRP) per ISO 22301
  • Performed IT security assessments (PenTest & vulnerability scans) to find and fix gaps
  • Completed the ISMS & BCM project in 14 months
  • Led GDPR & ISMS workshops for Makro Factory clients
  • Advised and implemented ISO 27001 & 22301 for Makro Factory clients
Nov 2015 - Jan 2016
3 months
Düsseldorf, Germany

Senior Management Consultant Compliance & Information Security for Stadtsparkasse Düsseldorf

Makro Factory, Freelancer

  • Conducted banking security consulting on BaFin and MaRisk AT 8.2 compliance and ‘Secure IT Operation’ requirements for Stadtsparkasse Düsseldorf (2,000+ employees)
  • Advised on network service outsourcing under KWG 25a/b (risk/outsourcing). Adjusted incident management for a provider switch from T-Systems to Finanz Informatik per MaRisk AT 9. Performed business analysis, modeling, and process adjustments for outsourcing
Mar 2013 - Jun 2015
2 years 4 months
Santiago, Chile

Strategic ITSCM, CISO, Business & eGRC Senior Management Consultant

Self-employed Entrepreneur

  • Senior project manager & business analyst, senior PMO & senior IT security interim manager for banks, insurers, retail, and industry
  • Technical rollout and training of new ERP systems & change management for an international mining company
  • Strategic development of ITSCM, IT services, and IT security for banks, insurers, retail, and industry as interim CISO
  • Implemented ISMS per ISO 27001 for companies in Chile, Argentina, and Brazil as interim CISO
  • Implemented BCM per ISO 22301 for companies in Chile, Argentina, and Brazil as interim CISO
  • Interim strategic ITSCM, IT service management & business development manager for various IT firms
  • Business analyst, translator, and interpreter for IT and business projects (Spanish/German/English)
Nov 2010 - Feb 2013
2 years 4 months
Santiago, Chile

Regional eRCP-Manager for Latin America

Zürich Shared Services – Versicherungsgesell., Freelancer

  • eRCP: Enterprise Release, Configuration & Promotion (Deployment)
  • GMP – Growing Market Platform: global rollout of a core insurance system for all Zürich Latin American business units
  • Built eRCP teams in Chile, Brazil, and India: training, leadership, and continuous improvement worldwide
  • Regional eRCP manager, handling problem & incident, change & release, SLA, and crisis management across the application lifecycle for each Latin American unit
  • Single point of contact for Latin American users to prepare new software releases
  • Worked with users to develop test cases for QA approval of new releases
  • Coordinated with regional CABs for change management and release approvals
  • Reviewed and adjusted contracts with external vendors (Accenture, CSC, Everis, Wipro, etc.) with legal counsel
  • Globally accountable for over 80 staff in Chile (Santiago), Brazil (São Paulo), Spain (Barcelona), and India (Pune)
Jul 2010 - Oct 2010
4 months
Santiago, Chile

Senior PMO for Latin America

Zürich Shared Services – Versicherungsgesell., Freelancer

  • Senior PMO for each Latin American business unit and all non-core (legacy) applications under the Growing Market Platform (GMP) project
Jul 2008 - Jul 2010
2 years 1 month
Santiago, Chile

CISO ad Interim & Interim Manager IT & IT Security

INE, Chilean Statistical Office, Freelancer

The Chilean Statistics Office (INE) conducts research and training with internal and external staff to collect population data via traditional and digital methods and process it for national statistics.

  • Led preparation, programming (with my IT team), and security of wireless solutions for digital data collection for the 2011–2012 census
  • Prepared and delivered training to external staff on digital data collection using wireless devices
  • Managed information security, IT, and technology projects for the traditional and digital census and pilot tests
  • Restructured the IT department, negotiating with management and works council
  • As interim CISO, introduced policies per international standards (ISO 27001, ISO 22301, ITIL, COBIT, UML, BPMN, OECD)
  • As interim CISO, drove strategic development of ITSCM, IT services, IT security, and innovation projects
  • Built and launched the first SOC with a SIEM for automated threat lifecycle management
  • Introduced PMO, PMI & CMMI, and CMMN for software development
  • Set up RFP and led improvements to the telecom network across regions
  • Interim responsibility for over 50 employees
Mar 2002 - Jun 2008
6 years 4 months
Santiago, Chile

CEO & Owner; Managing Director, CISO & Senior Consultant

ATNet Lateinamerika Management Consulting GmbH

  • Founder, owner, managing director, and senior management consultant of an international IT management consulting firm
  • Specialized in IT governance, risk & compliance, information security, and electronic invoicing per tax authority rules
  • Implemented and certified ISMS per ISO 27001 and BCM per ISO 22301 for large companies in Chile, Argentina, and Brazil, mainly financial institutions (data centers, banks & insurers)
  • Benchmarked and built SOCs with SIEM platforms for various financial institutions in Chile
  • Developed, marketed, and deployed an electronic invoicing application with asymmetric cryptography per tax authority specifications
  • Trainer for the Ministry of Economy and Santiago Chamber of Commerce on electronic invoicing and cryptography in over 20 courses
  • Provided consulting, business analysis, design, and workflow automation for foreign trade between front- and back-office of a Brazilian bank to improve time to market
  • Advised on building a strategic IT plan under open innovation frameworks for a corporate bank
  • Consolidated networks and server platforms to support operations and reduce TCO for a major local bank
  • Advised on IT security guidelines and corporate policies, including IT restructuring, for Chile’s largest mining, iron, and steel company
  • Led a team of over 120 employees
May 2000 - Feb 2002
1 year 10 months
Santiago, Chile

CIO & COO – IT & Operations Manager

Chipkarten AG (ETISA) Bank Subsidiary

  • Launched an electronic wallet on smart cards
  • Defined, benchmarked, selected, procured, implemented, and managed the tech platform for open-innovation eWallet project for banks
  • Banks licensed the eWallet from Mondex International (now MasterCard) in London
  • Created and led an interbank committee for operations and tech topics as a joint communication channel
  • Worked with finance committees, banking regulators, and central bank to design the e-money production, operation, and settlement model with market stability safeguards
  • Developed the financial model for investment, management, and profit sharing, balancing real and virtual money interactions and ensuring electronic money stability for end users and market investors
  • Served as business analyst between banks and project implementation
  • Managed over 20 staff plus external contractors
Jul 1998 - May 2000
1 year 11 months
Santiago, Chile
Remote

Manager, Technology Remote Channels & Marketing

Bank BCI, Banco Crédito Inversiones

  • Oversaw remote channels: web, mobile banking, phone banking, ATMs, etc.
  • Designed and led the first Chilean transactional banking website and mobile banking project with external vendors
  • Managed over 40 employees
Oct 1994 - Jul 1998
3 years 10 months
Santiago, Chile

Senior Consultant Electronic Banking & Corporate Banking

Bank BCI, Banco Crédito Inversiones

  • Developed, implemented, and managed all electronic banking products for corporate clients
  • Launched eCommerce solutions
  • Advised on secure eCommerce and EDIFACT implementation in Chile
Jul 1992 - Sep 1994
2 years 3 months
Santiago, Chile

R&D Manager, IT Research & Technology

Bank BCI, Banco Crédito Inversiones

  • Introduced EDIFACT for the bank
  • Advised on forming an EDI subsidiary
  • Developed and launched the first drive-in branch car banking
  • Managed over 10 employees
Jul 1991 - Jun 1992
1 year
Frankfurt am Main, Germany

Senior Consultant & Deputy Manager International Banking

Digital Equipment Corporation (DEC)

  • Responsible for COMEX, Financial EDIFACT & eCommerce for German and European banks and for CeBIT (financial institutions)
  • Promoted eCommerce among German banks
  • Member of European interbank committees (Frankfurt, Paris, London)
  • Led an eCommerce project between commercial banks and the central bank in Frankfurt
Jul 1988 - Jun 1991
3 years
Frankfurt, Germany

CIO & Authorized Officer

Société Générale, French Bank

Société Générale is a top European financial services group with 126,000 employees serving 25 million clients in 65 countries.

  • Benchmarked, defined, and procured SWIFT-ST400 system for the entire bank
  • Planned, rolled out, and trained users on SWIFT-ST400 across all German branches
  • Implemented the first wide area network (WAN) from Frankfurt to all branches using an analog multiplexer
  • Defined and launched a new data center in Frankfurt
  • As CIO, managed over 40 employees
Jul 1986 - Jun 1988
2 years
Frankfurt, Germany

CTO & Authorized Officer A

Société Générale, French Bank

Apr 1984 - Jun 1986
2 years 3 months
Frankfurt, Germany

Deputy CIO & Authorized Officer B

Société Générale, French Bank

Nov 1983 - Mar 1984
5 months
Frankfurt, Germany

Software Engineering Team Lead

Société Générale, French Bank

Jul 1983 - Oct 1983
4 months
Frankfurt, Germany

Business Analyst & Software Engineer

Société Générale, French Bank

Summary

My experience as CEO includes founding and running my own IT services company, where over 6 years I managed over 120 engineers and successfully delivered large projects.

In 2016 I started working as an ISO in an IT services company. Alongside this, I learned the European General Data Protection Regulation (GDPR).

My entrepreneurial spirit led me back to self-employment and since 2018 I’ve been a freelance Senior Management Consultant for Information Security and Business Continuity.

Languages
German
Native
Spanish
Native
English
Advanced
French
Advanced
Italian
Intermediate
Education
Oct 1977 - Jun 1982

TU Santiago

Diplom Engineer · Business Informatics · Santiago, Chile

Certifications & licenses

CISA/CISM: Certified IS & Security Lead Auditor under ISO 27000 (TÜV SÜD) and ISO 19011

TÜV SÜD

CISO: Chief Information Security Officer / Professional under ISO 2700X Series

TÜV SÜD

Certified ISMS Lead Auditor per BNetzA IT Security Catalog (KRITIS) under EnWG §11(1a)

Bundesnetzagentur BNetzA

Certified ISMS Lead Implementer under ISO/IEC 2700X Series

TÜV SÜD
