Managing the Information Security program according to ISO 27001:2022, BAIT, BSI 200-1/4.
Creating and updating IT policies and procedures.
Communicating with C-level and the executive board (weekly, monthly, quarterly reports on incidents, risks, ongoing and planned measures, status of past and planned external and internal audits, strategic and personnel planning).
Coordinating external and internal audits (JAP, BAIT, BaFin).
Training employees on handling security incidents, following internal policies, emergency behavior.
Business continuity management (reviewing and updating BIA, emergency plans, recovery concepts, testing results).
Managing communication between departments (mediator).
Overseeing external IT and cloud service providers.
Vendor assessment and monitoring (reviewing SOC 1/2, ISAE 3402 Type 1/2, C5 reports, on-site audits).
Jan 2023 - Dec 2024
2 years
Identity & Access Management
T60 Consulting GmbH
Leading a team of four identity and access management specialists, overseeing workflows and ensuring project goals are met on time.
Coordinating and delegating tasks, tracking progress, ensuring compliance with legal requirements.
Policy management (developing and implementing policies, procedures, and standards for identity and access management, e.g., authorization concepts, SoD policy, onboarding/offboarding, IT resources, emergency access).
Training and supporting staff on credentials management and secure use of IT systems.
Providing support for issues.
Coordinating with IT, information security officers, data protection officers, legal and HR to ensure appropriate access rights.
Assisting with internal and external reviews.
Jan 2023 - Dec 2023
1 year
Information Security Officer
Testvolt AG
Preparing for ISO 27001:2022 certification.
Preparing for ISO 22301:2019 certification.
Developing and reviewing ISMS documentation (security concepts, policies, and procedures).
Conducting training on information security, data protection, and ISO standards.
Evaluating service providers’ security practices.
Building an Information Security Management team of three.
Planning, coordinating, and managing IT audits (year-end, insurance, partners).
Collaborating closely with IT, legal, HR, and product development teams.
Jan 2021 - Dec 2023
3 years
IT-Security Officer
Bitwala GmbH
Implementing a GRC tool (selecting the solution, training staff, centralizing and optimizing risk management, significantly improving customer and partner services).
Collaborating closely with IT, legal, compliance, HR, and product development teams.
Developing IT policies according to ISO 27001:2022, BAIT, MaRisk, GDPR, NIST.
Managing the Information Security program, remediating key vulnerabilities through process standardization, automation, and project management in IT infrastructure, cloud, development, encryption, backup, cyber security, access control, and data protection.
Conducting security assessments of business partners (reviewing ISO 2700x, SOC 1/2, ISAE 3402 Type 1/2, C5 reports, on-site audits).
Risk management (centralized via the GRC tool).
Incident management (centralized via the GRC tool).
Business continuity management (enhancing emergency scenarios, monitoring tests).
Conducting internal audits per ISO 27001 and BAIT (planning, preparation, training, coordination, execution).
Managing external audits.
Running a Security Champions program to motivate and develop staff in information security and data protection.
Acting as CISO for Nuri Bank GmbH as part of succession planning.
Jan 2018 - Dec 2021
4 years
Information Security Officer
LucaNet AG
Leading and developing an agile team of five in information security management, overseeing workflows and ensuring timely project delivery.
Coordinating and delegating tasks, monitoring progress.
Serving as central coordinator and liaison for security requirements.
Working closely with managing directors, IT, legal, HR, and product development teams.
Directing the group-wide IT security strategy.
Preparing and managing ISO 27001 and ISAE 3000/SOC Type 1/2 certifications for financial SaaS services.
Delivering information security and data protection training.
Managing risks and conducting internal and external audits.
Coordinating and supporting suppliers and partners.
Establishing and enhancing emergency management (BCMS) per ISO 22301.
Leading and steering projects.
Jan 2018 - Dec 2018
1 year
Cyber Security Manager
Capgemini Outsourcing Services GmbH
Designing and evolving security concepts per ISO/IEC 27001 based on IT-Grundschutz for the public sector and BAIT for the financial sector.
Advising on GDPR compliance in app development.
Auditing data centers.
Implementing GDPR and ISMS documentation for the finance industry.
Managing bid processes.
Supporting presales activities.
Leading and managing projects.
Advancing and improving ISMS in line with ISO 27001 and BSI 100-1/4.
Jan 2015 - Dec 2017
3 years
Consultant IT Compliance
Controlware GmbH
Conducting risk analyses according to ISO 27005 and ISO 31000 for the finance industry.
Performing ISO/IEC 27001 audits for energy providers.
Conducting IT compliance audits per BAIT for the finance industry.
Leading data protection audits for the telecom industry.
Advising on ISO/IEC 27001 implementation for energy providers.
Guiding IT-Grundschutz adoption per BSI and ISO 27001 for the public sector.
Preparing ISO/IEC 27001 certification for data centers.
Offering strategic and conceptual advice on information security management for SaaS.
Delivering training on information security, data protection, and ISO standards for the public sector.
Developing security concepts per BSI, BaFin, BNetzA, and international standards for the finance industry.
Leading IT compliance projects and managing delivery.
Jan 2012 - Dec 2015
4 years
IT Quality & Security Manager
Telehouse GmbH
Conducting certifications for data centers (ISO 27001, ISO 22301, ISO 9001, SOC 1/2, PCI DSS).
Mediating with internal and external stakeholders of various backgrounds.
Centralizing and communicating security requirements to HR, IT, development, support, and sales teams.
Coordinating suppliers and partners.
Leading teams in data protection, information security, and SOC.
Managing risks and audits (internal and external).
Overseeing emergency management.
Leading and steering projects.
Jan 2010 - Dec 2012
3 years
Deputy Data Protection Officer
Altran AG
Strategically coordinating data protection tasks with internal and external IT, HR, legal, sales teams, and managing directors.
Building an ISMS per ISO 27001.
Acting on behalf of the data protection officer.
Introducing and implementing the data protection framework.
Conducting awareness activities on data protection and information security.
Preparing data protection reports.
Writing internal information security policies.
Revising and updating terms and conditions and corporate rules.
Conducting vendor audits.
Languages
German
Native
Russian
Native
English
Advanced
French
Elementary
Ukrainian
Elementary
Education
LL.B · Information Law Specialist
Certifications & licenses
Data Protection Officer
ITIL Implementer
Lead Auditor ISO 22301 (Business Continuity Manager)
Lead Auditor ISO 27001 (Information Security Manager)