FA-26021 SENIOR INFORMATION SECURITY & GRC EXPERT

Permanent contract | Belval

The Luxembourg Institute of Science and Technology (LIST) is a Research and Technology Organization (RTO) active in the fields of materials, environment and IT. By transforming scientific knowledge into technologies, smart data and tools, LIST empowers citizens in their choices, public authorities in their decisions and businesses in their strategies.

Do you want to know more about LIST? Check our website: https://www.list.lu/

The Information Security & GRC Expert supports the implementation, maintenance, and continuous improvement of the organization’s Information Security Management System (ISMS). The role focuses on governance, risk management, compliance, and security policy frameworks while ensuring alignment between business objectives, regulatory requirements, and evolving cyber threats.

You will be mainly in charge of:

• Support the implementation and continuous improvement of the Information Security Management System (ISMS) in alignment with the business strategy, internal and external contexts, legal, regulatory, and contractual requirements, and international standards (e.g., NIS2, GDPR, ISO/IEC 27001).

• Develop, review, and maintain information security policies, standards, procedures, and guidelines.

• Conduct information security risk assessments and support risk treatment planning, ensuring risks are identified, analysed, evaluated, and mitigated appropriately following a risk-based approach.

• Support and operate the security exception management process, including documenting, assessing, approving, and tracking risk-based exceptions to security policies and controls.

• Define, implement, and monitor administrative, organizational, and technical security controls aligned with regulatory and internal requirements.

• Coordinate with internal stakeholders to ensure security requirements are integrated into projects, processes, and IT services, supporting secure-by-design practices.

• Define and track information security KPIs/KRIs, metrics, and dashboards to support risk-informed decision-making and management reporting.

• Contribute to the identification, assessment, and monitoring of internal and external information security risks, maintaining relevant risk registers and documentation.

• Produce and maintain security documentation, including procedures, risk registers, control frameworks, and governance artefacts.

• Support governance processes such as risk committees, security reviews, and compliance monitoring activities.

• Contribute to security awareness initiatives across the organization.

• Provide expert guidance and recommendations on information security governance, risk management, and compliance topics.

• Support and contribute to the security incident management and response process, ensuring lessons learned are integrated into the ISMS improvement cycle.

Education

• Bac+5, graduated in Information security/cyber security

Experience and skills

• At least 5 years of professional experience in Information Security Governance, Risk Management, and Compliance (GRC).

• Strong experience in defining, documenting, and maintaining information security policies, standards, procedures, and security requirements aligned with regulations (e.g., NIS2), legal frameworks (e.g., GDPR, AI Act), and recognized standards (e.g., ISO/IEC 27000 series), with hands-on experience in implementing and operationalizing these frameworks.

• Proven experience in conducting information security risk assessments, risk analysis, and risk treatment planning.

• Experience in the definition, implementation, and monitoring of security controls to ensure compliance with internal policies and regulatory requirements.

• Familiarity with the definition, monitoring, and reporting of security KPIs and KRIs to support governance and risk oversight.

• Strong analytical, documentation, and stakeholder communication skills, with the ability to translate security requirements into practical controls and processes.

• Knowledge of IT security technologies, tools, and infrastructure.

• Understanding of information security audit mechanisms, as well as penetration testing and vulnerability assessment methodologies.

• Knowledge of project management practices, progress tracking tools, and reporting methodologies.

• Relevant certifications such as ISO/IEC 27001 Lead Implementer or Lead Auditor are considered an advantage.

• Ability to collaborate effectively with both technical and non-technical stakeholders across the organization.

Language skills

• Good level both written and spoken English and French

• An organization with a passion for impact and strong RDI partnerships in Luxembourg and Europe that works on responsible and independent research projects

• Sustainable by design, empowering our belief that we play an essential role in paving the way to a green society

• Innovative infrastructures and exceptional labs occupying more than 5,000 square metres, including innovations in all that we do

• An environment encouraging curiosity, innovation and entrepreneurship in all areas

• Personalized learning programme to foster our staff’s soft and technical skills

• Multicultural and international work environment with more than 50 nationalities represented in our workforce

• Diverse and inclusive work environment empowering our people to fulfil their personal and professional ambitions

• Gender-friendly environment with multiple actions to attract, develop and retain women in science

• 32 days’ paid annual leave, 11 public holidays, 13-month salary, statutory health insurance

• Flexible working hours, home working policy and access to lunch vouchers

Your application must include:

• A motivation letter oriented towards the position and detailing your experience

• A CV with contact details

• Contact details of 2 references

Please apply ONLINE formally through the HR system. Applications by email will not be considered.

• We kindly request applicants to provide their nationality for statistical purposes only, as part of our commitment to promoting diversity and ensuring equal opportunities in our workforce. This information will be kept confidential and will not be used for any discriminatory purposes.

• LIST is dedicated to maintaining an inclusive work environment and is an equal opportunity employer. We are committed to attracting, hiring, and retaining a diverse workforce. All applicants will be considered for employment without discrimination based on national origin, race, colour, gender, sexual orientation, gender identity, marital status, religion, age, or disability.

• Applications will be continuously reviewed until the position is filled. An assessment committee will thoroughly evaluate applications, adhering to guidelines designed to ensure equal opportunities. The primary criteria for selection will be the alignment of the applicant's existing skills and expertise with the requirements mentioned above.