The Role
As a Senior Information Security Officer, you are a substantive driving force and strategic sparring partner in the field of information security and privacy within TMC. You take the lead in further developing, implementing, and embedding policies, governance, and compliance, positioning these themes firmly within the organization. You move smoothly between strategy and execution, from advising management and the board to overseeing audits, risk analyses, and improvement projects. The key focus areas you address include IT fundamentals, ISO 27001, NIS2, IT security, governance, and privacy (GDPR). TMC Holding B.V. is ISO/IEC 27001:2022 certified; you ensure that we remain demonstrably compliant, that risks are addressed proactively, and that information security continues to be structurally strengthened.
What You Will Do
- Policy, Governance & ISMS — You are responsible for further developing, updating, and implementing the information security policy and ISMS (including Statement of Applicability), aligning with ISO 27001:2022 and NIS2. You ensure clear governance, establish structured decision-making processes, and translate policy frameworks into actionable standards and processes for the organization.
- Risk Management, Audits & Compliance — You initiate and oversee risk analyses, define appropriate control measures with stakeholders, and monitor follow-up actions. Additionally, you take the lead in preparing and supporting internal and external audits, acting as a strong discussion partner for management, auditors, and other stakeholders.
- Privacy & Regulatory Alignment — You work closely with the Senior Information Security Officer and Privacy Officer/DPO on topics such as DPIAs, processor agreements, data minimization, and data subject rights. You ensure alignment between security, privacy, and applicable laws and regulations.
- Awareness & Change Management — You develop and implement awareness programs, training, and communication approaches that sustain focus on safe and responsible behavior. You engage people effectively, create buy-in, and enhance the organization's security maturity.
- Incident Management & Business Continuity — You coordinate incident response, root cause analysis, and evaluations while contributing to strengthening business continuity and resilience. You maintain oversight of the bigger picture, connect relevant parties, and provide clear reporting and escalation as needed.
- Advisory & Security by Design — You advise on security requirements for projects, applications, and cloud platforms (e.g., Microsoft 365/Azure), ensuring security is integrated early and comprehensively into decision-making, design, and implementation.
- Supplier and Stakeholder Management — You assess suppliers and external parties on security and privacy aspects, establish agreements on control measures, and act as an internal liaison advisor for IT, HR, legal, business, and the board.
- RFP/RFI & Due Diligence — You coordinate complex security questionnaires, client inquiries, and due diligence processes, ensuring high-quality, consistent input in collaboration with business, IT, and privacy colleagues.
Collaboration
You work closely with colleagues from IT, Privacy, HR, business cells, and external partners. Specifically, you coordinate with colleagues such as Martijn to ensure synergy and alignment in tasks related to incident management, continuity, and audits.
Your Profile
- Experience: You have several years of relevant experience in a senior role within information security, risk, compliance, or governance and demonstrable expertise with ISO 27001 (preferably the 2022 version), NIS2, IT security, governance, and privacy (GDPR).
- Seniority: You are capable of independently setting direction, prioritizing, and advising on and challenging decisions at various organizational levels. You combine deep substantive knowledge with pragmatism and organizational sensitivity.
- Language: Excellent command of both English and Dutch is a must.
- Context: Experience in an international or multinational environment is a strong plus, as well as the ability to operate in a dynamic stakeholder field.
- Competencies: You are highly analytical, decisive, communicative, and capable of translating complex issues into clear choices, actions, and improvements.
- Pluses: Certifications such as ISO 27001 Lead Implementer/Lead Auditor, CISM, or CISSP are considered a plus; familiarity with NEN 7510 is also welcome.