Senior IT Auditor & Cybersecurity GRC Specialist (ISO 27001, NIS2, DORA, Cloud Security)

8/2019 – 12/2025

As Head of IT Audit within the bank’s Internal Audit Directorate, I led complex assurance engagements covering information security, IT governance, operational resilience, and regulatory compliance. My role focused on providing independent oversight over IT risk management and evaluating the effectiveness of technical and organisational controls across critical banking environments.

Key responsibilities & focus areas:

— Planned, coordinated, and executed annual IT audit programmes in alignment with international standards (IIA IPPF), ISO/IEC 27001, and national regulatory expectations (BNR, GDPR, and NIS2 emerging requirements).
— Led multi-disciplinary audits covering core banking platforms, digital channels, cloud adoption, IT operations, network security, infrastructure hardening, data protection, and identity & access management.
— Performed independent assessments on the bank’s preparedness for NIS2 and DORA, focusing on governance structures, incident reporting, service resilience, ICT risk management, and oversight of critical third-party dependencies.
— Oversaw deep-dive technical reviews, including vulnerability management effectiveness, patch governance, change & release processes, logging & monitoring maturity, and backup/restore capabilities.
— Evaluated Business Continuity & Disaster Recovery controls (BCM/DRP), including RTO/RPO definition, crisis-management procedures, and alignment with ISO 22301.
— Conducted third-party and supply chain audits, ensuring contractual and operational security controls were implemented and regularly tested.
— Produced high-impact audit reports for the Management Board & Audit Committee, highlighting systemic risks, control gaps, remediation priorities, and risk-based recommendations.
— Provided continuous advisory support to senior leadership during digital transformation and IT modernisation initiatives, ensuring risk transparency and adequate governance.

Result: Strengthened the bank’s overall IT governance and risk visibility, improved remediation effectiveness, and ensured readiness for evolving regulatory frameworks such as NIS2 and DORA.

Cyber Security, Informationssicherheit, IT-Auditor, Incident-Management, It-Governance, ISO / IEC 27001, ISO/IEC 27002, Compliance management, Risikomanagement

11/2015 – 7/2016

Vulnerability Management and Patch Governance

As Vulnerability Management SME, I led the design and rollout of a unified, enterprise-wide vulnerability and patch governance framework across multiple UK and international business units. The engagement included assessing existing vulnerability workflows, consolidating detection tools, defining CVSS-based prioritisation rules, and establishing SLA-driven remediation cycles for critical, high and medium findings. I coordinated with infrastructure, application and cloud teams to standardise patch cadences, implemented an executive dashboard for risk visibility, introduced exception-handling and escalation processes, and delivered monthly cyber-risk briefings to senior leadership. The initiative reduced critical vulnerabilities by 45% in the first quarter and established a repeatable governance model later adopted across additional regions.

Cyber Security, Informationssicherheit, IT-Auditor, It-Governance, ISO / IEC 27001, ISO/IEC 27002, Compliance management, Risikomanagement

1/2014 – 2/2015

As Information Assurance Lead supporting the CISO, I designed and implemented a unified, enterprise-wide Risk Management Framework covering both IT and OT/ICS environments. The engagement focused on aligning the organization’s governance model with ISO/IEC 27001 Annex A controls, ISO/IEC 27005 risk methodology, the UAE Information Assurance Standard, and NIST SP 800-37 (RMF). I conducted a full control assessment across corporate IT, cloud systems, and industrial networks, introduced maturity scoring, and developed the Statement of Applicability alignment guidance.

I created a complete ISO 27005-based risk analysis methodology (asset identification, threat/vulnerability mapping, impact evaluation, likelihood modelling) and integrated risk appetite, tolerance thresholds, and escalation rules. I mapped UAE IA and ISO controls to the NIST RMF lifecycle and designed standardized control-testing procedures.

A centralised GRC risk register was built with automated treatment workflows, evidence traceability, dashboards (heatmaps, overdue actions, control failures), and lifecycle monitoring. The project resulted in a unified and audit-ready risk framework, reduced audit effort by approx. 40%, improved visibility for senior management, and significantly strengthened governance over OT/ICS environments.

Compliance management, Cyber Security, Incident-Management, Informationssicherheit, ISO / IEC 27001, ISO/IEC 27002, IT-Auditor, It-Governance, Risikomanagement