Cybersecurity GRC Consultant
The opportunity
This is an on-site contract role at an EU agency headquarters in Warsaw, focused on cybersecurity governance, risk, and compliance. You'll work across GRC strategy, risk management frameworks, privacy impact assessments, and compliance programmes in a regulated public-sector environment.
Contract details: 12-month initial term with up to 3 annual renewals (maximum 48 months total). ~230 man-days per year (normal working hours). On-site delivery: approx. 30% intra-muros / 70% extra-muros. Security screening must be initiated within the first 45 days of assignment; RESTREINT UE/EU RESTRICTED clearance required.
What you'll do
Ensure compliance with and provide guidance on data privacy and data protection standards, laws, and regulations
Identify and document compliance gaps
Conduct privacy impact assessments; develop, maintain, communicate, and train upon privacy policies and procedures
Enforce and advocate the organisation's data privacy and protection programme
Ensure data owners, controllers, processors, and internal/external partners are informed of their data protection rights and obligations
Act as a key contact point for queries and complaints regarding data processing
Assist in designing, implementing, auditing, and compliance testing activities
Monitor audits and data protection training activities
Cooperate and share information with authorities and professional groups
Contribute to the development of the organisation's cybersecurity strategy, policy, and procedures
Develop staff awareness training to foster a culture of data protection
Manage legal aspects of information security and third-party relations
What you bring
Mandatory:
Minimum Level 7 education (master's degree or equivalent in a relevant field)
English language proficiency at C1 (CEFR) or above
At least 9 years of ICT-relevant professional experience
At least 8 years of experience at a similar position
At least 4 certifications from the following list (or internationally recognised equivalents):
CISA (ISACA Certified Information Systems Auditor)
CISM (ISACA Certified Information Security Manager)
CRISC (ISACA Certified in Risk and Information Systems Control)
CISSP (ISC2)
CGRC (ISC2 Certified in Governance, Risk and Compliance)
CSSLP (ISC2 Certified Secure Software Lifecycle Professional)
CCSP (ISC2 Certified Cloud Security Professional)
CISSP-ISSMP (ISC2)
GSNA (GIAC Certified Systems and Network Auditor)
GCCC (GIAC Certified Critical Controls)
GIAC Certified ISO-27000 Specialist
ISO 27001 Lead Implementer or equivalent
ISO 27001 Lead Auditor or equivalent
ISO 27005 Risk Manager or equivalent
Personal Security Clearance at RESTREINT UE/EU RESTRICTED level (security screening initiated within 45 days of assignment)
Specific experience required:
5+ years in cybersecurity GRC with a clear focus on cybersecurity risk management
Proven experience designing or operationalising a cyber risk management framework
Hands-on experience with ServiceNow GRC (IRM / Risk / Policy and Compliance modules)
Demonstrated experience maintaining and managing a cybersecurity risk register
Experience integrating risk management with vulnerability management, incident management, cloud risk, and third-party risk
Experience contributing to cybersecurity maturity improvement programmes
Knowledge and skills:
Cybersecurity laws, regulations, standards, methodologies, and frameworks
Cybersecurity and privacy policies and legal/regulatory compliance requirements
Privacy impact assessment standards and frameworks
Ability to lead development of cybersecurity and privacy policies aligned to business and legal requirements
Communication of data protection topics to diverse stakeholders
Assessment: Written test (up to 70 points, 70% pass threshold) + interview (up to 100 points, 70% pass threshold). Final evaluation: Technical quality 65% / Price 35%.
Location
Frontex Headquarters, Warsaw, Poland. On-site delivery (approx. 30% intra-muros / 70% extra-muros). No travel foreseen.