MEDIAN Unternehmensgruppe B.V. & Co. KG | Germany | 10xxx, 14xxx, 13xxx, 12xxx Berlin | Permanent position | Full time / Home office | Published since: 14.08.2025 on stepstone.de
IT Risk & Compliance Manager / Information Security Officer (m/w/d)
MEDIAN is part of the MEDIAN Group, one of the leading European providers of medical rehabilitation and mental health. With more than 120 facilities throughout Germany, MEDIAN offers a dynamic and innovative environment for employees in a wide range of treatment areas with diverse entry and development opportunities. As a specialist for rehabilitation and participation, we accompany our patients on the way to recovery and return to society – according to our guiding principle “Life Life”.
We are looking for you as IT Risk & Compliance Manager / Information Security Officer (m/w/d).
Your tasks

Ensuring and further developing an ISO 27001-certified ISMS
- Responsibility for the operation, continuous optimisation and successful re-certification of an existing Information Security Management System according to ISO/IEC 27001 for a MEDIAN company.

Building a Group-wide ISMS
- Support in building and implementing an ISMS for Group IT in the context of the digital transformation.
- Identification of opportunities and risks in a changing environment and monitoring of the change process with structured risk management.

Ensuring regulatory and internal compliance
- Ensuring compliance with relevant legal requirements, industry-specific standards and internal guidelines with regard to IT risks, data protection and information security.
- Management of the complete ISMS documentation cycle (directives, processes, versioning).

IT risk management & governance
- Creation, maintenance and implementation of security directives, guidelines and concepts, including derivation and monitoring of technical and organisational measures.
- Establishment, maintenance and monitoring of an IT-specific risk register and a central control library.
- Planning and implementation of risk analyses, including documentation and communication of results to relevant stakeholders.
- Support for risk and compliance assessments as part of system acquisitions, software releases and projects.
- Categorisation of application-related risks, monitoring of critical thresholds and communication to application managers.

Audit management & certification preparation
- Organisation and coordination of internal and external audits (e.g. ISO 27001).
- Follow-up and management of outstanding recommendations from external audits.
- Ensuring complete documentation and provision of the necessary evidence.

Monitoring, incident & business continuity management
- Monitoring of security-relevant events and incidents; coordination of security incidents.
- Implementation of structured post-incident analysis and initiation of countermeasures.
- Support in IT service continuity management and maintenance of appropriate restart and emergency plans; establishing suitable response and restart plans.

Metrics & reporting
- Support in the development, maintenance and monitoring of relevant KPIs for steering IT security.

Suppliers & third-party risks / third-party risk management
- Monitoring and evaluation of security-relevant requirements for external service providers as part of third-party risk management (TPRM).
- Performing due diligence checks, performance monitoring and management of external access.
- Examination and documentation of privileged accesses and their authorisation.
- Regular reporting on risk management in the context of third-party providers and service providers.

Support for IT procurement & software releases
- Managing an "Approved Software List" and monitoring the software release processes.
- Support in the evaluation of IT risks in the context of tendering procedures and technical due diligence processes.

Competence management & awareness
- Participation in the planning and implementation of training and awareness measures to promote security awareness within the organisation.
Your profile

Qualifications & training
- A completed degree in (business) computer science or a comparable qualification.
- Ideally certified as ISO/IEC 27001 Lead Implementer or ISO/IEC 27001 Lead Auditor, or a comparable qualification.
- Holder of a recognised professional qualification in the field of risk management, compliance or audit and/or a completed university degree, ideally in risk management, business management or a related field.

Expertise & skills
- At least 5 years of professional experience in IT with a focus on IT security.
- Knowledge in the areas of information security, regulatory compliance and data governance best practices in a business environment.
- Comprehensive knowledge and experience in the context of IT security and related standards, norms and laws (e.g. ISO 2700x, NIS2, EU AI Act, BSI IT-Grundschutz and IT-Sicherheitsgesetz).
- Practical experience in risk management within regulated industries, with sound knowledge of risk frameworks, assessment methods and risk mitigation measures.
- Clear understanding of the shift from pure "checkbox compliance" to an integrated, risk-based governance approach and of what is needed to implement this transition operationally.
- Demonstrable passion for risk management, with the aim of firmly anchoring risk awareness in the organisation's daily operations and decision-making processes.
- Resilient, with integrity and attention to detail, with a high level of accuracy and compliance excellence.
- Confident in handling multiple tasks simultaneously in a dynamic and fast-paced working environment.
- Excellent administrative and organisational skills, confident use of MS Excel, PowerPoint and Word, as well as experience with project and governance tools.
- Experience in creating reports and presentations for top management.
- Technically versed and able to deal with IT and cybersecurity concepts; no deep technical expertise is required, but the willingness and ability to understand technologies and their risk relevance for the company.
- Strong interest in cybersecurity, IT support (ITIL) and governance practices.
- Self-motivated and proactive, with the ability to work independently as well as to communicate effectively across departments, including regular collaboration with executives, directors and business partners.
- Confident use of MS applications (Word, Excel, PowerPoint) and willingness to familiarise yourself with new ITSM and project management tools.

Experience
- Experience working within a project management structure, including working according to targets and results, as well as regular reporting on progress and team status.
- Proven experience in delivering high-quality, value-oriented results in the areas of risk, compliance or governance.
- Proven experience in IT risk and compliance functions, with a demonstrated ability to work effectively with IT departments and cross-functional technical teams.
- Deep understanding of ISO standards and regulatory compliance frameworks, including ISO 27001, NIS2 and GDPR.
- Practical experience in the implementation and ongoing support of an ISO 27001-compliant information security management system (ISMS).
- Knowledge of risk assessment methods, scoring systems and risk reporting processes.
- Experience in defining, tracking and reporting GRC key figures (governance, risk and compliance KPIs), including data collection and analysis to support reporting requirements.
- Sound basic understanding of technical IT concepts and IT architectures; even though the role is administratively oriented, a fundamental understanding of the IT domains is essential.
- Experience in carrying out IT risk analyses and gap analyses, including the ability to identify and evaluate compliance gaps against frameworks such as ISO 27001 and relevant legal requirements.
- Confident planning and implementation of audit plans and internal audits according to the requirements of ISO 27001/27002.
- Demonstrated ability to document and communicate IT concepts, procedures and administrative processes clearly and precisely.

Communication
- Excellent communication skills, with the ability to flexibly adapt communication style to the audience and the message.
- Experience in building and maintaining relationships at a distance.
- Communication on a variety of (often confidential) topics.
- Regular handling of challenging and demanding situations as well as a variety of internal and external stakeholders, which requires a high degree of communication and social competence.
- Communication at all levels: interaction with employees of different hierarchical levels to collect and disseminate information via email and digital communication platforms.
- Confident command of German and English, spoken and written.

Working environment
- Presence in the IT office is scheduled for at least two days a week, depending on operational requirements.
- The complexity and change within the IT department can sometimes go beyond the level of a standardised role and pose a challenge for some people. It is therefore important that the person continuously develops their knowledge of the operating environment in order to better understand the wider context.
What we offer
- A permanent employment relationship with competitive remuneration.
- An exciting and responsible position in a dynamically growing company with plenty of room to shape things.
- A friendly and professional team.
- Flat hierarchies, short decision paths and an open corporate culture.
- Mobile and flexible work from home or from the headquarters in Berlin, including trust-based working hours, a notebook and a mobile phone for an optimal balance of family and career.
- Individual training and further development opportunities within the department, as well as specialisation in selected topics; we offer you external training opportunities and support you in continuing vocational training.
- Occupational pension with employer subsidy, corporate benefits and regular fresh fruit in the office.
- A modern, barrier-free and ergonomically equipped workplace in the centrally located office in Berlin-Charlottenburg with very good underground and bus connections, lockable bicycle parking spaces and free parking spaces in the area.
- Company celebrations and team events.
Company location
MEDIAN Unternehmensgruppe B.V. & Co. KG
Dorfstraße 5, 23992 Berlin
Germany
The text of this ad was translated from German into English using an automatic translation system and may contain semantic and lexical errors. Therefore, it should be used for introductory purposes only. For more detailed information, see the original text of the ad at the link below.