Information Security Governance Expert

Roche
Madrid, Spain
Security, English

Description:

At Roche you can show up as yourself, embraced for the unique qualities you bring. Our culture encourages personal expression, open dialogue, and genuine connections, where you are valued, accepted and respected for who you are, allowing you to thrive both personally and professionally. This is how we aim to prevent, stop and cure diseases and ensure everyone has access to healthcare today and for generations to come. Join Roche, where every voice matters.

The Position

As an Information Security Governance Expert, you drive the integrity and resilience of Roche's Information Security Management System (ISMS). You are responsible for ensuring the organization maintains its yearly security certifications and remains compliant with evolving global regulations such as the US DOJ requirements, NIS2, RCE/CER and GMP Annex 11. You combine deep information security experience with sound regulatory knowledge and project management skills to lead external audits & inspections and strategic security initiatives across the group. Your goal is to ensure that the security framework is not only compliant but also scalable and effective in protecting Roche's critical assets in a highly regulated environment. You have a proven track record of turning information security governance into a business enabler.

The Information Security & Privacy Governance team provides the framework for Roche to identify, assess, and mitigate information risks. The area is organized around three pillars:
* Governance & ISMS: Maintaining Roche Global ISMS framework and certification (ISO/IEC 27001).
* Regulatory Compliance: Ensuring adherence of Roche global ISMS to US DOJ/NIS2, RCE/CER, GMP Annex 11 and global healthcare/medical device regulations.
* Audit & Assurance: Supporting Roche affiliates during external inspections, demonstrating their commitment to compliance.

Job Responsibilities

ISMS Strategy & Framework Management

* Global ISMS Ownership: Own and maintain the Roche ISMS framework, ensuring full alignment with ISO/IEC 27001:2022 and integration with other quality management systems.
* Continual Improvement: Drive the ISMS "Plan-Do-Check-Act" (PDCA) cycle to ensure the framework evolves with the threat landscape and business needs, maintaining successful yearly certification continuity.
* Policy Governance: Define and maintain enterprise-level security policies, standards, directives and procedures, ensuring they are fit-for-purpose, actionable and measurable.
* Risk Monitoring: Monitor the global risk landscape to identify adaptations required to the governance framework.

Regulatory & Compliance Orchestration

* Regulatory Translation: Integrate complex global requirements (NIS2, HIPAA, US DOJ) into Roche Global ISMS.
* Product & Services: Collaborate with product teams to ensure "Security by Design" integration into their culture, skillset, processes and projects.
* Control Mapping: Maintain a unified control framework that maps internal Roche controls to multiple external regulatory requirements to validate coverage of the Roche Global ISMS.
* Consulting: Act as a consultant to Roche affiliates, guiding them toward compliance with regional or functional security directives.

Audit & Inspection Support

* External Audit & Inspection Support: Support legal entities of the Roche Group & functions during external audits and regulatory inspections.
* Risk Treatment Oversight: Coordinate remediation plans for audit and inspection findings and track progress to closure.
* Third-Party Governance: Oversee the security governance framework for critical supply chain partners and Cloud Service Providers.

Stakeholder & Change Management

* Strategic Advisory: Serve as a bridge between senior leadership, legal, privacy and quality to communicate information security risks and maturity milestones.
* Culture & Awareness: Support the Information Security networks by providing high-level governance guidance and strategic direction.

Qualifications

Experience

* Experience: 7+ years in Information Security Governance, ISMS management, or IT Audit leadership within a global, regulated industry (Pharma or MedTech preferred).
* Audit Expertise: Proven track record of leading successful ISO 27001 certification cycles and managing regulatory inspections.
* Regulatory Knowledge: Deep understanding of NIS2, GxP (Annex 11), and GDPR.

Education

* Bachelor's or advanced degree in Information Technology, Cybersecurity, or a related field.
* Deep knowledge of Information Security frameworks (ISO 27001, NIST) and European regulations (NIS2, RCE/CER).
* Professional certification such as ISO 27001 Lead Auditor/Implementer (required), CISM, CISA, or CRISC (highly preferred).
* Understanding of system validation and GxP requirements in a regulated IT environment.

Technical & Business Skills

* Security Framework Mastery: Expert-level understanding of ISO/IEC 27001:2022, together with NIST CSF & SPs and CIS, specifically the ability to design and maintain a Statement of Applicability (SoA), a Risk Assessment and Treatment Plan (RATP) and an Improvement Plan (IP) across a global enterprise.
* Regulatory Architecture: Advanced ability to map international regulations, such as NIS2, RCE/CER and HIPAA, directly into actionable internal controls.
* Governance Platform Expertise: Proficiency in leveraging ServiceNow IRM/GRC modules to provide enterprise-wide visibility into risk and compliance posture.
* Training: Practical experience with LMS (Cornerstone) and QMS (Veeva) tools is highly appreciated. Capacity to create training materials about security and governance, to help efficiently propagate knowledge to end-users.
* Security tools: Practical experience with tools supporting a Zero Trust implementation is valued.
* Systems Thinking: A deep understanding of how specific operational delays or control failures impact the downstream security posture of a global organization.
* Operational Orchestration: A "Chef d'Orchestre" mindset: meticulous about timing and cross-functional follow-ups to ensure all global parties meet certification deadlines.
* AI & Emerging Tech Governance: Intellectual curiosity and practical knowledge of governing GenAI/LLMs within a secure framework, ensuring innovation doesn't compromise data integrity.
* GxP & Validation Fluency: Foundational knowledge of system validation and GxP requirements (e.g., GMP Annex 11) to ensure IT security controls meet rigid healthcare manufacturing standards.
* Self-Development: Capacity to learn on the job and to self-educate is essential in a context where new concepts must be understood, quickly assessed and adequately integrated.

Leadership Skills

* Strong ability to build trust and explain complex concepts & process requirements to a diverse global audience.
* Ability to navigate complexity, manage ambiguity, and drive clarity in delivery.
* Ability to drive delivery outcomes across cross-functional teams without direct authority.
* Intellectual curiosity and a passion for applying GenAI/LLMs to improve productivity and automate manual tasks.

#RDT2026

Who we are

A healthier future drives us to innovate. Together, more than 100'000 employees across the globe are dedicated to advancing science, ensuring everyone has access to healthcare today and for generations to come. Our efforts result in more than 26 million people treated with our medicines and over 30 billion tests conducted using our Diagnostics products. We empower each other to explore new possibilities, foster creativity, and keep our ambitions high, so we can deliver life-changing healthcare solutions that make a global impact.

Let's build a healthier future, together.

Roche is an Equal Opportunity Employer

Source: Company website
Date: 25 Jun 2026
Job offers: Job
Sector: Health
Language skills: English