E&IT Compliance Sr. Director
Los Angeles, CA, US
Job Summary:
The E&IT Compliance Sr. Director will serve as a lead on all audit and compliance for Engineering and IT. This role will define and implement IT policies and procedures to ensure that Engineering and Information Technology (E&IT) adheres to its standards and other relevant controls. This role will drive compliance within E&IT that supports enterprise risk management at the overall organization level and aligns with information security risk management. The ideal candidate has in-depth knowledge of the ISO/IEC 27000 family of standards, and strong experience in information security risk management frameworks such as the NIST CSF, compliance, and audit processes within a technology-driven environment. This role will serve as a critical bridge between technical teams, business stakeholders, and executive leadership to drive a culture of security, compliance, and continuous improvement.
Key Responsibilities & Duties:
- Implement the ISO/IEC 27000 family of standards within the organization, and ensure the organization’s Information Security Management System (ISMS) is in compliance with the standards.
- Develop and lead the organization’s initial ISO/IEC 27000 certification and recertification efforts as our internal auditor and manage remediation plans to address compliance gaps.
- Serve as the internal subject matter expert (SME) on ISO/IEC 27000 family and interface with internal and external auditors, certification bodies, and regulatory agencies.
- Assess information security risks in alignment with the InfoSec team and business objectives.
- Create and maintain a library of E&IT policies, guidelines, processes, and controls to align with the ISO/IEC 27000 standards and the NIST CSF framework.
- Own the document governance and lifecycle of E&IT policies, guidelines, processes, and controls, ensuring they are audited and reviewed.
- Collaborate with Planning, Risk Management, Legal, Engineering, Operations, and Business functions to integrate ISO-aligned standards and controls into business operations.
- Regularly interact with senior business leaders to establish strategic plans and objectives.
- Ensure all E&IT systems comply with security, regulatory, and governance standards, minimizing risks to business operations.
- Monitor changes in the ISO 27000 family of standards and other relevant regulatory frameworks (e.g., NIST, SOC 2, GDPR) to adapt organizational policies accordingly.
- Present reports and strategic insights to executive leadership, including risk assessments, audit outcomes, and compliance posture.
- Build and lead a high-performing compliance and risk management function within E&IT and in collaboration with ICANN business functions.
- Facilitate the development of a significant knowledge base in others; may define the roles of staff members.
- Other duties as assigned or requested within the scope of compliance, risk management, and audit.
Required Knowledge, Skills, and Abilities (KSAs):
(Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions)
- Deep understanding of the ISO/IEC 27000 family of standards, including principles, controls, structure, and best practices and experience in building a high-performing compliance and risk management program within a technical function.
- Knowledge of how information security risk management frameworks, specifically NIST CSF, can crosswalk to ISO/IEC 27000 family of standards.
- Knowledge of how to perform risk assessments to identify vulnerabilities, threats, and impacts, and how to create risk treatment plans.
- Knowledge of how to design and implement risk mitigation strategies, control measures, and residual risk evaluation.
- Understanding of Compliance and Legal requirements around data privacy and contractual obligations.
- Expertise in preparing for both internal and external audits, ensuring that controls and systems are compliant with ISO/IEC 27000.
- Ability to develop, implement, and maintain information security policies, procedures, and guidelines.
- Understanding of how information security fits into the larger governance framework of an organization.
- Knowledge of incident response processes, Business Continuity Planning (BCP), and disaster recovery plans that are in line with ISO/IEC 27000 standards.
- Ability to work cross-functionally and influence stakeholders at all levels.
- Strong interpersonal communication skills and the ability to maintain effective working relationships.
- Ability to effectively facilitate meetings.
Education and Experience Requirements:
- Bachelor’s or Master’s degree in Computer Science, IT, Engineering, or significant work experience in a related field.
- Minimum twelve (12) years of experience in information security, compliance, or IT governance roles.
- ISO/IEC 27000 Lead Auditor, CISSP, CISM, or similar certifications preferred.
Language:
- Fluency, both written and spoken, in English is required.
- ICANN is a global organization that values diversity; preference will be given to candidates with demonstrated skills in additional languages besides English.
Working Conditions & Physical Requirements:
- Work is performed in a normal office environment with limited privacy and some exposure to background noise.
- While performing the duties of this job, the employee is frequently required to stand and walk. The employee regularly is required to sit. The employee is frequently required to talk or hear; use hands and arms to reach, handle or feel. Specific vision abilities required by this job include close vision, color vision, and ability to adjust focus.
- The employee may occasionally lift and/or move up to 25 pounds.