Consultant Expert in Auditing of IS Governance, Risk Management and Compliance, OIO

The Organizational Setting

The International Civil Aviation Organization (ICAO[1]) is funded and directed by 193 national governments to support their diplomacy and cooperation in air transport as signatory states to the Chicago Convention. ICAO’s mission is to serve as the global forum of States for international civil aviation. In that regard, ICAO develops policies and standards, undertakes compliance audits, performs studies and analyses, provides assistance and builds aviation capacity through many other activities and the cooperation of its Member States and stakeholders.

The mandate of the Office of Internal Oversight (OIO) is to assist the Secretary General and the ICAO Governing Body in ensuring that ICAO is managed effectively, efficiently and economically and in conformity with the applicable regulations and rules, and to provide independent and objective assurance, advice, insight and foresight through performing internal audits, evaluations, and other oversight assignments as appropriate. The Office provides an annual report of its internal audits and evaluations to the ICAO Council.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Major duties and Responsibilities

The consultant will work under the overall guidance of the Chief, Office of Internal Oversight and report to the Internal Audit Specialist. The consultant will contribute to an audit of Information Systems Governance, Risk Management and Compliance (GRC) at ICAO. 

The objectives of this audit are to:

• Evaluate the adequacy and effectiveness of the organization’s Information Systems governance framework; and assess the extent of alignment between elements of information security governance and the ICT strategy. 
• Assess whether the organization’s ICT risk management processes effectively identify, analyze, and mitigate risks.
• Determine whether internal controls support the confidentiality, integrity, and availability of ICT systems and data; and assess compliance with regulatory requirements and adherence to best practices in information and cyber security.

The consultant will carry out the work in adherence with the Global Internal Auditing Standards (of the Institute of Internal Auditors).  

Function 1 (incl. Expected results)

The consultant will carry out the following specific tasks as part of the audit of information security.

• Network Security Assessment: Conducting audit to assess the security of the organization's network infrastructure, including firewalls, intrusion detection/prevention systems (IDS/IPS), and wireless security protocols. 
• Network Segmentation and Traffic Monitoring: Assess the effectiveness of network segmentation strategies in limiting the impact of security breaches and assessing the adequacy of traffic monitoring controls for detecting and responding to suspicious activity. 
• Remote Access Security: Assessing the security of remote access mechanisms, including VPNs, multi-factor authentication, and access controls, to ensure secure connectivity for remote users. 
• Patching and Vulnerability Management: Assessing the effectiveness of the organization's processes for identifying, prioritizing, testing, and deploying security patches and managing vulnerabilities in a timely manner. 
• Incident Response and Business Continuity: Assessing the adequacy and effectiveness of the organization's incident response plan for handling security breaches and incidents, including detection, containment, eradication, recovery, and lessons learned. 
• Integration with Business Continuity and Disaster Recovery: Assessing the integration of information security considerations into the organization's overall business continuity and disaster recovery plans to ensure the resilience of critical operations in the event of a disruption.
• Other tests as per the finalized audit work programme.

Function 2 (incl. Expected results)

Conduct the fieldwork including, collection and analysis of documents and data, and conduct of interview.

The consultant will collect and review all the relevant supporting documentation and sources of information relevant to the Information Security framework and any other materials that the consultant considers useful for supporting the audit fieldwork. Furthermore, the consultant, with the support of the Internal Audit Specialist, will:

• Collect data from the existing ICAO information systems
• Collect information and data through face to face or virtual interviews and other data collection methods from ICAO 
• Prepare working papers such as interview notes, data analysis, policy reviews and benchmarks to identification of gaps and control deficiencies or best practices supporting the audit findings and conclusions
• Keep effective and clear communication with the audit focal point, timely communicate on significant audit findings
• Develop audit findings 

Result of Service

• Documented Results of the assessment of governance, risks and controls including (i) network security assessment, (ii) network segmentation and traffic monitoring, (iii) remote access security, patching and vulnerability analysis, (iv) incident response and business continuity, (v) incident response plan testing and maintenance and (vi) integration of information security considerations in the business continuity plan. The results of the assessment should be backed by sufficient, reliable and relevant audit evidence.
• Detailed documentation of all the working papers, interview notes, audit analyses.

QUALIFICATIONS AND EXPERIENCE Education

An advanced level university degree (Masters’ degree or equivalent) in Information Security, ICT, risk management, or related areas supplemented with one or more professional certification such as CISSP, CISM, CISA, CEH or equivalent. A first-level university degree in combination with additional years of qualifying experience may be accepted in lieu of the advanced university degree. 

Professional experience and knowledge

Essential:

• A minimum of 10 years of professional experience in auditing or managing IS / InfoSec Governance, information security, risk management and information Security controls like vulnerability assessments, network controls, IAM, etc..
• Experience in auditing information security management
• Strong knowledge of frameworks like ISO/IEC ISMS 27001, NIST 2.0, and COBIT
• Practical experience in network security, intrusion detection, network segmentation, vulnerability management, incident response and business continuity. 
• Experience in report writing
• Excellent communication and interview skills.
• Excellent report writing skills; and

Desirable:

• Lead Auditor certification in ISO/IEC 27001 or an equivalent certification
• Experience in working at a management level or in an advisory capacity in areas related to information security and risk management

Languages

Essential:

•     Fluent reading, writing and speaking abilities in English.

Desirable:

•     A working knowledge of any other language of the Organization (Arabic, Chinese, French, Russian, or Spanish).

Conditions of Employment

The consultant will be held to the highest ethical standards and are required to sign a Code of Conduct and an individual declaration of independence (or statement of confidentiality) upon acceptance of the assignment. This audit shall be conducted in accordance with Global Internal Auditing Standards.

The selected consultant is expected to be employed within the period of 1 July to 31 July 2025 for 20 working days. 

 How to apply

Interested candidates must complete an on-line application form. To apply, please visit ICAO's e-Recruitment website at: ICAO Career Website.

Notice to Candidates

ICAO does NOT charge any fees or request money from candidates at any stage of the selection process, nor does it concern itself with bank account details of applicants. Requests of this nature allegedly made on behalf of ICAO are fraudulent and should be disregarded.