Senior Cyber Security GRC (Governance, Risk and Compliance) Specialists

Stockholm, Sweden

H&M Group

We are a family of brands, driven by our desire to make great design available to everyone in a sustainable way.


Job Description

The Cyber Security GRC (Governance, Risk and Compliance) unit plays a crucial role in embedding defined standards and regulatory frameworks for information and IT security across H&M Group, as well as in ensuring risk supervision and business continuity. This includes, for example, responsibility for auditing compliance and for overseeing the identification, assessment and mitigation of technology and cyber security risks.

We work determinedly within the following areas:  

Governance: Ability to build a structured way of working with cyber security by aligning processes and functions in order to achieve organizational objectives and improve the security culture.  

Risk: Ability to identify, address, assess, mitigate and follow-up on cyber security and technology risks.  

Compliance: Ability to meet global and local existing and new laws, standards and other regulatory requirements within cyber security.  

Resilience: Ability to continue delivering intended outcomes despite experiencing challenging cyber events.   

We collaborate closely with other departments within the organization and constantly commit to enhancing our services and processes.     

Our goal is to have a unified, systematic and risk-based way of working that helps H&M Group reach robust and resilient cyber security that complies with all applicable regulations. The benefits include, for example, reduced costs, less duplicated work, greater visibility into risks, increased data accuracy and consistency, and better alignment across stakeholders.

For the GRC unit, we are looking for four new senior team members with the following focus areas. In this role, you will report directly to the Unit Manager for Cyber Security GRC. 

Risk Officer:  
Strategically responsible for keeping H&M Group’s Cyber Security Risk Management Framework up to date on a global market, as well as driving the continuous risk work on an enterprise and operational level within BT Cyber Security.   

Compliance Officer:  
Strategically responsible for keeping H&M Group’s Cyber Security Common Control Framework (CCF) and its related exception and exemption management processes up to date for all applicable markets, as well as strategically designing the annual Audit Plan and Program for H&M Group and our vendors.  

Resilience Officer:  
Strategically responsible for keeping H&M Group’s Cyber Security Resilience Work up to date for all applicable parts of the organization, including a systematic risk-based approach with Business Continuity, Disaster Recovery and Crisis & Incident Management.   

GRC Officer:  
Working within all GRC areas, assisting in the day-to-day work as well as with specific improvement initiatives and projects.  

All four roles are expected to:  

  • Define policies, processes and procedures, and create and maintain instructions, guidelines and templates.

  • Collaborate closely with internal and external stakeholders within the area of responsibility.

  • Continually look for opportunities to introduce more effective and efficient controls and ways of working within cyber security.

Qualifications

You must be an expert with 5-10 years of experience in cyber security in general and/or GRC-related work in particular. This includes documented knowledge in the focus area you are applying for:

Risk Officer:  
Implement risk management associated with cyber security, including identification, analysis and mitigation plans at both an enterprise and an operational level.

Compliance Officer:  
Comply with legal requirements, best practices and standards associated with cyber security, and work with Qualified Security Assessors (QSA) and auditors.  

Resilience Officer:  
Build a robust and resilient cyber security environment with the help of business continuity and disaster recovery strategies as well as effective incident and crisis management practices.

GRC Officer:  
General experience of GRC-related work tasks.

To succeed in the role, we see that you have:  

  • Strong experience in helping a global organization to adopt a robust, resilient and maintainable approach to modern tech or cyber security.   

  • Very strong knowledge of legal regulations, international standards and best practices within cyber security risk management, such as ISO 27000/22301/31000, NIST 800, PCI-DSS, GDPR, NIS2 and DORA.

  • Strong experience of implementing and operating cyber security focused controls.  

  • Strong experience of working with Qualified Security Assessors (QSA) and auditors to deliver useful independent audits of an organization or division.

  • You must be a great team player, as this role works closely with several internal and external stakeholders. 

Skill requirements: 

We use the Chartered Institute of Information Security (CIISEC) roles framework. You can find out more about the skills and levels on their website (www.ciisec.org):  

  • Governance (5<)   

  • Legal & regulatory environment & compliance (5<)  

  • Policy & standards (5<)  

  • Information risk management (5<)   

  • Risk assessment (5<)  

  • Incident management, incident investigation & response (5<)  

  • Innovation & business improvement (5<)  

  • Communication & knowledge sharing (5<) 

To stand out, we believe you have some of the following skills/ qualifications:  

  • Information security strategy (5<)   

  • Business skills (5<)  

  • Management, leadership & influence (5<)  

  • Behavioral change (5<)  

  • Third party management (5<) 

Additional Information

These are full-time permanent positions. They are based in our office in Stockholm, Sweden, and we have a hybrid work structure.
Apply by sending in your CV in English as soon as possible. Due to data policies, we only accept applications through our career page.

What the team offers:  

  • Trendy work within one of the world’s largest fashion groups.

  • A high-level opportunity to improve cyber security on a global market.

  • Good opportunities for professional and personal development through, for example, educational programs, networks and conference attendance.

Benefits

We offer all our employees at H&M Group attractive benefits with extensive development opportunities around the globe. All our employees receive a staff discount card, usable on all our H&M Group brands in stores and online. Brands covered by the discount are H&M (Beauty and Move included), COS, Weekday, Monki, H&M HOME, & Other Stories, ARKET, Afound. In addition to our staff discount, all our employees are included in our H&M Incentive Program – HIP. You can read more about our H&M Incentive Program here

In addition to our global benefits, all our local markets offer different competitive perks and benefits. Please note that they may differ between employment type and countries. 

Inclusion & Diversity 

At H&M Group, we’re determined to create and maintain inclusive, diverse and equitable workplaces throughout our organisation. Our teams should consist of a variety of people that share and combine their knowledge, experience and ideas. Having a diverse workforce leads to a positive impact on how we address challenges, on what we perceive possible and on how we choose to relate to our colleagues and customers all over the world. Hence all diversity dimensions are taken into consideration in our recruitment process.  

We strive to have a fair and equal process and therefore kindly ask you not to attach a cover letter in your application as they often contain information that easily can trigger unintentional biases. 

Company Description

H&M Group is a family of brands; H&M, COS, Weekday, Monki, H&M HOME, & Other Stories, ARKET and Afound. At H&M Group, our people are the driving force behind our commitment to creating meaningful growth and more sustainable lifestyles. Help us re-imagine fashion and together we will re-shape our industry. Learn more about H&M Group here
