
Information Security Governance Expert
About the role
At Roche you can be yourself and are valued for your unique qualities. Our culture encourages personal expression, open dialogue and genuine connection. Here you are valued, accepted and respected for who you are. This creates an environment in which you can grow both personally and professionally. Together we want to prevent, stop and cure diseases and ensure that everyone has access to healthcare, today and in the future. Become part of Roche, where every voice counts.
The Position
As an Information Security Governance Expert, you drive the integrity and resilience of Roche's Information Security Management System (ISMS). You are responsible for ensuring the organization maintains its yearly security certifications and remains compliant with evolving global regulations such as the US DOJ, NIS2, RCE/CER and GMP Annex 11. You combine deep information security experience with sound regulatory knowledge and project management skills to lead external audits and inspections and strategic security initiatives across the group. Your goal is to ensure that the security framework is not only compliant but also scalable and effective in protecting Roche's critical assets in a highly regulated environment. You have a proven track record of turning information security governance into a business enabler.
The Information Security & Privacy Governance team provides the framework for Roche to identify, assess, and mitigate information risks. The area is organized around three pillars:
Governance & ISMS: Maintaining the Roche Global ISMS framework and certification (ISO/IEC 27001).
Regulatory Compliance: Ensuring adherence of the Roche global ISMS to US DOJ/NIS2, RCE/CER, GMP Annex 11 and global healthcare/medical device regulations.
Audit & Assurance: Supporting Roche affiliates during external inspections, demonstrating their commitment to compliance.
Job Responsibilities
ISMS Strategy & Framework Management
Global ISMS Ownership: Own and maintain the Roche ISMS framework, ensuring full alignment with ISO/IEC 27001:2022 and integration with other quality management systems.
Continual Improvement: Drive the ISMS "Plan-Do-Check-Act" (PDCA) cycle to ensure the framework evolves with the threat landscape and business needs, maintaining successful yearly certification continuity.
Policy Governance: Define and maintain enterprise-level security policies, standards, directives and procedures, ensuring they are fit-for-purpose, actionable and measurable.
Risk Monitoring: Monitor the global risk landscape to identify adaptations required to the governance framework.
Regulatory & Compliance Orchestration
Regulatory Translation: Integrate complex global requirements (NIS2, HIPAA, US DOJ) into Roche Global ISMS.
Product & Services: Collaborate with product teams to ensure "Security by Design" integration into their culture, skillset, processes and projects.
Control Mapping: Maintain a unified control framework that maps internal Roche controls to multiple external regulatory requirements to validate coverage of the Roche Global ISMS.
Consulting: Act as a consultant to Roche affiliates, guiding them toward compliance with regional or functional security directives.
Audit & Inspection Support
External Audit & Inspection Support: Support legal entities of the Roche Group and functions during external audits and regulatory inspections.
Risk Treatment Oversight: Coordinate remediation plans for audit and inspection findings and track progress to closure.
Third-Party Governance: Oversee the security governance framework for critical supply chain partners and Cloud Service Providers.
Stakeholder & Change Management
Strategic Advisory: Serve as a bridge between senior leadership, legal, privacy and quality to communicate information security risks and maturity milestones.
Culture& Awareness: Support the Information Security networks by providing high-level governance guidance and strategic direction.
Qualifications
Experience
Experience: 7+ years in Information Security Governance, ISMS management, or IT Audit leadership within a global, regulated industry (Pharma or MedTech preferred).
Audit Expertise: Proven track record of leading successful ISO 27001 certification cycles and managing regulatory inspections.
Regulatory Knowledge: Deep understanding of NIS2, GxP (Annex 11), and GDPR.
Education
Bachelor’s or advanced degree in Information Technology, Cybersecurity, or a related field.
Deep knowledge of Information Security frameworks (ISO 27001, NIST) and European regulations (NIS2, RCE/CER).
Professional certification such as ISO 27001 Lead Auditor/Implementer (required), CISM, CISA, or CRISC (highly preferred).
Understanding of system validation and GxP requirements in a regulated IT environment.
Technical & Business Skills
Security Framework Mastery: Expert-level understanding of ISO/IEC 27001:2022, together with NIST CSF & SPs and CIS, specifically the ability to design and maintain a Statement of Applicability (SoA), a Risk Assessment and Treatment Plan (RATP) and an Improvement Plan (IP) across a global enterprise.
Regulatory Architecture: Advanced ability to map international regulations—such as NIS2, RCE/CER, and HIPAA—directly into actionable internal controls.
Governance Platform Expertise: Proficiency in leveraging ServiceNow IRM/GRC modules to provide enterprise-wide visibility into risk and compliance posture.
Training: Practical experience with LMS (Cornerstone) and QMS (Veeva) tools highly appreciated. Capacity to create training materials about security and governance, to help efficiently propagate knowledge to end-users.
Security tools: Practical experience with tools supporting a Zero Trust implementation is valued.
Systems Thinking: A deep understanding of how specific operational delays or control failures impact the downstream security posture of a global organization.
Operational Orchestration: A "Chef d’Orchestre" mindset—meticulous about timing and cross-functional follow-ups to ensure all global parties meet certification deadlines.
AI & Emerging Tech Governance: Intellectual curiosity and practical knowledge of governing GenAI/LLMs within a secure framework, ensuring innovation doesn't compromise data integrity.
GxP& Validation Fluency: Foundational knowledge of system validation and GxP requirements (e.g., GMP Annex 11) to ensure IT security controls meet rigid healthcare manufacturing standards.
Self-Development: Capacity to learn on the job and to self-educate is essential in a context where new concepts must be understood, quickly assessed and adequately integrated.
Leadership Skills
Strong ability to build trust and explain complex concepts and process requirements to a diverse global audience.
Ability to navigate complexity, manage ambiguity, and drive clarity in delivery.
Ability to drive delivery outcomes across cross-functional teams without direct authority.
Intellectual curiosity and a passion for applying GenAI/LLMs to improve productivity and automate manual tasks.
#RDT2026
Who we are
A healthier future drives us to innovate. More than 100,000 employees worldwide work together to achieve scientific breakthroughs and ensure that everyone has access to healthcare, today and for future generations. Through our commitment, over 26 million people are treated with our medicines and more than 30 billion tests are performed with our diagnostic products. We encourage each other to explore new possibilities, foster creativity and set ambitious goals in order to deliver life-changing healthcare solutions.
Together we can shape a healthier future.
Roche is an equal opportunity employer.