IT Risk Management

8-10 years
a month ago
Job Description

Job description

  • Participate in the Risk and Control Self-Assessment (RCSA) and Control Framework (CF) development and review workshops / processes to provide updates on Information Risk Policy, related minimum standards, views on IT / cyber risks and information system controls, and challenge the first line-of-defence functions on risks and key remediation controls during the RCSA and/or CF revisit workshops
  • Monitor the new and/or updated IT / cybersecurity laws, regulations, and international standards and review the existing Information Risk Policy, and related minimum standards to identify gaps and propose the required action plans
  • Work with team members to review and update Information Risk Policy and related minimum standards according to the defined periodic review cycle to ensure compliance with laws, regulations and in line with international standards or frameworks
  • Review and update the contents on e-learning platform for the annual cyber risk awareness training delivery to all staff and concerned parties
  • Provide supports to the subordinate specialist team members for the execution of Annual Key Control Testing (KCT) - Quality Assurance (QA) Plan, and review the quality of works done by the subordinate team members as part of KCT QA plan execution
  • Coordinate with all relevant parties for IT Non-Financial Risk Committee (IT NFRC) quarterly meeting readiness preparation
  • Attend the meetings and provide consult and/or views on IT risk / cyber risk and information system controls to the business units that are product / service owner in the initiative / strategic projects.
  • Be the coordinator and provide supports to the Compliance and Internal Audit functions in the annual self-assessment programs and/or IT audits.
  • Be the coordinator and provide supports to the regulators e.g., in the Annual IT Examination visit by Bank of Thailand (BOT) and to the external auditors in the independent reviews
  • Participate the annual Business Continuity and/or IT Disaster Recovery plans exercises
  • Manage special assignments (if any)


  • Master or bachelor's degree in computer related or equivalent fields
  • 8-10 years of professional experienced in Information Security related fields
  • 5-10 years of working experienced in banking or financial service industry
  • Knowledge and skills in the areas of IT governance, IT / cyber risk, and information systems control
  • Knowledge and skills in the areas of system development life cycle,
  • Good knowledge and understanding in IT and/or Cybersecurity related laws and regulations such as BOT's IT Risk Management Implementation, BOT's Cyber Resilience Assessment Framework (CRAF), Computer Crime Act, Personal Data Protection Act (PDPA), etc.
  • Good knowledge and understanding in international standards such as NIST 800-53, ISO 27000 series, ISO 22301, PCI DSS, COBIT, ITIL, etc.
  • Certified Information Security Manager (CISM), Certified in Risk and Information System Control (CRISC), Certified Information Systems Auditor (CISA) or Certified Information System Security Professional (CISSP) is an advantage
  • Good English communication skills are required
  • Good consulting skills and managerial skills, can work under pressure or manage multiple assignments simultaneously to provide deliverables on time
  • In depth technical knowledge of: Data Centre Resilience (TIA-942), IT Security (ISO 27001), BCM (ISO 25999), Computer Networks
  • Proven management experience on departmental and project level.






system development life cycle
Data Centre Resilience (TIA-942)
IT / cyber risk
ISO 27000 series
BCM (ISO 25999)
information systems control
NIST 800-53
IT Security (ISO 27001)
Job Source:

People Also Considered