Governance, Risk and Compliance (GRC) (M/K)

Rossmann is a leader in the drugstore market with 17,000 employees and 1,700 stores across Poland. The company focuses on innovative sales solutions and adheres to global standards such as ISO 27001, NIST CSF 2.0, CSA, and CIS Controls for information security. Rossmann runs the largest passion development program in Poland and offers extensive employee benefits.

• Knowledge and experience with information security laws (NIS2, UKSC, CRA, AI ACT, RED) and industry standards (ISO 27001, NIST, CSA)
• Basic knowledge of cybersecurity systems and related concepts
• Knowledge of risk management methodology in information security
• Knowledge of information security incident management methodology
• Basic knowledge of cybersecurity auditing
• Understanding technical documents and standards and ability to apply them in practice
• Ability to create clear and concise documentation defining company security rules
• Ability to conduct meetings and explain complex topics to non-IT personnel
• Openness to collaboration with other departments
• Certifications related to risk management and compliance (e.g., CISA, CISSP, CRISC, LA 27001) or technical cybersecurity certifications (e.g., CompTIA CySA+/Security+, SC-900, SSCP, CIC)

• Creating, implementing, and updating processes, procedures, instructions, or guidelines in information security with support from IT experts
• Assessing risks related to the protection of the company's information systems
• Collaborating in the process of responding to cybersecurity events and incidents
• Evaluating suppliers regarding the maturity of information security processes
• Analyzing contracts and internal regulations for compliance with cybersecurity standards
• Identifying non-compliance areas and implementing corrective or preventive actions
• Conducting internal audits or coordinating external audits in information security
• Cooperating with data protection areas
• Cooperating with business continuity and crisis management areas
• Collaborating in training and building employees' cyber-awareness
• Working based on legal requirements and standards such as ISO (27001, 22301), NIST (800-53), and other cybersecurity methodologies