Group Security: Information Security Risk Consultant

Location France, France
Experience level Experienced Hire
Job details sector Information Technology
Apply before Permanent offer

If you are interested in this opportunity, please apply directly through the tool.





Level of priority     

  • Necessary: The responsibility/objective is necessary and must be considered as medium priority.
  • Important: The responsibility/objective is important and must be considered as high priority.
  • Crucial: The responsibility/objective is crucial and must be considered as top priority.



Technical competencies


  • E1 Awareness: Understands the skill and its application. Has acquired and can demonstrate basic knowledge associated with the skill. Understands how the skill should be applied but may have no practical experience of its application.


  • E2 Basic application: Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill.


  • E3 Skillful application: Understands the skill and applies it to complex tasks with no supervision. Has acquired a deep understanding of the knowledge associated with the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of complex tasks. Demonstrates significant personal responsibility or autonomy, with little need for escalation. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Contributes ideas for technical development and new areas for application of the skill.


  • E4 Expert: An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedent. Proposes, conducts, and/or leads innovative work to enhance the skill.




Behavioural competencies


  • Novice: Demonstrates the ability primarily under supervision and displays competence in some situations
  • Intermediate: Demonstrates the ability with some guidance and is able to leverage competency in multiple situations
  • Mastery: Demonstrates the ability independently and is able to leverage the competency in all types of situations with consistency




Required technical competencies



**Level: E1=Awareness, E2=Basic application, E3=Skilful application, E4=Expert




Information Security Management (E3)

A1 – Governance

A2 – Policy & Standards

A3 – Information Security Strategy

A4 – Innovation & Business Improvement

A5 – Information Security Awareness and Training

A6 – Legal & Regulatory Environment

A7 – Third Party Management


Information Risk Management (E3)

B1 – Risk Assessment

B2 – Risk Management


Implementing Secure Systems (E2/E3)

C1 – Security Architecture

C2 – Secure Development


Information Assurance Methodologies and Testing (E3)

D1 – Information Assurance Methodologies

D2 – Security Testing


Operational Security Management (E2)

E1 – Secure Operations Management

E2 – Secure Operations & Service Delivery

E3 – Vulnerability Assessment


Incident Management (E1)

F1 – Incident Management

F2 – Investigation

F3 – Forensics


Audit, Assurance & Review (E2/E3)

G1 – Audit & Review


Business Continuity Management (E2)

H1 – Business Continuity Planning

H2 – Business Continuity Management


Business skills and competences (E3)

J1 – Teamwork and Leadership

J2 – Delivering

J3 – Managing Customer Relationships

J4 – Corporate Behavior

J5 – Change and Innovation

J6 – Analysis and Decision Making

J7 – Communication and Knowledge Sharing




Required soft skills & Behavioral competencies


**Level: Novice, Intermediate, Mastery



Leadership (Intermediate)

  • Creates an environment for developing and fostering leadership excellence
  • Effectively communicates the group vision and goals and the benefits in achieving the same
  • Recognizes potential leaders and provides them with challenging assignments/stretch goals
  • Takes calculated risks in decision-making and seeks inputs from the team / stakeholders for the same.
  • Creates mechanisms to recognize individual/group contribution and achievements
  • Can effectively mentor others to acquire this competency



Strategic Thinking (Intermediate)

  • Articulates a vision, develops organizational goals and strategies
  • Maintains a wider perspective, aligns actions and contributes to the enhancement of the overall organizational strategy, including outputs from benchmarking activities and reviews
  • Understands and articulates the projected direction of the organization and how changes to it might impact the group
  • Is aware of trends in the external environment and key differentiators vis-a-vis competition and uses this information to anticipate how these changes would impact the organization



Problem solving (Mastery)

  • Recommends solutions relevant to the complexity, scope, risk and magnitude of the problem



Planning (Intermediate)

  • Plans up to 2-5 years ahead (particularly when preparing budgets and resource requirements) in accordance with the project/program portfolio to ensure its successful delivery
  • Provides input into planning and prioritization of project activities
  • Required to analyze and critically evaluate information as well as formulate plans based on multiple sources of information
  • Forward planning required e.g. target setting and forecasting trends
  • Ability to manage action plans, review progress and make adjustments where required



Decision making (Intermediate)

  • Advises on decisions regarding strategy, policy, and structures
  • Quick to assimilate and integrate new information for informed decision making
  • Monitors changes in the operating environment and is quick to act upon potential opportunities.
  • Able to quickly evaluate a situation or issue and take the initiative within limits of authority.




Coaching and Mentoring (Intermediate)

  • Coaching: The process of assisting individuals to set goals, then supporting the execution of those goals by establishing strategy and providing feedback, insight and guidance to enable the individual to reach their fullest potential.
  • Mentoring: The process in which an experienced colleague is assigned to an inexperienced individual and assists in a training and development or general support role.



Interpersonal skills (Intermediate)

  • Assertiveness, empathy, active listening
  • Oral communication, persuasive skills







  • Bachelor's degree in Computer Science, Engineering, or related field
  • An MSc in Information Security would be desirable but is not essential




  • Information Security and/or Information Technology industry certification (CISSP, CISM, CRISC, GIAC, ISO27001 Lead Auditor or equivalent) strongly preferred
  • Member of IISP or have the qualification, skills and experience to become a member



Overall work experience in the field

  • Experience in Information Security field > 5 years
  • Experience in technical Information Security solution design and conducting technical risk assessments > 5 years
  • Experience in articulating IS risks in business language and advising on the appropriate risk management strategy for a technical solution > 5 years
  • Experience in project management and related methodologies > 5 years
  • Experience in ITIL is an advantage
  • Experience in multinational companies is an advantage



Skills / abilities

  • Ability to function effectively in a matrix structure
  • Operate comfortably at management level
  • Good facilitation, negotiation and conflict resolution skills
  • Proficient risk assessment, interpretation and analytical skills
  • Good networking skills
  • Team player
  • Fluent in English





Job purpose


  • Work closely with the business to perform information security risk assessments of new project initiatives, the production environment, merger and acquisition activity and third parties

  • Identify and assess information security risks and recommend appropriate controls and measures to enable effective management of risk

  • Provide advice and guidance to AXA’s information security and risk community, and support local business engagement where required
  • Contribute to the continuous improvement activity of the information security risk management methodology and processes
  • Support the establishment of the organization’s information 'risk appetite'





  • Job title: Information Security Risk Consultant
  • Business unit: AXA Group Information Security


Reporting structure         

  • Reports to: Information Security Risk Lead
  • Functional reports to: N/A
  • Direct reports: N/A



Work related relationships        

  • Internal actors: Expected to interact with Group Risk Management, Group Legal & Compliance, Business stakeholders, Business Information Security Teams, IT Leadership & Group Internal Audit
  • External actors: Expected to interact with vendors and professional organizations, peers



Key responsibilities – accountabilities


**Level: necessary, important, crucial



  • Conduct risk assessment on projects, the production environment, merger and acquisition activity and third parties (Crucial)
  • Identify and analyze information security risks and recommend appropriate controls and measures in clear, business-intelligible language (Crucial)
  • Conduct third party assessments to ensure Group IS policies/standards are met and information security risks are identified and managed (Crucial)
  • Contribute to and maintain the Group Information Security Risk Register, ensuring actions are completed (Crucial)
  • Contribute to, implement, operate and maintain a risk assessment and management framework (Crucial)
  • Review risk acceptance forms and provide robust challenge to ensure appropriate management of risk (Important)
  • Identify, plan and direct specific group-wide initiatives designed to mitigate information security risks (Important)
  • Provide information security risk assessment and subject matter expertise (Important)





Company Statement


With over 102 million customers in 56 countries, AXA's strong global franchises and three lines of expertise - Property & Casualty, Life & Savings and Asset Management - provide a distinctive business portfolio. As a company whose business is to protect people, we have a responsibility to leverage our skills, resources and risk expertise to build a stronger and safer society. To achieve our mission, we are committed to redefining the standards of our business so that we truly differentiate ourselves and earn the trust of our key stakeholders. AXA is setting up a Group Information Security practice in order to reinforce its short-term risk reduction strategy, aligned with AXA strategy & culture and based on the industry standards.


Business Unit Statement


To support our business strategy and digital transformation, AXA is building a new Group Information Security Practice to ensure a coordinated response to the increasing cyber security threat, enable risk decisions to be made consistently across the organization and establish sustainable security capabilities that are integrated with the business.  Our vision for Information Security is to ‘protect our stakeholders by securing our information assets, managing our cyber risk and enabling business strategies in an efficient and effective way, fully supported by executive leadership and underpinned by all AXA employees’.