UNHCR, the UN Refugee Agency

Senior Information Security Officer

UNHCR, the UN Refugee Agency  •  Canton de Genève, CH (Onsite)

Job Description

Please note that this vacancy is only open to eligible staff members who have been individually notified of their eligibility to apply for positions advertised in the Accelerated Posting Compendium.

Deadline for Applications

June 12, 2026

Hardship Level

H (no hardship)

Family Type

Family

Residential location (if applicable)

Grade

PR4

Staff Member / Affiliate Type

Professional

Reason

Regular > Regular Assignment

Target Start Date

2026-06-01

Standard Job Description

Senior Information Security Officer


Organizational Setting and Work Relationships

Under the supervision of the Chief Information Officer (CIO) and Director of the Information Technology Service (ITS), the Senior Information Security Officer (Senior ISO) supports and contributes to the implementation of UNHCR’s information security policies and strategies to ensure that information assets and associated technology, applications, systems, infrastructure and processes are adequately protected in the digital ecosystem in which we operate. The Senior ISO also provides analysis and advice on legal and regulatory, IT, and cybersecurity risks to information assets, keeping these risks aligned with the organization’s evolving strategic priorities as well as operational requirements. A key element of the Senior ISO's role is supporting UNHCR’s senior management to determine acceptable levels of risk for the organization in the context of Information Security.

The size and scope of the UNHCR Senior ISO role requires a leader who brings an expert knowledge of cybersecurity technologies covering the corporate systems as well as the broader digital ecosystem and quickly develops a sound knowledge of UNHCR’s core business needs. The incumbent supports and coordinates the implementation of the information security programme, working across diverse stakeholders and functions, and contributing to consistent and effective application of security controls without direct line authority.

The Senior ISO proactively works with UNHCR’s divisions and regional bureaux and external partners to support compliance monitoring with agreed-on policies and standards for information security. S/he supports the coordination and provides technical input into cybersecurity and risk management activities related to IT to ensure the achievement of the organization’s operational outcomes where the process is dependent on technology. S/he articulates the impact of cybersecurity on UNHCR’s systems supporting operations, and is able to efficiently communicate this to the CIO and other senior stakeholders.

The Senior ISO supports second‑line assurance activities related to confidentiality, integrity and availability, in accordance with established governance frameworks. Access to information systems and records is exercised in line with applicable rules, procedures and delegated authorizations. The role requires the consistent application of professional judgment and contributes to good practice through collaboration with relevant stakeholders and networks.

All UNHCR staff members are accountable to perform their duties as reflected in their job description. They do so within their delegated authorities, in line with the regulatory framework of UNHCR which includes the UN Charter, UN Staff Regulations and Rules, UNHCR Policies and Administrative Instructions as well as relevant accountability frameworks. In addition, staff members are required to discharge their responsibilities in a manner consistent with the core, functional, cross-functional and managerial competencies and UNHCR’s core values of professionalism, integrity and respect for diversity.

Duties

Information Security Governance

  • Support and coordinate the information security governance function within UNHCR to promote consistent and high‑quality information security management in support of business objectives.
  • Contribute to the development and refinement of the information security approach and operating model in consultation with relevant stakeholders.
  • Monitor the global application of UNHCR’s information security policy.
  • Facilitate governance processes and support the functioning of relevant coordination bodies, including preparing inputs and documentation.
  • Prepare regular reporting on the status of the information security activities, risks, and compliance for management and stakeholders.
  • Liaise with the vendor management and procurement functions to ensure that information security requirements are included in contracts.
  • Understand and interact with related disciplines to ensure the consistent application of policies and standards across all technology projects, systems and services, including privacy, risk management, compliance and business continuity management.
  • Provide clear risk-mitigating directives for projects with components in IT, including the mandatory application of controls.
  • Support the coordination of a cost-efficient information security organization consisting of dotted line reports of individuals across the organization, and in the other ITS services.
  • Contribute to procedures for examination of data breaches (jointly with the Chief DPO).
  • Provide technical advice on specific technical and organizational measures for the security of personal data processed by UNHCR.

Security Planning and Programme Implementation

  • Contribute to the development of UNHCR’s information security vision and strategy in close collaboration with the CIO and other stakeholders.
  • Coordinate the implementation and monitor an organization-wide information security programme to support confidentiality, integrity, availability, safety, privacy and recovery of information assets.
  • Support divisions, regional bureaux and field offices to conduct information security risk assessments and apply risk management measures. Identify, evaluate, track and report on cybersecurity risks and vulnerabilities and provide direction on solutions and treatments.
  • Assist with the identification of non-ITS managed IT systems and services in use throughout UNHCR, facilitate a corporate IT onboarding programme to bring these services into the scope of the IT function, and apply standard controls and rigour to these services; where this is not possible, ensure that ownership of this information security risk is clear and is reduced to the appropriate levels.

Information Security Frameworks and Controls

  • Contribute to the development and maintenance of an information security management framework based on the International Organization for Standardization (ISO) 2700X, and COBIT/Risk IT, where applicable.
  • Maintain and update a coherent information security control framework to integrate and normalize the wide variety of ever-changing requirements. Draft and develop administrative instructions and guidance to ensure that information assets and associated technology, applications, systems, infrastructure, and processes are adequately protected, based on risk and available resources.
  • Manage and maintain a document framework of continuously up-to-date information security Administrative Instructions, standards and guidelines and SOPs. Oversee the approval and publication of these information security documents and practices.
  • Support the development and clarification of roles and responsibilities related to information ownership, classification, accountability and protection of information assets.
  • Develop and maintain metrics and reporting tools to measure the efficiency and effectiveness of the programme, facilitate appropriate resource allocation, and increase the maturity of the information security, and review it with stakeholders at the executive and board levels.

Awareness, Collaboration and Communication

  • Provide technical input for the IT section of the organization's code of conduct.
  • Develop supporting guidance and tools to support HQ, regional bureaux and country offices in executing their information security accountabilities, and to advance protection of information assets.
  • Coordinate the delivery of the information security awareness training programme for all employees, contractors and approved system users, and establish metrics to measure the effectiveness of this security training programme for the different audiences.
  • Collaborate with internal stakeholders (line-of-business executives, corporate compliance, audit, physical security, legal and HR) to promote alignment of information security practices.
  • Participate in external networks consisting of industry peers, ecosystem partners, vendors and other relevant parties to address common trends, findings, incidents and cybersecurity risks.
  • Liaise with other UN entities, external agencies and partners, and other advisory bodies, as necessary, to ensure that the organization maintains a strong security posture and is kept well abreast of the relevant threats identified by these agencies.
  • Liaise with the enterprise architecture team to build alignment between the security and enterprise (reference) architectures, thus ensuring that information security requirements are implicit in these architectures and security is built in by design.
  • Lead risk assessments and discussions with team(s) to proactively manage risks and seize opportunities impacting objectives. Ensure that risk management principles are integrated in decision-making both at strategic and operational levels. Allocate resources for planned treatments with resource requirements in Strategic Plans. Ensure that risks are managed to acceptable levels and escalate, as needed. If a Risk Owner, designate the Risk Focal Point and certify that the annual risk review is completed and ensure that the risk register is updated during the year, as needed.
  • Perform other related duties as required.


Minimum Qualifications

Years of Experience / Degree Level

For P4 - 9 years relevant experience with Undergraduate degree; or 8 years relevant experience with Graduate degree; or 7 years relevant experience with Doctorate degree

Field(s) of Education

Information Technologies, Information & Communications Technologies, Computer Science, Information Systems, or other relevant field.

Certificates and/or Licenses

Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA)

(Certificates and Licenses marked with an asterisk* are essential)

Relevant Job Experience

Essential

Substantial experience in a combination of risk management, information security and IT jobs. Sound knowledge of business management and a working knowledge of information security risk management and cybersecurity technologies, including up-to-date knowledge of methodologies and trends in both business and IT. Proven experience contributing to the development and implementation of information security policies, procedures and programmes. Knowledge of common information security management frameworks, such as ISO/IEC 27001, ITIL, COBIT, as well as those from NIST, including 800-53 and Cybersecurity Framework. Knowledge and understanding of key international legal and regulatory requirements, such as GDPR, Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry/Data Security Standard. Strong ability to influence stakeholders and support informed decision-making in complex organizational environments. Must be a critical thinker, with strong problem-solving skills, and with poise and ability to act calmly and competently in high-pressure, high-stress situations. Excellent analytical skills, the ability to manage multiple projects under strict timelines, as well as the ability to work well in a demanding, dynamic environment and meet overall objectives. High level of personal integrity, as well as the ability to professionally handle confidential matters and show an appropriate level of judgment and maturity. High degree of initiative, dependability and ability to work with little supervision while being resilient to change. Excellent written and verbal communication skills, interpersonal and collaborative skills, and the ability to communicate information security and risk-related concepts to technical and nontechnical audiences at various hierarchical levels, ranging from senior leadership to technical specialists; experience of implementing and managing corporate ICT Security Policies, Guidelines, and Standards.

Desirable

Professional security management certification is desirable, such as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA) or other similar credentials. Project management skills: financial/budget management, scheduling and resource management. Experience with contract and vendor negotiations. Experience in decentralized IT operations globally, including in developing countries.

Functional Skills

*IT-IT Systems and Standards;

*IT-IT Security Management;

IT-IT Service Delivery Management;

IT-Microsoft Office Productivity Software;

IT-Management of external service providers for IT infrastructure maintenance and support;

IT-IT Operations Management;

(Functional Skills marked with an asterisk* are essential)

Language Requirements

For International Professional and Field Service jobs: Knowledge of English and UN working language of the duty station if not English

For National Professional jobs: Knowledge of English and UN working language of the duty station if not English and local language

For General Service jobs: Knowledge of English and/or UN working language of the duty station if not English


Competency Requirements

All jobs at UNHCR require 6 core competencies and may also require managerial competencies and/or cross-functional competencies. The 6 core competencies are listed below.

Core Competencies

Accountability

Communication

Organizational Awareness

Teamwork & Collaboration

Commitment to Continuous Learning

Client & Result Orientation

Managerial Competencies

Empowering & Building Trust

Judgement & Decision Making

Leadership

Managing Performance

Managing Resource

Cross-Functional Competencies

Analytical Thinking

Technological Awareness

Planning & Organizing

All UNHCR workforce members must, individually and collectively, contribute towards a working environment where each person feels safe and empowered to perform their duties. This includes demonstrating no tolerance for sexual exploitation and abuse, harassment including sexual harassment, sexism, gender inequality, discrimination, and abuse of power.

As individuals and as managers, all must be proactive in preventing and responding to inappropriate conduct, support ongoing dialogue on these matters, and speak up and seek guidance and support from relevant UNHCR resources when these issues arise.

Desired Candidate Profile

The ideal candidate for a Senior Information Security Officer (P4) role is an experienced security professional who combines strong technical depth with practical governance, risk, and stakeholder management skills. This profile emphasizes hands-on expertise in protecting enterprise systems and data, translating risk into actionable controls, and working effectively with technical teams, business owners, and senior management in a complex international environment.

Essential Attributes:
  • Advanced professional experience in information security, cybersecurity, or related ICT security functions, including progressive responsibility in enterprise environments.
  • Strong knowledge of information security governance, risk management, and internal control frameworks, with the ability to develop, implement, and monitor security policies, standards, and procedures.
  • Proven experience in conducting security risk assessments, identifying threats and vulnerabilities, prioritizing remediation actions, and tracking risk treatment plans.
  • Hands-on experience of key security domains, including identity and access management, network security, endpoint security, cloud security, data protection, vulnerability management, and secure configuration practices.
  • Experience supporting or coordinating incident detection, investigation, response, and post-incident improvement actions.

Desirable skills/experience:
  • Ability to advise project and operational teams on security requirements and embed security controls into systems, services, and business processes.
  • Demonstrated capacity to communicate complex security risks and recommendations clearly to both technical and non-technical audiences.
  • Strong stakeholder management, collaboration, and influencing skills, including the ability to work across functions and gain buy-in without relying solely on formal authority.
  • Experience contributing to compliance, audit, assurance, or regulatory activities related to information security and data protection.
  • High level of judgment, discretion, resilience, and organization, with the ability to manage multiple priorities in a high-pressure and risk-sensitive environment.
  • Professional certifications such as CISSP, CISM, CRISC, ISO/IEC 27001 Lead Implementer/Auditor, or comparable security qualifications.
  • Experience with international organizations, humanitarian operations, or geographically dispersed environments with elevated threat exposure.
  • Knowledge of security operations practices, including SIEM, threat intelligence, logging and monitoring, and coordination with security operations teams.
  • Experience in third-party security, vendor risk management, and review of contractual or technical security requirements.
  • Familiarity with business continuity, disaster recovery, and crisis management planning from an information security perspective.
  • Experience designing or delivering security awareness, training, and behavioral change initiatives.
  • Knowledge of secure software development, DevSecOps, application security testing, or security architecture review processes.
  • Working knowledge of another UN language would be an asset.

Required languages (expected Overall ability is at least B2 level):

Desired languages

Operational context

Occupational Safety and Health Considerations:

To view occupational safety and health considerations for this duty station, please visit this link: https://wwwnc.cdc.gov/travel

Nature of Position:

The Senior Information Security Officer within UNHCR's Information Technology Service (ITS) in Geneva contributes to the protection of the organization's digital assets and the resilience of its information systems by supporting the implementation and continuous improvement of information security measures. The incumbent provides senior-level technical advice and operational support on cybersecurity risks, controls, and standards, helping to ensure that security practices are aligned with UNHCR's operational needs and humanitarian mandate.

The position requires strong communication and coordination skills, as the Senior Information Security Officer must translate technical security requirements into practical guidance for colleagues across technical and non-technical functions. The role supports awareness-building, promotes good security practices, and contributes to clear reporting on risks, incidents, and mitigation measures for relevant stakeholders, including management and field operations.

The Senior Information Security Officer works closely with other security professionals, infrastructure and application teams, and operational counterparts to support the rollout of security controls, monitoring activities, and incident response processes. The incumbent may provide technical guidance to junior colleagues or project teams and contributes to the delivery of priority cybersecurity initiatives across the organization.

Close collaboration with ICT, Legal, Compliance, risk management, and other relevant teams is required to help maintain a coherent and practical approach to information security across UNHCR. The Senior Information Security Officer also supports engagement with external service providers and partners to help verify adherence to applicable security requirements. The role calls for sound judgement, analytical strength, and a proactive approach to identifying emerging risks and recommending improvements that strengthen UNHCR's overall security posture.

Living and Working Conditions:

Geneva is a category H Duty Station. All modern conveniences are available including international schools.

Additional Qualifications

Skills

Education

Bachelor of Arts: Computer Science, Bachelor of Arts: Information and Communication Technology, Bachelor of Arts: Information Systems, Bachelor of Arts: Information Technology

Certifications

Certified Information Systems Auditor - Other, Certified Information Systems Security Professional - Other

Work Experience

Competencies

Accountability, Analytical thinking, Client & results orientation, Commitment to continuous learning, Communication, Empowering & building trust, Judgement & decision making, Leadership, Managing performance, Managing resource, Organizational awareness, Planning & organizing, Teamwork & collaboration, Technological awareness

UNHCR Salary Calculator

https://icsc.un.org/Home/SalaryScales

Compendium

Accelerated Posting Compendium 2026 - Part B

Additional Information

Functional clearance

This position doesn't require a functional clearance

About UNHCR, the UN Refugee Agency

UNHCR, the UN Refugee Agency, is a global organisation dedicated to saving lives, protecting rights and building a better future for people forced to flee their homes because of conflict and persecution.

We lead international action to protect refugees, forcibly displaced communities and stateless people.

We deliver life-saving assistance, help safeguard fundamental human rights, and develop solutions that ensure people have a safe place called home where they can build a better future. We also work to ensure that stateless people are granted a nationality.

We work in over 130 countries, using our expertise to protect and care for millions.

UNHCR’s greatest asset is our workforce. We work with passionate, talented and creative individuals who want to use their skills for good. Thanks to people like you, we can develop solutions that enable people who have been forced to flee to restart their lives and build better futures.

Current Opportunities

http://www.unhcr.org/careers.html

Meet UNHCR Staff

https://bit.ly/2EMZrlO

Industry
Government & Public Safety
Company Size
10,000+ employees
Headquarters
Geneva, CH
Year Founded
Unknown
Website
unhcr.org