Senior GRC ISO 27001 Program Lead [Freelance]

Equativ


Job Location:

Paris - France

Monthly Salary: Not Disclosed
Posted on: 17 hours ago
Vacancies: 1 Vacancy

Department:

Engineering

Job Summary

About Equativ

Equativ is a leading independent advertising platform that connects advertisers and publishers to deliver seamless video and audiovisual experiences. In a data-driven ecosystem, the trust and security of our infrastructure are at the core of our value proposition.

Your mission

Reporting to the VP IT & Security, you will take direct ownership of the ISO 27001 certification program, to be delivered within a tight 12-month timeframe. You will design and execute the roadmap end-to-end: scoping, risk analysis, controls deployment, ISMS implementation, internal audit, and certification audit management.

The tight timeline requires a senior, autonomous profile, operational from day one, able to make decisions, mobilize cross-functional teams (Tech, Product, Sales, Ops, Legal, HR) and bring the entire company on board.

Key responsibilities

ISO 27001 program management (12 months)

  • Define and own the certification roadmap: milestones, deliverables, dependencies, workload plan.

  • Build and operate the Information Security Management System (ISMS): policies, procedures, Statement of Applicability (SoA), risk treatment plan.

  • Manage the full audit cycle: internal pre-audit, final certification audit (stages 1 and 2), then annual surveillance and renewal audits. Selection and management of the certification body.

  • Regular reporting to the VP IT & Security and the Executive Committee (KPIs / KRIs, progress, blockers).

Risk analysis and management

  • Conduct and maintain risk assessments on critical assets using a recognized methodology (EBIOS RM, ISO 27005 or equivalent; operational mastery of at least one method is required).

  • Analyze risks related to AI agents deployed within the company: map use cases, assess risks (data leakage, prompt injection, hallucinations, system access, third-party dependencies), define mitigation measures and associated controls.

  • Define, track and challenge remediation plans with technical and business teams.

Audit, control and continuous improvement

  • Implement permanent controls and the ISMS internal audit program.

  • Run recurring operational tasks (access reviews, configuration reviews, logical and physical access controls) in direct collaboration with application and system owners.

  • Manage penetration tests and the exploitation of their results.

  • Lead management reviews and continuous improvement loops.

Engage the company and collaborate cross-functionally

  • Translate security topics for non-technical audiences (Sales, Marketing, Finance, HR).

  • Design and roll out the security awareness and training plan.

  • Own the responses to security questionnaires within RFPs and be the primary point of contact for third-party audits conducted by clients.

  • Work in close collaboration with all departments: Legal / DPO (GDPR alignment, contracts, AI Act), R&D / Product (security by design, architecture reviews, AI), Finance (vendor risk analysis, security budget), HR (awareness, access management, onboarding/offboarding), Ops and Cloud teams.

Leverage AI to drive efficiency

  • Make daily use of generative AI tools (assistants, agents, automations) to accelerate documentation, gap analysis, controls mapping, customer questionnaire handling and reporting.

  • Promote AI usage best practices within the security perimeter, in line with confidentiality requirements.

Candidate profile

Experience

  • Minimum 8 to 12 years in cybersecurity / GRC, including significant experience leading an ISO 27001 certification end-to-end (ideally already achieved under a comparable time constraint).

  • Experience in international environments, ideally SaaS, AdTech, media or data-driven companies.

Technical and methodological skills

  • In-depth mastery of ISO 27001 / 27002 and the ISMS.

  • Operational mastery of at least one risk analysis methodology (EBIOS RM or ISO 27005).

  • Ability to conduct risk analysis on AI agents deployed internally (frameworks such as ISO/IEC 42001, NIST AI RMF, OWASP Top 10 for LLM, AI Act).

  • Solid knowledge of complementary frameworks (SOC 2, NIST CSF); knowledge of TCF v2.2 (AdTech) is a plus.

  • Cross-functional understanding of Cloud security, sufficient to interact effectively with technical teams.

Soft skills (decisive)

  • Outstanding communication skills: proven ability to engage tech and non-tech audiences, to arbitrate and challenge without alienating.

  • Cross-functional teamwork: confirmed ease working with Legal, R&D, Finance, Product, HR and Ops counterparts.

  • Cross-functional leadership, political acumen, ability to drive a program in a matrixed environment.

  • Pragmatic, business- and delivery-oriented mindset, comfortable with tight deadlines.

Languages

  • Fluent in French and English, both written and spoken (non-negotiable requirement, daily international context).

AI-first culture

  • Daily and advanced use of AI tools to automate and accelerate one's own work.

Practical information

  • Start date: ASAP (certification target within 12 months)

  • Location: Paris (headquarters), on-site presence required

Reports to: VP IT & Security
We may use artificial intelligence (AI) tools to support parts of the hiring process, such as reviewing applications, analyzing resumes, or assessing responses. These tools assist our recruitment team but do not replace human judgment. Final hiring decisions are ultimately made by humans. If you would like more information about how your data is processed, please contact us.

Required Experience:

Senior IC


About Company

Equativ's global ad platform unlocks advanced technology, consumer research, and data intelligence to foster improved user experiences.
