Information Security Auditor (Consulting | AI & Automation)

We’re looking for an Information Security Auditor (Consulting) to help our clients assess, improve, and evidence their security posture—especially where automation, AI solutions, cloud platforms, and modern engineering practices (CI/CD, DevSecOps) are involved.

This role is client-facing and combines audit execution, security assurance, and advisory. You will lead and contribute to security audits, control assessments, and compliance readiness engagements (e.g., ISO 27001, NIST, SOC 2), and you’ll partner with delivery teams to embed security controls into automation and AI-enabled processes.

• Plan and execute risk-based security audits and control assessments for clients (internal controls, cloud, apps, DevOps, automation platforms, and third parties).

• Define audit scope, objectives, criteria, testing approach, and sampling aligned to standards and frameworks such as:

• Control design & operating effectiveness testing

• Evidence gathering, interviews, walkthroughs

• Access reviews, logging/monitoring validation, change management testing

• Vulnerability & patch management review

• Data protection controls verification (where relevant)

• Support client readiness for ISO 27001 certification, surveillance audits, and customer assurance requests.

• Assess regulatory and contractual security requirements relevant to client context (e.g., GDPR security requirements; NIS2 applicability depending on sector).

• Provide pragmatic remediation guidance:

• Prioritized improvement plans

• Control roadmaps & quick wins

• Evidence pack design for audits / customer questionnaires

• Conduct follow-up and verify remediation closure.

• Assess how security is implemented in automation and AI/ML-enabled workflows, including:

• Secure automation (RPA / workflow orchestration), bot identities, credential vaulting, segregation of duties

• AI governance & risk controls (data lineage, model risk, prompt/data access controls, monitoring)

• Secure SDLC / DevSecOps controls: CI/CD, code scanning, secrets management, artifact integrity

• Review controls for:

• Cloud environments (Azure/AWS/GCP), M365 security posture

• API security and integration patterns used in automation

• Identity & Access Management (IAM), privileged access, MFA, conditional access

• Logging, monitoring, SIEM integration, incident response runbooks

• Perform supplier/third-party security assessments (questionnaires + evidence-based validation).

• Help clients establish third-party assurance models and risk scoring approaches.

• Support vendor onboarding security checks and contract security clauses alignment.

• Produce crisp, executive-ready deliverables:

• Audit reports with findings, risk ratings, impact, and recommendations

• Control matrices, evidence trackers, remediation plans

• Board/CISO/CIO-ready summaries

• Present results to client stakeholders and facilitate workshops to align on remediation plans.

• Support pre-sales by contributing to:

• Proposals and statements of work (SoWs)

• Effort estimates, delivery plans, and approach decks

• Discovery sessions and scoping calls

• Help build our service offering: templates, accelerators, audit checklists, automation of evidence collection, and knowledge base.

• IAM/PAM, logging/monitoring, incident response, vulnerability management, change management, backups/BCDR

• Comfortable in client-facing environments: workshops, interviews, challenging respectfully, influencing.

• Strong report writing and the ability to translate technical issues into business risk.

• Excellent organization, time management, and ability to handle multiple engagements.

• English (professional fluency required).

• Portuguese is a strong plus (or required if your client base is PT-centric).

• Certifications:

• CISA, ISO 27001 Lead Auditor, CISSP, CRISC, CCSP, GIAC (e.g., GSEC)

• Experience with:

• Cloud posture reviews (Azure/AWS/GCP), Kubernetes security

• Microsoft security stack (Defender, Sentinel, Purview)

• DevSecOps / CI/CD auditing and secure SDLC

• Third-party risk management programs

• Exposure to AI governance frameworks, model risk, or security aspects of AI systems.