Skip to main content

Business Information Security Officer (BISO)


Opening date
European Defence Agency
  • EDA - European Defence Agency
Vacancy Type
  • Public
Type of Contract
  • Temporary Staff
  • AD10
  • Brussels, Belgium

Target audience

To be considered eligible to take part in this selection procedure, on the closing date for the submission of applications candidates must satisfy all the eligibility criteria as specified below:

  • be a national of a Member State participating in the Agency;
  • be entitled to his/her full rights as a citizen;
  • have fulfilled any obligations imposed on him/her by the laws concerning military service;
  • produce the appropriate character references as to his/her suitability for the performance of his/her duties (extract from the “judicial record” or certificate of good conduct will be requested prior to recruitment);
  • be physically fit to perform his/her duties;
  • have a thorough knowledge (minimum level C1 oral and written) of one of the languages of the participating Member States and a satisfactory knowledge (minimum level B2 oral and written) of another of these languages to the extent necessary to discharge his/her duties;
  • have no personal interest (financial, family relationship, or other) which could be in conflict with disinterested discharge of his/her duties within the Agency;
  • hold, or be in a position to obtain, a valid Personnel Security Clearance Certificate (national or EU PSC at SECRET UE/EU SECRET level). Personnel Security Clearance Certificate (PSCC) means a certificate issued by a competent authority establishing that an individual is security cleared and holds a valid national or EU PSC, and which shows the level of EUCI to which that individual may be granted access (SECRET UE/EU SECRET), the date of validity of the relevant PSC and the date of expiry of the certificate itself. Note that the necessary procedure for obtaining a PSCC can be initiated on request of the employer only, and not by the individual candidate;
  • have a level of education which corresponds to completed university studies attested by a diploma when the normal period of university education is four years or more, or a level of education which corresponds to completed university studies attested by a diploma and appropriate professional experience of at least one year when the normal period of university education is at least three years or be a graduate of a national or international Defence College; or where justified in the interests of the service, professional training of an equivalent level.

Only diplomas that have been awarded in EU Member States or that are the subject of equivalence certificates issued by the authorities in the said Member States shall be taken into consideration. In the latter case, the authority authorised to conclude contracts of employment reserves the right to request proof of such equivalence.

For diplomas awarded in non-EU countries, a NARIC recognition is required:

Qualifications/diplomas awarded until 31/12/2020 in the United Kingdom are accepted without further recognition. For diplomas awarded after this date (from 01/01/2021), a NARIC recognition is required.

For native English speakers, your ability to communicate in another EU language will be tested during the selection process. To assess your foreign language levels, see:…

Only applications meeting all essential selection criteria will be assessed.

(1) Professional

Candidates will be required to demonstrate the following qualifications:

  • a consistent track record of successful project delivery in a military or civilian organisation handling classified and unclassified information on a daily basis;
  • a minimum of eight (8) years of experience in information security, in roles of responsibility;
  • a minimum of eight (8) years of experience in managing information security projects, including associated budgets and contracts;
  • at least two (2) years of experience in Security Accreditation of classified systems;
  • hands-on experience in building, managing and designing information management systems for public and/or private organizations following standards such as ISO-27001, NIST-800-53, etc.;
  • hands-on knowledge of a formal project management methodology (PMI or PM2 are preferred);
  • proven ability to advise on information security policy in complex organisations;
  • extensive experience with organisational change management and business transformation in complex organisations;
  • good understanding of IT system architectures, classified system accreditation processes in the EU public sector;
  • a very good knowledge of written and spoken English.

(2) Personal

All staff must be able to fit into the Agency's way of working (see para. 2). Other attributes important for this post include:

  • high sense of accountability;
  • ability to cover the wide span from conceptualisation to implementation and hands-on follow through, in close day-to- day cooperation with colleagues;
  • ability to address technical issues with a problem-solving attitude;
  • strong contract and financial management skills;
  • excellent people networking skills, capable of identifying and establishing successful relationships with key stakeholders and decision-makers;
  • proven ability to establish effective relations at CXO level with senior decision-makers, from both civilian and military environments;
  • excellent communication and presentational skills, both written and oral;
  • ability to work independently and collaboratively;
  • ability to work effectively in a multicultural environment;
  • proven ability to present complex information in an easily understandable way, communicating in plain English and avoiding unnecessary jargon;
  • flexibility and innovativeness; a genuine commitment to the Agency's objectives.


The following will be considered an advantage:

  • one or more formal certifications in information security, such as CISSP (Certified Information Systems Security;
  • hold a valid Personnel Security Clearance Certificate (national or EU PSC at SECRET UE/EU SECRET level);
  • proven knowledge or certified knowledge of information system governance frameworks (e.g. COBIT5/COBIT2019, CGEIT) and functions;
  • very good knowledge of ICT and cyber-security market's structure, challenges, players and state-of-the-art technologies and business models;
  • excellent knowledge of the ICT cybersecurity regulatory and certification landscape in the EU, including EU cybersecurity certification schemes;
  • proven experience in EU Data Protection regulations (GDPR, EUDPR, etc.) and how they apply to complex organisations.

Why we are consulting

We are looking for a Business Information Security Officer (BISO).

Under the operational supervision of the Deputy Chief Executive (the EDA Security authority) and administratively placed within the Corporate Services Directorate (CSD), the Business Information Security Officer (BISO) will have the following responsibilities:

Business & operational tasks

  • ensure day-to-day coordination and collaboration with the IT and the Security Units to maintain coherence, unity of action, effectiveness and efficiency when implementing activities and projects in the domain of information security management;
  • ensure, through coordination with relevant internal stakeholders (i.e. Legal Unit/DPO), that the applicable legal
    framework is complied with by design in all activities and projects affecting the security of information;
  • manage the information security activities and projects as a portfolio in line with the Agency’s strategic objectives &
    priorities with a view to upholding cybersecurity as a business enabler;
  • perform the role of project manager for the design, deployment, maintenance and further development of Information Security and EUCI solutions and services for the Agency;
  • manage budgets and contracts associated to Information Security EUCI activities and projects;
  • translate business requirements into actionable technical specifications (i.e. usable to launch public procurement procedures);
  • scout available technologies and business models with a view to identifying and recommending solutions that are suitable to the scale, risk exposure/appetite and operational needs of the Agency;
  • contribute to strengthening the Agency’s cybersecurity posture through regular and effective awareness raising activities.

Policy & advisory tasks

  • support informed decision-making on security information management through assessments and recommendations;
  • maintain and manage the implementation of EDA’s information security policy in accordance with other EU-wide policies as well as industry best practices;
  • carry out periodic in-house cybersecurity maturity assessments and oversee/support third party assessments as required by the current regulatory and legal framework;
  • implement audit recommendations affecting information security management;
  • manage cybersecurity risks within the Agency’s risk management framework, including business continuity / disaster recovery, in accordance with the applicable legal framework and industry best practices;
  • act as the Agency integrator for all activities related to EUCI handling; this includes proactively liaising with counterparts in other EU institutions (in particular the EU Council, identified as the Security Accreditation Authority for any information security system in EDA), Member States, third parties of public nature, industry, etc.;
  • oversee classification / declassification of information in accordance with the applicable legal framework;
  • manage information security incident management procedures in the EUCI domain;
  • manage business relationships, including requirement elicitation, with internal and external user communities;
  • network and exchange good practices with peers within the EU public sector.

Duties may evolve according to the development of EDA’s structure and activities, and the decisions of EDA management.

Additional information

The Business Information Security Officer (BISO) will be appointed by the Chief Executive.

Recruitment will be as a member of the temporary staff of the Agency for a four-year period. Renewal is possible within the limits set out in the EDA Staff Regulations. The successful candidate will be recruited as Temporary Agent, grade AD10.

The pay for this position consists of a basic salary of 10.518,29€ supplemented with various allowances, including as applicable expatriation or family allowances. The successful candidate will be graded on entry into service according to the length of his/her professional experience. Salaries are exempted from national tax, instead an Agency tax at source is paid. For further information on working conditions please refer to:

Failure to obtain the requisite security clearance certificate before the expiration of the probationary period may be cause for termination of the contract.

Candidates are advised that part of the recruitment process includes medical analyses and physical check-up with the Agency’s Medical Adviser.

Applications are invited with a view to establish a reserve list for the post of Business Information Security Officer (BISO) at EDA. This list will be valid until 31/12/2025, and may be extended by decision of the Chief Executive. During the validity of the reserve list, successful candidates may be offered a post in EDA according to their competences in relation to the specific requirements of the vacant post. Inclusion on the reserve list does not imply any entitlement of employment in the Agency.

The Business Information Security Officer (BISO) will be required to make a declaration of commitment to act independently in the Agency’s interest and to make a declaration in relation to interests that might be considered prejudicial to his/her/their independence.

EDA is an equal opportunities employer and accepts applications without distinction on the grounds of age, race, political, philosophical or religious conviction, sex or sexual orientation and regardless of disabilities, marital status or family situation.

Please note that EDA will not return applications to candidates. The personal information EDA requests from candidates will be processed in line with Regulation (EU) N° 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) 45/2001 and Decision No. 1247/2002/EC.

The purpose of processing personal data which candidates submit is to manage applications in view of possible pre-selection and recruitment at EDA. More information on personal data protection in relation to selection and recruitment can be found on the EDA website: