The Organizational Setting
The International Civil Aviation Organization (ICAO[1]) is funded and directed by 193 national governments to support their diplomacy and cooperation in air transport as signatory states to the Chicago Convention. ICAO's mission is to serve as the global forum of States for international civil aviation. In that regard, ICAO develops policies and standards, undertakes compliance audits, performs studies and analyses, provides assistance and builds aviation capacity through many other activities and the cooperation of its Member States and stakeholders.
The mandate of the Office of Internal Oversight (OIO) is to assist the Secretary General and the ICAO Governing Body in ensuring that ICAO is managed effectively, efficiently and economically and in conformity with the applicable regulations and rules, and to provide independent and objective assurance, advice, insight and foresight through performing internal audits, evaluations, and other oversight assignments as appropriate. The Office provides an annual report of its internal audits and evaluations to the ICAO Council.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Major duties and Responsibilities
The consultant will work under the overall guidance of the Chief, Office of Internal Oversight and report to the Internal Audit Specialist. The consultant will contribute to an audit of Information Systems Governance, Risk Management and Compliance (GRC) at ICAO.
The objectives of this audit are to:
- Evaluate the adequacy and effectiveness of the organization's Information Systems governance framework; and assess the extent of alignment between elements of information security governance and the ICT strategy.
- Assess whether the organization's ICT risk management processes effectively identify, analyze, and mitigate risks.
- Determine whether internal controls support the confidentiality, integrity, and availability of ICT systems and data; and assess compliance with regulatory requirements and adherence to best practices in information and cyber security.
The consultant will carry out the work in adherence with the Global Internal Auditing Standards (of the Institute of Internal Auditors).
Function 1 (incl. Expected results)
The consultant will carry out the following specific tasks as part of the audit of information security.
- Network Security Assessment: Conducting an audit to assess the security of the organization's network infrastructure, including firewalls, intrusion detection/prevention systems (IDS/IPS), and wireless security protocols.
Conduct the fieldwork, including the collection and analysis of documents and data and the conduct of interviews.
The consultant will collect and review all the relevant supporting documentation and sources of information relevant to the Information Security framework and any other materials that the consultant considers useful for supporting the audit fieldwork. Furthermore, the consultant, with the support of the Internal Audit Specialist, will:
- Collect data from the existing ICAO information systems
- Collect information and data through face-to-face or virtual interviews and other data collection methods from ICAO
- Prepare working papers such as interview notes, data analysis, policy reviews and benchmarks to identify gaps and control deficiencies or best practices supporting the audit findings and conclusions
- Keep effective and clear communication with the audit focal point, and communicate significant audit findings in a timely manner
- Develop audit findings
Result of Service
- Documented results of the assessment of governance, risks and controls including (i) network security assessment, (ii) network segmentation and traffic monitoring, (iii) remote access security, patching and vulnerability analysis, (iv) incident response and business continuity, (v) incident response plan testing and maintenance and (vi) integration of information security considerations in the business continuity plan. The results of the assessment should be backed by sufficient, reliable and relevant audit evidence.
- Detailed documentation of all the working papers, interview notes, audit analyses.
QUALIFICATIONS AND EXPERIENCE
Education
An advanced level university degree (Master's degree or equivalent) in Information Security, ICT, risk management, or related areas supplemented with one or more professional certifications such as CISSP, CISM, CISA, CEH or equivalent. A first-level university degree in combination with additional years of qualifying experience may be accepted in lieu of the advanced university degree.
Professional experience and knowledge
Essential:
Desirable:
- Lead Auditor certification in ISO/IEC 27001 or an equivalent certification
- Experience in working at a management level or in an advisory capacity in areas related to information security and risk management
Languages
Essential:
• Fluent reading, writing and speaking abilities in English.
Desirable:
• A working knowledge of any other language of the Organization (Arabic, Chinese, French, Russian, or Spanish).
Conditions of Employment
The consultant will be held to the highest ethical standards and is required to sign a Code of Conduct and an individual declaration of independence (or statement of confidentiality) upon acceptance of the assignment. This audit shall be conducted in accordance with Global Internal Auditing Standards.
The selected consultant is expected to be employed within the period of 1 July to 31 July 2025 for 20 working days.
How to apply
Interested candidates must complete an on-line application form. To apply, please visit ICAO's e-Recruitment website at: ICAO Career Website.
Notice to Candidates
ICAO does NOT charge any fees or request money from candidates at any stage of the selection process, nor does it concern itself with bank account details of applicants. Requests of this nature allegedly made on behalf of ICAO are fraudulent and should be disregarded.