Cybersecurity GRC Manager
Context
Digit’Eaux is the reference partner for water sector players in Wallonia in their digital transformation projects, notably supporting SWDE, SPGE, and several Approved Sanitation Organizations (OAA).
Recognized as an essential entity within the meaning of the NIS2 directive, Digit’Eaux is involved in the design, coordination, and implementation of structuring IT projects, while also supporting its cooperators upstream in defining their governance and IT risk management strategies.
Within this context, the Digit’Eaux Cybersecurity division wishes to enlist the services of an experienced GRC Manager, tasked with structuring and leading governance, risk management, and compliance initiatives (NIS2, ISO 27001) for Digit’Eaux and cooperators in the water sector (sanitation and drinking water).
The consultant will join the internal cybersecurity team and work closely with the CISO as well as the teams and subcontractors of Digit’Eaux.
Mission
As part of bringing Digit’Eaux and its cooperator clients into compliance with NIS2 regulatory requirements and the ISO 27001:2022 standard, the Cybersecurity GRC Manager will strengthen the security team led by the CISO.
He/She will be responsible for operational governance, risk management, and compliance (GRC) activities, directly supporting the CISO and interfacing with clients in the MSP portfolio:
- Lead and draft the documentation for the Information Security Management System (ISMS): policies, procedures, risk treatment plans.
- Support clients in their ISO 27001 certification process, from gap analysis to the certification audit.
- Ensure preparation for internal and external audits, follow-up on non-conformities, and ongoing updating of the ISMS.
- Contribute to the implementation of NIS2 compliance for essential and important entities within scope.
- Use and administer the GRC tool CISO Assistant (or equivalent) for monitoring controls, risks, and action plans.
Skills
Soft Skills
- Documentary rigor: ability to produce precise, coherent, and sustainable documentation (policies, procedures, risk treatment plans) drafted unambiguously.
- Oral and written communication: ability to express oneself clearly to various stakeholders (management, Comex, technical teams, client business managers) and to write summaries and presentations for governing bodies; capability to adapt the level of language to the audience, simplifying without oversimplifying.
- Active listening and relational intelligence: ability to understand the real constraints of clients and subcontractors, to rephrase their needs, and to establish a climate of trust conducive to co-constructing security procedures and processes.
- Negotiation and influence without hierarchical authority: ability to advance compliance topics with stakeholders who are not under the direct authority of Digit’Eaux (cooperator clients, third-party providers, external IT teams); knowing how to defend a security requirement while remaining constructive and solution-oriented.
- Educational skills: ability to make ISO 27001 and NIS2 requirements accessible to non-specialist operational staff, to lead collaborative working sessions (risk workshops, document reviews, awareness sessions), and to engage stakeholders in the compliance process.
- Managing resistance and change management: ability to handle organizational reluctance towards compliance requirements, to identify the right internal contacts at the client, and to turn regulatory constraints perceived as obstacles into levers for operational improvement.
- Autonomy and proactivity: ability to progress independently on GRC workstreams, reporting regularly to the CISO and escalating blocking issues at the right moment.
- Result-oriented: focus on concrete deliverables such as policies written, audits prepared, and non-conformities closed.
- Adaptability: comfortable in a multi-client MSP environment with high operational responsibility, able to juggle multiple organizational contexts and varying levels of security maturity.
Governance Skills
- Mastery of the PDCA cycle applied to an ISMS (ISO 27001).
- Ability to draft and maintain a Statement of Applicability (SOA) with contextualized justifications.
- Knowledge of NIS2 requirements (essential/important entities, notification obligations, security measures).
- Experience in conducting risk analyses (ISO 27005 or equivalent).
- Ability to interact with client CISOs and to position Digit’Eaux as an extended operational security team.
- Awareness of GDPR obligations and how they intersect with ISO 27001/NIS2 requirements.
Technical Skills (functional/management level)
- ISO 27001:2022: mastery of the 93 Annex A controls, clauses 4 to 10, and audit requirements.
- Document drafting: security policies, operational procedures, risk treatment plans, audit reports.
- Project management: planning compliance milestones, tracking action plans, Comex reporting.
- GRC tools: CISO Assistant, or any equivalent GRC platform (OneTrust, ServiceNow GRC, Archer, etc.).
- IT culture and infrastructure security: solid understanding of information system and network security fundamentals, necessary to assess the relevance of controls and to communicate effectively with technical teams.
- Knowledge of MSP environments and critical IT architectures (OT/IT, water sector or equivalent appreciated).
- Use of complementary frameworks: CIS Controls, IEC 62443, ANSSI sectoral guides.
Experience
- Minimum 3 to 5 years’ experience in a GRC, IT Compliance, or Information Security role.
- Proven experience in leading or supporting ISO 27001 certification (participation in at least one full cycle: preparation, dry-run audit, certification audit); an ISO 27001 Lead Implementer certification is a plus.
- Experience in an MSP, consulting firm, or multi-client environment appreciated.
- Exposure to regulated sectors (critical infrastructure, water, energy, health, finance) considered an asset.
- Good written French (extensive documentation production); technical English is a plus.
The mission is subject to renewal based on client assessment.
This position was originally posted on Pro Unity.
It is publicly accessible, and we recommend applying directly through the Pro Unity website instead of going through third party recruiters.