ICT Security - Risk Assessments Consultants

Experis is Norway’s largest consultancy and recruitment company with 850 consultants. We offer highly qualified consultants, recruiting and project solutions within the fields of Engineering, Finance and IT. Our Experis Executive Division recruits leaders and key personnel in the private and public sector. Among our clients you will find over 90 percent of Norway’s leading companies. Experis is a company in ManpowerGroup and is voted one of the world’s most ethical companies.


As a consultant in Experis, you will have instant access to a wide range of challenging positions and project assignments. With us, you can build your career, and we will help you achieve your short- and long-term goals through our national and global network. Visit us at www.Experis.no

Experis is collaborating with a large E&P oil and gas operator to strengthen their capabilities in risk assessment. For this we are seeking two consultants to become part of the existing team at the client to deliver risk assessments.


You will be expected to be able to handle risk assessment requests from start to finish, and to collaborate well with the existing team members.


The current risk assessment methodology is based on the Information Security Forum’s “Information Risk Assessment Methodology 2”.

The Contractor will be expected to deliver risk assessments according to the company’s established methodology.

You will be provided training on how to deliver risk assessments using the preferred methodology.


The Work shall be structured in six phases:


  • Scoping – Define and agree the scope of the environment to be assessed
  • Business impact assessment – Assess potential business impact to client should the information assets be compromised
  • Threat profiling – Profile and prioritize all threats that are relevant to the environment being assessed. Identify the potential ways the highest priority threats could manifest to cause harm to the environment being assessed
  • Vulnerability assessment – Assess the vulnerabilities associated with each in-scope threat event for the environment being assessed. Assess the degree of vulnerability of each component in the environment being assessed to the in-scope threat events
  • Risk evaluation – Derive the risk rating for each risk using the client’s established scales for business impact, threats, and vulnerabilities.
  • Risk treatment – Determine a risk treatment approach for each identified risk.


Typical delivery:

Request: Receive customer risk assessment request. Typically ordered via e-mail, phone, mailboxes or internal service catalogue.

  • Set start up meeting

Scoping: Establish the scope of the assessment. What information is managed by the solution(s) to be evaluated?

  • Written scope description

Business impact assessment: Describe the consequences of a successful attack. How valuable is the information that we’re trying to protect?

  • Written impact description

Threat assessment: Clarify threat agents in scope for the assessment

  • Threat agent list (including scoring)

Threat events: Develop high-level scenarios

  • Scenario description

Vulnerability assessment: Evaluate and analyse existing security controls to uncover weaknesses and strengths

  • Vulnerability scoring for individual scenarios

Risk evaluation: Determine risk scoring for scenarios based on impact, threat and vulnerabilities

  • Risk scoring

Delivery: Presentation of the report to the customer

  • Risk assessment report and documented sign-off from risk owner

Follow-up: Clarify potential need for further involvement in risk mitigation activities

  • Agreement on future involvement


Areas for risk assessments include, but are not limited to:

  • Cloud solutions
  • Business support systems
  • Industrial control systems
  • Office locations
  • Off- and onshore plants


In addition, you will be expected to participate in further maturing and professionalizing established risk assessment services.

This includes improvement of individual risk assessment phases as well as tweaking and bettering our underlying risk management methodology.


Competence Requirements:

  • Relevant experience with Risk Assessments
  • Understanding of Information Security Forum’s “Information Risk Assessment Methodology 2” (or similar best practice risk assessment methodologies such as ISO 27005 or NIST SP 800-30).


We offer:

  • Follow-up from a dedicated advisor, by an organization recognized as one of the most ethical in the world for the last 9 years
  • Access to HjemJobbHjem program




Experis is very interested in dialogue with potential partners on this project.

Do not hesitate to reach out for more information.




Please register at www.experis.no to apply.

Questions can be directed to Jørgen Lohne Morken - jorgen.lohne.morken@no.experis.com / 90702517




Number of positions: 2
Industry: IT
Field: Engineering, IT
Subcategory: IT
Position type: Permanent, Temporary engagement/Substitute, Full-time
Workplace: Hordaland
Role: Specialist, Advisor


Published: 08.03.2019
Application deadline: 19.03.2019
Ref. no.: 1029163


Jørgen Lohne Morken
Phone +4790702517

Andreas Kverneland