Senior Third-Party Risk Manager (Freelance possible)

📋 Tasks and responsibilities

The Third-Party Risk Manager (TPRM) is responsible for setting up, managing, overseeing and mitigating information security risks associated with third-party vendors, suppliers, service providers and contractors, in alignment with the NIS2 Directive. This role ensures that external partners meet the organisation's security standards and policies, comply with NIS2 obligations, and do not introduce unacceptable risks to business operations.

The role sits within the procurement function and focuses on building and maintaining strong relationships with third parties, facilitating risk assessments, and collaborating with internal stakeholders to strengthen business resilience against information security threats.

Key responsibilities

• Third-party supplier security governance
  • Define and implement the governance and processes needed to manage third-party supplier information security risks.
  • Evaluate and classify third parties based on their criticality and risk to essential services.
  • Support the CISO and procurement in the development and maintenance of security policies and procedures for supplier security.
• NIS2 compliance
  • Ensure all third-party relationships comply with the cybersecurity requirements of the NIS2 Directive, including risk management, incident reporting and supply chain security.
• Third-party risk assessment & management
  • Conduct thorough security due diligence and risk assessments for existing and prospective third-party vendors, with a focus on their ability to meet NIS2 standards.
  • Maintain an up-to-date risk register and treatment plans for third parties and their risk status, as required by NIS2.
  • Establish risk-scoring methodologies and criteria for vendor categorisation.
  • Establish and monitor security performance metrics for key vendors.
  • Manage the full third-party risk lifecycle, from onboarding to contract termination.
• Contract and procurement support
  • Collaborate with procurement and the CISO to ensure contracts with third parties include robust cybersecurity clauses, clear incident notification requirements and audit rights as mandated by NIS2.
  • Review and approve cybersecurity clauses in third-party agreements.
  • Ensure data protection and privacy requirements are incorporated into vendor contracts.
  • Support contract negotiations on security terms and risk allocation.
  • Manage security-related service level agreements and penalties.
• Supply chain security
  • Develop and maintain processes to identify, monitor and mitigate risks affecting cyber resilience in the supply chain, ensuring that vendors implement appropriate technical and organisational measures.
  • Continuously monitor vendor dependencies.
• Monitoring & reporting
  • Oversee the continuous monitoring of third-party compliance, including KPIs, SLAs, regular reviews, audits and follow-up on remediation actions.
  • Develop and maintain third-party risk dashboards and reporting mechanisms.
  • Prepare regular reports for management, risk stakeholders and procurement on third-party risk posture, compliance status and remediation progress, highlighting any NIS2-related issues.
  • Track and report on risk mitigation activities and their effectiveness.
• Incident management and notification
  • Coordinate with third parties to ensure timely reporting and effective management of security incidents or breach notifications, in line with NIS2 incident notification timelines.
• Stakeholder engagement
  • Liaise with internal teams such as ICT, risk and procurement, as well as external partners, to promote a shared understanding of NIS2 requirements and best practices in third-party risk management.
  • Facilitate regular security review meetings with critical suppliers.
• Awareness & training
  • Oversee the development and delivery of training and awareness programmes for third parties on NIS2 obligations and supply chain security, as well as the organisation's relevant information security policies.

Qualifications and experience

• Experience with ISO/IEC 27001 standard clauses regarding supplier relationship security.
• At least 4 years of experience in third-party risk management, cybersecurity or compliance, preferably in a regulated or governmental environment.
• Familiarity with the NIS2 Directive and its requirements for essential entities.
• Experience with supply chain security, vendor assessments and contract negotiations.
• Knowledge of other information security standards is an advantage, such as NIST, CIS Controls and CCB CyberFundamentals.
• Relevant certifications such as CISM, CISSP, CRISC, ISO 27001 Lead Implementer or third-party risk management certifications are an advantage.
• Experience with public tenders is a strong advantage.
• Familiarity with critical infrastructure protection or the EU Cyber Resilience Act is a plus.
• Experience with GRC platforms is an asset, in particular ServiceNow.
• Excellent communication, negotiation and stakeholder management skills.

Key competencies

• Deep understanding of regulatory compliance, especially NIS2.
• Strong analytical and risk assessment skills.
• Experience in conducting and maintaining supplier risk assessments.
• Ability to translate information security requirements into contractual clauses.
• Ability to influence and collaborate with internal and external stakeholders.
• Proactive, detail-oriented and committed to continuous improvement.

📝Your profile

Experience as: Confirmed Risk Manager

Skills

• Information Security Management
• Risk Management

Languages

• Dutch or French
• English

💼 Offer

You will be part of a growing Belgian SME where initiative and personal development are encouraged. We will provide you with an enjoyable work environment with fun colleagues. We will work out a career plan with you, with attention and a budget for extra education/certification. You can count on an attractive salary, supplemented with extra-legal benefits, including a company car.
(Freelance is also possible)