About Equativ
Equativ is a leading independent advertising platform that connects advertisers and publishers to deliver seamless video and audiovisual experiences worldwide. In a data-driven ecosystem, the trust and security of our infrastructure are at the core of our value proposition.
Your mission
Reporting to the VP IT & Security, you will take direct ownership of the ISO 27001 certification program, to be delivered within a tight 12-month timeframe. You will design and execute the roadmap end-to-end: scoping, risk analysis, controls deployment, ISMS implementation, internal audit, and certification audit management.
The tight timeline requires a senior, autonomous profile, operational from day one, able to make decisions, mobilize cross-functional teams (Tech, Product, Sales, Ops, Legal, HR) and bring the entire company on board.
Key responsibilities
ISO 27001 program management (12 months)
- Define and own the certification roadmap: milestones, deliverables, dependencies, workload plan.
- Build and operate the Information Security Management System (ISMS): policies, procedures, Statement of Applicability (SoA), risk treatment plan.
- Manage the full audit cycle: internal pre-audit, final certification audit (stages 1 and 2), then annual surveillance and renewal audits. Select and manage the certification body.
- Report regularly to the VP IT & Security and the Executive Committee (KPIs / KRIs, progress, blockers).
Risk analysis and management
- Conduct and maintain risk assessments on critical assets using a recognized methodology (EBIOS RM, ISO 27005 or equivalent; operational mastery of at least one method is required).
- Analyze risks related to AI agents deployed within the company: map use cases, assess risks (data leakage, prompt injection, hallucinations, system access, third-party dependencies), define mitigation measures and associated controls.
- Define, track and challenge remediation plans with technical and business teams.
Audit, control and continuous improvement
- Implement permanent controls and the ISMS internal audit program.
- Run recurring operational tasks (access reviews, configuration reviews, logical and physical access controls, etc.) in direct collaboration with application and system owners.
- Manage penetration tests and the follow-up of their findings.
- Lead management reviews and continuous improvement loops.
Engage the company and collaborate cross-functionally
- Translate security topics for non-technical audiences (Sales, Marketing, Finance, HR).
- Design and roll out the security awareness and training plan.
- Own the responses to security questionnaires within RFPs and be the primary point of contact for third-party audits conducted by clients.
- Work in close collaboration with all departments: Legal / DPO (GDPR alignment, contracts, AI Act), R&D / Product (security by design, architecture reviews, AI), Finance (vendor risk analysis, security budget), HR (awareness, access management, onboarding/offboarding), Ops and Cloud teams.
Leverage AI to drive efficiency
- Make daily use of generative AI tools (assistants, agents, automations) to accelerate documentation, gap analysis, controls mapping, customer questionnaire handling and reporting.
- Promote AI usage best practices within the security perimeter, in line with confidentiality requirements.
Candidate profile
Experience
- Minimum 8 to 12 years in cybersecurity / GRC, including significant experience leading an ISO 27001 certification end-to-end (ideally already achieved under a comparable time constraint).
- Experience in international environments, ideally SaaS, AdTech, media or data-driven companies.
Technical and methodological skills
- In-depth mastery of ISO 27001 / 27002 and the ISMS.
- Operational mastery of at least one risk analysis methodology (EBIOS RM or ISO 27005).
- Ability to conduct risk analysis on AI agents deployed internally (frameworks such as ISO/IEC 42001, NIST AI RMF, OWASP Top 10 for LLM, AI Act).
- Solid knowledge of complementary frameworks (SOC 2, NIST CSF); knowledge of TCF v2.2 (AdTech) is a plus.
- Cross-functional understanding of Cloud security, sufficient to interact effectively with technical teams.
Soft skills (decisive)
- Outstanding communication skills: proven ability to engage tech and non-tech audiences, to arbitrate and challenge without alienating.
- Cross-functional teamwork: confirmed ease working with Legal, R&D, Finance, Product, HR and Ops counterparts.
- Cross-functional leadership, political acumen, ability to drive a program in a matrixed environment.
- Pragmatic, business- and delivery-oriented mindset, comfortable with tight deadlines.
Languages
AI-first culture
Practical information
Reports to: VP IT & Security