Information Security Engineer
Own Ardena Oss’s ISMS journey as Information Security Engineer: lead ISO 27001, drive risk controls, and safeguard GMP IT across sites with independent ownership and real-world impact.
About Ardena
Ardena is a global Contract Development and Manufacturing Organisation (CDMO) and Contract Research Organisation (CRO) specialising in precision medicine development. Ardena supports pharmaceutical and biotechnology companies in bringing innovative, complex molecules from discovery to market.
The Ardena Group operates from five sites across Europe and the United States, employing more than 750 professionals. Ardena's European sites are located in Oss and Assen (the Netherlands), Ghent (Belgium), and Pamplona (Spain). Ardena's US facility is based in Somerset, New Jersey.
Ardena provides integrated services spanning drug substance development, drug product formulation, GMP manufacturing, bioanalytical services, clinical logistics, fill and finish, and CMC regulatory support.
For the Ardena site based in Oss, we are looking for an Information Security Engineer.
Information security has been part of the IT organisation, handled alongside everything else that keeps our infrastructure and systems running. As our organisation grows and the regulatory and cyber landscape becomes more demanding, it is time for IT security to have its own dedicated focus.
This role is not a junior position. We are looking for someone who can own our information security programme, run it independently, and develop it further. You will work closely with the IT Operations Director and have direct visibility across the organisation, but we expect you to drive the agenda, not wait for it.
WHAT YOU WILL DO
ISO 27001 & ISMS
• Own and maintain the Information Security Management System (ISMS) in line with ISO 27001, amongst other ISO standards.
• Drive the implementation roadmap, perform gap analyses, and create risk treatment plans, the policy framework, and controls.
• Prepare for and manage external certification and surveillance audits.
• Conduct internal audits and track corrective actions to closure.
• Identify process improvements and increase cybersecurity awareness.
Risk & Compliance
• Maintain the information security risk register and ensure risks are assessed, accepted, or treated.
• Monitor compliance with internal policies and applicable regulations (NIS2, GDPR from an IT security angle).
• Provide security input to new IT projects, system implementations, and vendor assessments.
Operational Security
• Manage vulnerability assessments, patch compliance tracking, and penetration testing cycles.
• Own the incident response process for security events — detection, containment, reporting, post-incident review.
• Oversee access management principles and periodically review user rights.
• Coordinate security awareness training and phishing exercises across the organisation.
Stakeholders & Reporting
• Report on security posture and KPIs to IT management and, where relevant, to senior leadership.
• Act as the point of contact for information security questions from internal stakeholders, clients, and auditors.
WHAT WE ARE LOOKING FOR
Background & Education
• Bachelor's degree in IT security, cybersecurity, computer science, or a related field from a university of applied sciences (HBO).
• ISO 27001 Lead Implementer or Lead Auditor certification is a strong plus; solid working knowledge of the standard is a must.
Experience
• 3 to 5 years of hands-on experience in an information security or IT security role; this means not just advisory work, but actual implementation and operations.
• Demonstrated experience running or contributing to an ISO 27001 programme (gap analysis, audits, controls, risk assessments).
• Comfortable working in complex, multi-site IT environments with a mix of on-premise and cloud infrastructure.
Technical Understanding
• Solid understanding of IT systems — networks, servers, endpoints, Active Directory, cloud services — at a level that lets you have a credible technical conversation.
• Familiarity with vulnerability management tooling, SIEM concepts, and endpoint security.
• Able to read and interpret security logs, understand firewall rules, and assess access configurations.
How you work
• You take ownership. You see what needs to be done and you do it — without needing someone to walk alongside you every step of the way.
• You can translate technical risk into plain language for management and non-technical stakeholders.
• You are structured, thorough, and comfortable in a regulated environment where documentation and auditability matter.
• Fluent in English; Dutch is an advantage for day-to-day interaction with colleagues.
• You are prepared to travel to Ardena sites on an occasional basis (approximately 5% of your time).
Nice to have
• Additional certifications such as CISSP, CISM, CEH, or CompTIA Security+.
• Experience in a GxP-regulated environment (pharmaceutical, medical device, food) — you do not need to know GxP, but if you do, great.
• Familiarity with the NIS2 Directive and its implications for critical infrastructure operators.
• Experience with cloud security (Microsoft Azure / M365 security stack).
WHAT WE OFFER
A role with real scope and visibility in a growing, international CDMO. You will not be part of a large security team processing tickets; you will be the person shaping the information security programme. The work is varied, the environment is professional and regulated, and there is room to build something that lasts.
A challenging and impactful leadership role in a learning organisation that supports professional growth.
A collaborative, international working environment with engaged and knowledgeable colleagues.
An open corporate culture with short communication lines.
Attractive employment conditions.
Flexible working hours to support work–life balance.
HOW TO APPLY
Ready to start your career path with Ardena? Click the application button and join us in shaping the future of drug development!
Only candidates eligible to work in the EU will be considered for the position. Unfortunately, given the high volume of applications we receive for our vacancies, applicants who are not entitled to work in the European Union will not be given a status update. Agency calls will not be appreciated.