Senior Information Security Auditor (Technical) – TISAX, NIST & CMMC (GTO, Montreal, Ottawa)

AuditFull TimeCanadaHybrid

Senior Information Security Auditor (Technical) – TISAX, NIST & CMMC (GTO, Montreal, Ottawa)

Seratos is seeking an experienced Senior Information Security Auditor to join our growing consulting practice. This client-facing role is focused on delivering information security auditing, compliance assessments, and certification readiness services across multiple security frameworks, with particular emphasis on ISO/IEC 27001:2022, TISAX® (VDA ISA), NIST Cybersecurity Framework (CSF), NIST SP 800-171, and Cybersecurity Maturity Model Certification (CMMC).

The successful candidate will lead ISMS audits, conduct technical and governance assessments, perform gap analyses, facilitate readiness activities, and support clients throughout certification and regulatory audit processes. This role requires a strong technical understanding of information security controls, risk management, secure system architectures, and compliance frameworks.

Key Responsibilities

Information Security Audits

  • Lead and conduct internal audits and independent assessments against information security frameworks including:
    • TISAX (VDA ISA)
    • NIST Cybersecurity Framework (CSF)
    • NIST SP 800-171
    • CMMC Level 1 and Level 2 requirements
    • ISO/IEC 27001:2022
    • SOC 2 Trust Services Criteria
  • Evaluate the effectiveness of administrative, technical, and physical security controls.

Gap Assessments & Compliance Readiness

  • Perform detailed gap assessments and maturity evaluations.
  • Develop practical remediation recommendations and prioritized action plans.
  • Assess control implementation, evidence quality, and operational effectiveness.

TISAX and CMMC Readiness Programs

  • Support clients preparing for TISAX assessments and CMMC certification efforts.
  • Conduct readiness reviews, mock assessments, and evidence validation exercises.
  • Assist clients in implementing corrective actions and strengthening control environments.

Security Governance & Risk Management

  • Evaluate information security governance structures, risk management processes, supplier security programs, and incident response capabilities.
  • Review policies, procedures, standards, and technical documentation for compliance and effectiveness.

Incident Response & Tabletop Exercises

  • Design and facilitate tabletop exercises and cyber incident simulations.
  • Assess organizational preparedness and provide recommendations for improvement.

Third-Party Audit Support

  • Support clients during certification audits, customer assessments, regulatory reviews, and external examinations.
  • Act as a trusted advisor during audit preparation, evidence collection, and auditor interactions.

Reporting & Client Advisory

  • Prepare comprehensive audit reports, executive summaries, risk assessments, and remediation roadmaps.
  • Present findings and recommendations to client leadership, technical teams, and stakeholders.

Stakeholder Engagement

  • Build strong client relationships and serve as a trusted advisor on information security and compliance matters.
  • Collaborate with cross-functional teams including IT, Engineering, Legal, Quality, and Executive Leadership.

Required Qualifications

Experience

  • Minimum of 5 years of experience in information security auditing, compliance consulting, cybersecurity governance, or risk management.
  • Demonstrated experience conducting assessments against one or more of the following:
    • TISAX (VDA ISA)
    • NIST CSF
    • NIST SP 800-171
    • CMMC
    • ISO/IEC 27001
    • SOC 2
  • Experience supporting organizations through external audits, certification assessments, or regulatory reviews.

Technical Knowledge

Strong understanding of:

  • Information Security Management Systems (ISMS)
  • Risk assessment methodologies
  • Security architecture and technical controls
  • Identity and Access Management (IAM)
  • Endpoint and infrastructure security
  • Cloud security environments (AWS, Azure, Google Cloud)
  • Incident response and business continuity
  • Supplier and third-party risk management

Certifications

Required (one or more):

  • ISO/IEC 27001 Lead Auditor
  • Certified Information Systems Auditor (CISA)

Strongly Preferred Technical Background

  • Hands-on experience in cybersecurity engineering, cloud security, DevOps, infrastructure operations, software development, security operations (SOC), industrial control systems (ICS/SCADA), operational technology (OT), IoT security, or enterprise architecture.
  • Experience implementing or managing security controls rather than solely auditing them.
  • Ability to evaluate both the design and operational effectiveness of technical security controls across complex environments.
  • Experience in regulated industries including automotive, aerospace, defense, manufacturing, critical infrastructure, or technology.

Certifications:

  • Certified Information Security Manager (CISM)
  • CISSP
  • Certified CMMC Professional (CCP)
  • Certified CMMC Assessor (CCA)
  • TISAX Assessor qualification or direct TISAX assessment experience
  • ISO 22301 Lead Auditor
  • ISO 9001 Lead Auditor

Professional Skills

  • Excellent written and verbal communication skills.
  • Strong analytical and investigative capabilities.
  • Ability to translate complex technical findings into actionable business recommendations.
  • Experience leading client engagements and managing multiple projects simultaneously.
  • Strong presentation and stakeholder management skills.

Education

  • Bachelor's degree in Cybersecurity, Information Systems, Computer Science, Engineering, or a related technical discipline.
  • Equivalent combination of education, certifications, and relevant experience will be considered.

Preferred Industry Experience

Experience working with organizations in one or more of the following sectors is highly desirable:

  • Automotive and Mobility
  • Defense and Aerospace
  • Manufacturing
  • Technology and Software
  • Critical Infrastructure
  • Government Contractors

Why Join Seratos?

At Seratos, we believe the best auditors are those who have built, operated, secured, and assessed real-world systems. We are not looking for professionals whose experience is limited to reviewing documentation and checklists. We are seeking experienced technical practitioners who understand how security controls are implemented in practice and can evaluate their effectiveness in complex environments.

Our clients operate in industries where security is deeply integrated into technology, engineering, and operations. As a result, our auditors regularly assess environments involving:

  • Cloud and DevOps platforms
  • Software development and secure SDLC programs
  • Industrial Control Systems (ICS) and Operational Technology (OT)
  • IoT and connected-device ecosystems
  • Automotive cybersecurity environments
  • Manufacturing and engineering systems
  • Critical infrastructure and defense supply chains
  • Enterprise and hybrid cloud architectures

Unlike large consulting organizations where professionals are often confined to narrow roles, Seratos provides opportunities to work across multiple frameworks, industries, and technical environments. Our consultants and auditors work directly with clients, senior leadership, and subject matter experts to solve complex security and compliance challenges.

We value practical experience and technical credibility. Candidates with hands-on backgrounds in cybersecurity engineering, DevOps, cloud security, software development, infrastructure engineering, industrial security, IoT security, or security operations are strongly encouraged to apply.

Professionals who thrive at Seratos are those who enjoy bridging the gap between technical implementation and compliance requirements, helping organizations achieve meaningful security outcomes rather than simply passing audits.