Role: Information Security Consultant
Level: Senior
Location: Stockholm, Sweden
Remote work: Up to 25%
Duration: 9 March 2026 to 30 November 2026
Weekly hours: 40

About the assignment

This role sits within the Governance, Risk and Compliance area of cyber security. The focus is on keeping the organization’s security posture strong, adaptable and aligned with business needs. The work spans three main areas: setting up clear governance structures, managing cyber and technology risks throughout their lifecycle, and ensuring the company meets relevant laws, standards and regulatory expectations globally.

You’ll be part of a team that makes sure security practices are consistently applied across all H&M markets. The position involves close collaboration with teams throughout the organization and contributes to ongoing improvements in both processes and services.

The role takes the lead in shaping and maintaining the governance framework, overseeing risk management activities, ensuring compliance with international standards, and supporting resilience through continuity and crisis-related work. It requires deep understanding of cyber security principles and the ability to translate strategy into concrete action across the H&M Group.

Responsibilities

In this role, you will:

• Help develop and refine the organization’s cyber security GRC frameworks.

• Ensure governance models and security policies are accessible, clear and adopted across all parts of the business.

• Lead and support cyber risk assessments at both enterprise and operational levels, maintaining central risk registers.

• Create audit and control-testing plans, and evaluate compliance and control performance.

• Promote continuous improvement by identifying more effective controls and streamlined processes.

• Work closely with internal teams and external partners, including vendors, to manage cyber risks and ensure alignment with internal requirements and contracts.

• Act as a visible representative for cyber security, making complex topics understandable to non-specialists.

Qualifications

• Around 5+ years of experience in cyber security within a global environment.

• Approximately 3+ years working specifically with governance, risk and compliance.

• Relevant education in GRC or information/cyber security (university degree, vocational diploma or equivalent experience).

• Solid understanding of regulatory compliance in an international context.

• Strong knowledge of cyber security standards and frameworks such as ISO 27001, ISO 31000, ISO 22301, NIST CSF or C2M2.

• Demonstrated experience in risk management and reporting for global organizations.

• Background in designing and maintaining cyber security frameworks.

• Experience collaborating with auditors and QSAs in assessments and certification processes.

• Excellent English communication and collaboration skills.

• Experience promoting security awareness and contributing to a positive security culture.

• Strong change-management capabilities.

Preferred certifications

• CISM, CISSP, CCISO or similar information/cyber security certifications.

• ISO 27001 credentials, such as Lead Implementor or Lead Auditor.

Required skills

• Regulatory compliance and audit experience

• Strong stakeholder-management and communication abilities

• Cybersecurity risk management

• Governance and framework development

• Security culture and change-management experience

• Knowledge of security standards and best practices

• Security control design and testing

• Familiarity with ISO 27001, ISO 31000, ISO 22301, NIST CSF

• Proficiency in English

Recruitment Partner: Sperton

This position is exclusively managed by Sperton, a global talent partner connecting high-performing professionals with leading organizations worldwide.