Head of Information Security
Vertiseit Group
Role Overview
I lead and strengthen information security across governance, compliance, technical controls, customer trust, and day-to-day security operations at Vertiseit Group.
The role builds on my earlier work as a software developer at Vertiseit, which gives me a practical bridge between policy, engineering, product teams, and customer-facing security requirements. A lot of the work is about turning requirements into practical routines: controls people can follow, evidence that can be trusted, technical safeguards that reduce risk, and security processes that fit how teams work.
This page is intentionally detailed. I use it as a living record of the work I have contributed to in the role.
Governance, Compliance, And ISMS Work
During my first year in the role, I led work around ISO 27001 certification and continued the follow-through into SOC 2 Type II and TISAX readiness. That work has included developing the Information Security Management System, setting up control ownership, structuring evidence collection, and making sure that policies, procedures, and recurring control activities are understandable enough for people outside the security function to use.
I rewrote and coordinated re-approval for the security policy framework, and connected those policies to supporting processes, procedures, and instructions. This includes risk management guidance, grading instructions, risk assessment routines, review cycles, exception handling, and practical instructions for how teams should follow the controls in their daily work.
I set up Vanta as the platform for managing controls and evidence across ISO 27001, SOC 2, and future framework work. This supports clearer ownership, better follow-up, and a stronger connection between documented controls and day-to-day operations. I have also prepared security status material for leadership meetings, including control status, risk, progress, and follow-up actions.
Risk management is a major part of the role. I am responsible for the risk register, not only for information security risk, but also for supporting business and enterprise risk work together with executive management and departments across the organization. That work includes corporate, financial, sustainability, operational, and compliance-related risks. I help departments identify and assess their own risks, define risk owners, document treatment plans, and apply risk acceptance routines based on risk score and decision level.
The governance work has also included vendor risk, where I have completed a large number of vendor assessments. Those assessments are important not only for compliance, but for understanding service dependencies, risk exposure, and the contractual, technical, and operational controls around third-party services.
I have also helped build and maintain an asset and data inventory that connects applications, ownership, access, and data types. That work supports compliance, access governance, vendor reviews, and a clearer view of how information moves through the organization.
Secure Development And Technical Controls
I have worked on security rules and routines for how developers should work, including code review expectations, vulnerability review, and secure development habits. I have introduced and supported tools for code review and vulnerability scanning, and I have helped remediate vulnerabilities and security issues across product and cloud environments.
One of the larger technical projects has been repository consolidation. I was responsible for migrating thousands of repositories into GitHub from several different environments, including Azure DevOps, GitLab, Bitbucket, other GitHub instances, and related setups. That work created a stronger foundation for standardizing access, review workflows, visibility, and developer security controls.
I set up the GitHub enterprise environment and introduced security baselines for developer workflows. This includes enterprise-level repository controls, stronger review requirements, SSO and MFA enforcement, security scanning, dependency visibility, and SBOM-related work.
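Added example, not part of this page and not Vertiseit's own tooling: a Python checker that compares each repository to a developer-security baseline of the kind the paragraph above describes. It evaluates JSON in the shape GitHub's REST API returns from `GET /repos/{owner}/{repo}` (the `security_and_analysis` object) and from the branch protection endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`, which answers 404 when the branch is unprotected. The baseline values (one required approval, stale approvals dismissed, admins bound by the rules, no force pushes, scanning features enabled) and the sample repositories are assumptions constructed for illustration.

```python
"""Audit GitHub repositories against a developer-security baseline.
Added example, not Vertiseit's own tooling. Records follow the shape of
GET /repos/{owner}/{repo} (security_and_analysis) and
GET /repos/{owner}/{repo}/branches/{branch}/protection (404 = unprotected).
Baseline values and sample repositories are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

MIN_APPROVALS = 1                      # assumed baseline value
SCANNING = ("secret_scanning", "secret_scanning_push_protection",
            "dependabot_security_updates")

@dataclass(frozen=True)
class Finding:
    repo: str
    control: str
    detail: str

def _feature_status(repo: dict, feature: str) -> str:
    """'enabled', 'disabled', or 'unknown' when the field is absent (for example
    because the token cannot see it); unknown is reported, never treated as a pass."""
    sa = repo.get("security_and_analysis") or {}
    return (sa.get(feature) or {}).get("status", "unknown")

def evaluate_repo(repo: dict, protection: Optional[dict]) -> list:
    """Return baseline deviations for one repository and its default-branch protection."""
    name = repo["name"]
    if repo.get("archived"):
        return []                      # read-only repository; nothing to enforce
    findings = []
    for feature in SCANNING:
        status = _feature_status(repo, feature)
        if status != "enabled":
            findings.append(Finding(name, feature, f"status is {status}"))
    if protection is None:
        findings.append(Finding(name, "branch_protection",
                                f"none on {repo.get('default_branch', 'default branch')}"))
        return findings
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        findings.append(Finding(name, "required_reviews", "PR review not required"))
    else:
        n = reviews.get("required_approving_review_count", 0)
        if n < MIN_APPROVALS:
            findings.append(Finding(name, "required_reviews",
                                    f"{n} approvals required, baseline is {MIN_APPROVALS}"))
        if not reviews.get("dismiss_stale_reviews"):
            findings.append(Finding(name, "dismiss_stale_reviews",
                                    "approvals survive new commits"))
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        findings.append(Finding(name, "enforce_admins", "admins can bypass the rules"))
    if (protection.get("allow_force_pushes") or {}).get("enabled"):
        findings.append(Finding(name, "allow_force_pushes", "history can be rewritten"))
    if not (protection.get("required_status_checks") or {}).get("contexts"):
        findings.append(Finding(name, "required_status_checks", "no required CI checks"))
    return findings

# Constructed sample shaped like the API responses; these are not real repositories.
def _repo(name, archived=False, **features):
    return {"name": name, "archived": archived, "default_branch": "main",
            "security_and_analysis": {k: {"status": v} for k, v in features.items()}}

SAMPLE = {
    "signage-api": (_repo("signage-api", secret_scanning="enabled",
                          secret_scanning_push_protection="enabled",
                          dependabot_security_updates="enabled"),
                    {"required_pull_request_reviews": {"required_approving_review_count": 1,
                                                       "dismiss_stale_reviews": True},
                     "enforce_admins": {"enabled": True},
                     "allow_force_pushes": {"enabled": False},
                     "required_status_checks": {"strict": True, "contexts": ["ci/test"]}}),
    # freshly migrated: push protection off, Dependabot field absent, no protection at all
    "legacy-import": (_repo("legacy-import", secret_scanning="enabled",
                            secret_scanning_push_protection="disabled"), None),
    # protected, but weaker than the baseline
    "player-web": (_repo("player-web", secret_scanning="enabled",
                         secret_scanning_push_protection="enabled",
                         dependabot_security_updates="enabled"),
                   {"required_pull_request_reviews": {"required_approving_review_count": 0,
                                                      "dismiss_stale_reviews": True},
                    "enforce_admins": {"enabled": False},
                    "allow_force_pushes": {"enabled": True},
                    "required_status_checks": {"strict": True, "contexts": ["build"]}}),
    "old-cms": (_repo("old-cms", archived=True), None),
}

def audit_sample() -> dict:
    """Evaluate every sample repository; keyed by repository name."""
    return {name: evaluate_repo(repo, prot) for name, (repo, prot) in SAMPLE.items()}

if __name__ == "__main__":
    for name, findings in audit_sample().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print(f"  - {f.control}: {f.detail}")
```

For a live audit the same `evaluate_repo` is fed by paging through `GET /orgs/{org}/repos` and fetching each repository's default-branch protection, treating a 404 as "no protection". Two caveats: SSO and MFA enforcement are enterprise- and organization-level settings that never appear on the repository object, so they need a separate check, and an `unknown` scanning status should be followed up rather than counted as compliant.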
I also introduced vulnerability remediation expectations and SLA tracking, with prioritization based on severity and business context. This gives teams clearer expectations and gives security a better way to follow remediation progress across the organization.
I have also worked with Microsoft security configuration, device compliance, and Defender-related work, including follow-up on security alerts and endpoint posture. In parallel, I have supported daily security questions around data minimization, account risk, technical controls, and how teams should handle specific security decisions in practice.
Identity, Access, And Operational Cleanup
Access control has been a major part of the role. I have led larger access reviews for important systems and worked on processes for continuously identifying inactive users so they can be removed when access is no longer needed. That work supports both cost control and reduced account risk.
I have helped define periodic access review routines where critical and high-risk systems are reviewed more frequently, medium-risk systems are included based on priority, and lower-risk systems are reviewed on a recurring cycle. I have also worked on joiner, mover, and leaver routines, single sign-on patterns for existing systems, and permission and user-management models for new tools and applications.
External user governance has also been part of the work. In Microsoft Entra, I helped introduce routines for following up on inactive guest accounts and ended customer projects, so external access can be reviewed and removed when it is no longer needed.
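Added example, not the page's or Vertiseit's own script, for the inactive-user and guest follow-up described in the paragraphs above. It takes user records in the shape Microsoft Graph returns for `GET /users` with `signInActivity` selected (which requires the `AuditLog.Read.All` permission), decides whether each account should be kept, disabled, removed, or have its unaccepted invitation revoked, and groups guests by the home domain encoded in the `#EXT#` user principal name so the accounts left over from an ended customer project can be reviewed as a unit. The idle thresholds, the break-glass exclusion, the `vertiseit.example` domain and every sample account are assumptions constructed for illustration.

```python
"""Flag inactive members and guests from Microsoft Entra user records.
Added example, not Vertiseit's own script. Input records follow Microsoft Graph
GET /users?$select=userPrincipalName,userType,accountEnabled,createdDateTime,
externalUserState,signInActivity. Thresholds and exclusions are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

MEMBER_IDLE_DAYS = 90          # assumed policy values, not a published standard
GUEST_IDLE_DAYS = 60
INVITE_EXPIRY_DAYS = 14        # unaccepted guest invitations older than this are revoked
EXCLUDED_UPNS = {"breakglass@vertiseit.example"}  # assumed break-glass account

@dataclass(frozen=True)
class Review:
    upn: str
    user_type: str
    action: str                # keep | disable | remove | revoke_invite
    days_idle: Optional[int]
    domain: Optional[str]      # guest's home domain, parsed from the #EXT# UPN

def _parse(ts: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def last_activity(user: dict) -> Optional[datetime]:
    """Latest interactive or non-interactive sign-in, or None if Graph has none
    recorded; None alone does not prove the account is unused, so callers fall
    back to the creation date."""
    act = user.get("signInActivity") or {}
    stamps = [_parse(act.get("lastSignInDateTime")),
              _parse(act.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s]
    return max(stamps) if stamps else None

def guest_domain(upn: str) -> Optional[str]:
    """'jane_partner.example#EXT#@t.onmicrosoft.com' -> 'partner.example'."""
    if "#EXT#" not in upn:
        return None
    local = upn.split("#EXT#", 1)[0]
    return local.rsplit("_", 1)[1] if "_" in local else None

def classify(user: dict, now: datetime) -> Review:
    """Decide the review action for one user record at time `now`."""
    upn = user["userPrincipalName"]
    utype = user.get("userType") or "Member"
    domain = guest_domain(upn) if utype == "Guest" else None
    if upn in EXCLUDED_UPNS or not user.get("accountEnabled", True):
        return Review(upn, utype, "keep", None, domain)   # excluded or already disabled
    created = _parse(user.get("createdDateTime"))
    if utype == "Guest" and user.get("externalUserState") == "PendingAcceptance":
        age = (now - created).days if created else None
        action = "revoke_invite" if age is None or age > INVITE_EXPIRY_DAYS else "keep"
        return Review(upn, utype, action, age, domain)
    last = last_activity(user) or created          # never signed in: age from creation
    idle = (now - last).days if last else None
    limit = GUEST_IDLE_DAYS if utype == "Guest" else MEMBER_IDLE_DAYS
    if idle is None or idle > limit:
        return Review(upn, utype, "remove" if utype == "Guest" else "disable", idle, domain)
    return Review(upn, utype, "keep", idle, domain)

def guests_by_domain(reviews) -> dict:
    """Group guest reviews by home domain so a finished customer project can be
    offboarded as a unit rather than one account at a time."""
    groups = defaultdict(list)
    for r in reviews:
        if r.domain:
            groups[r.domain].append(r)
    return dict(groups)

# Constructed sample records (not real accounts); "now" is fixed for reproducibility.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
EXT = "#EXT#@vertiseit.onmicrosoft.com"
SAMPLE_USERS = [
    {"userPrincipalName": "anna@vertiseit.example", "userType": "Member", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-05-28T00:00:00Z"}},
    {"userPrincipalName": "bob@vertiseit.example", "userType": "Member", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-01-10T08:00:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-02-01T00:00:00Z"}},
    {"userPrincipalName": "jane_partner.example" + EXT, "userType": "Guest", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-02-20T12:00:00Z"}},
    {"userPrincipalName": "kim_partner.example" + EXT, "userType": "Guest", "accountEnabled": True,
     "signInActivity": {"lastSignInDateTime": "2025-05-20T12:00:00Z"}},
    {"userPrincipalName": "lee_customer.example" + EXT, "userType": "Guest", "accountEnabled": True,
     "externalUserState": "PendingAcceptance", "createdDateTime": "2025-03-01T00:00:00Z"},
    {"userPrincipalName": "breakglass@vertiseit.example", "userType": "Member", "accountEnabled": True},
]

def review_sample() -> list:
    return [classify(u, NOW) for u in SAMPLE_USERS]

if __name__ == "__main__":
    for r in review_sample():
        print(f"{r.action:13} {r.upn} (idle {r.days_idle} days)")
```

The output is a review list, not an automated deletion: a guest who owns a group or an enterprise application, or a member on parental leave, still needs a human decision, and Graph only began populating `signInActivity` when sign-in logging started, which is why accounts with no recorded sign-in are aged from `createdDateTime` instead of being assumed unused.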
Incident Readiness, Backup Testing, And Response
I have worked on incident readiness by creating an incident tabletop template and running tabletop exercises with the organization. I also helped define incident severity levels, escalation paths, role expectations during incidents, and post-incident review routines.
Business continuity and disaster recovery have also been part of the role. I have helped coordinate business continuity and disaster recovery planning, led backup testing, and helped validate restore readiness across systems.
The role has also included active response work. I have helped handle and mitigate security issues across environments, supported follow-up when new vulnerabilities or threat activity affected relevant systems, and helped coordinate internal response when fast cross-functional action was needed.
Security Awareness, Policies, And People Processes
I have helped make security policies more operational by ensuring that people read and acknowledge them. I also implemented security training in an existing awareness system and later evaluated and signed a new tool for cyber security training and phishing simulation.
Security awareness has included both training and phishing simulation work. I helped reach full completion of mandatory security training across the organization and prepared for a broader, more frequent awareness and phishing program through the new platform.
The people side of security has included setting up a background screening process before people start working, supporting HR-related security routines, and making sure that training and policy work is not only documented for audits but actually reaches the organization.
Customer Trust And Procurement Support
Customer trust is a large part of the work. I have answered a large volume of security questions from customers across several products, supported procurement processes, and participated in customer and subsidiary discussions where security needed to be explained clearly and accurately.
This work often sits between security, sales, product, legal, and engineering. The goal is to give customers good answers without overpromising, to make sure internal teams understand what has been committed, and to turn repeated customer questions into better documentation, controls, and trust material.
I built the Vertiseit Trust Center using Vanta and created reusable security questionnaire material for customers. The trust center makes it easier to share relevant documentation based on customer needs and approved access, while the standardized questionnaire material helps answer recurring security questions more efficiently.
Customer security work has supported procurement and larger customer discussions. I have been involved in security conversations for group companies and customer processes where clear security answers, documentation, and follow-up are important parts of the business relationship.
I have also migrated and configured status pages for group companies so that customers can monitor service status and availability. That work supports transparency, SLA follow-up, and customer confidence when something happens.
AI Governance And AI-Assisted Development
I have been part of the AI Task Force and have taken responsibility for the security side of internal AI usage and AI-assisted applications. That work includes usage guidance, security and privacy review of AI vendors, approval paths for new AI tools, advising on new AI services, and helping make sure that tools are configured in a way that matches our security expectations.
I have worked on access and configuration decisions for internal AI tooling and supported permission and user-management patterns for AI-assisted development platforms. I have also helped implement authentication solutions for AI-assisted applications so that new internal tools can move quickly without ignoring identity and access control.
Part of this work is making AI governance enforceable. That means working closely with internal IT and other stakeholders so that purchasing, licensing, access, and approved usage paths support the guidelines in practice.
How I Think About The Role
The role is broad, but the common thread is making security useful. Compliance frameworks, audits, tools, policies, access reviews, training, customer questionnaires, incident exercises, and technical remediation matter most when they support how the organization actually works.
My focus is to connect those pieces: to make security understandable for leadership, practical for engineering, credible for customers, usable for employees, and grounded enough that it still works when something breaks.