JD Security Compliance Assistant 260224
Job Description: Security and Compliance Assistant (SCA)
PRF No.: CS — Personnel Requisition Form No. PR-HR, Revision 03
Date: 24 February 2026
Reason for Vacancy: Addition (new position)
| Field | Detail |
|---|---|
| Division | Information Security & Compliance |
| Department | Security and Compliance |
| Reports To | CISO / DPO / Management Representative (ISO) |
| Supervises | Project Staff, Interns, and Capstone Students (Project-Based) |
| Coordinates | Internal Departments, External Security Vendors, Academe Partners |
| Employment Type | Probationary / Project-Based |
| Prepared by | Justin Cesar N. Aquino, Operations Director — Feb 24, 2026 |
| Reviewed by | Lourdes P. Abayan, HRMD Director — Feb 24, 2026 |
| Approved by | Edna S. Arevalo, Chief Operating Officer — Feb 24, 2026 |
Justification for Hire
- Capacity Constraints: Current IT/Engineering staff are at 100% utilization with core operations, R&D (Synx Scheduler/Facilities Management), and client services. Justin Aquino currently absorbs CISO/DPO duties (saving company costs) but urgently needs an assistant to scale.
- Business Requirement: Escalating pressure from key enterprise clients (Globe, Ayala, Finance sector) requiring ISO 27001 certification for sensitive network engineering projects.
- Strategic Advantage: Will position Comfac as the exclusive ISO 9001/27001 partner for principals like Netgate, TrueNAS, and Frappe.
- Group Synergy & ROI: Cornersteel directly benefits from a secured, certified IT infrastructure. The assistant will handle Security and ISO 9001 for Comfac and CTO. The PHP 1–2M annual compliance cost will be offset by integrating the value of accredited services into client pricing models.
Job Summary
The Security and Compliance Assistant (SCA) supports the Chief Information Security Officer (CISO), Data Protection Officer (DPO), and ISO Management Representative in executing their delegated responsibilities for ISO 9001, ISO 27001, Business Continuity, and Process Integration. The SCA acts as the organizational bridge between compliance requirements and daily operations — capturing problem statements, conducting risk analyses across all departments, and planning incremental tasks to close security and quality gaps. Furthermore, the SCA maintains the continuous business plan for real-time compliance tracking, leads ongoing security programs, and transforms internal training materials into open-source knowledge bases for the company and partner communities.
Specific Duties and Responsibilities
1. Requirements Documentation & Problem Capture
- Contextualizing Challenges. Documents current organizational challenges and compliance requirements. Captures exact problem statements in the context of Quality Processes (ISO 9001), Information Security (ISO 27001), and Business Continuity Plans.
- Team Coordination. Works directly with departmental teams to capture and consolidate their operational realities, ensuring that the processes they use actually meet international standard requirements without breaking their workflow, and supports the associated planning and change management.
2. Risk Analysis, Business Planning & Scheduling
- Risk and Opportunity Management. Works closely with all organizational sections to conduct comprehensive risk analyses. Identifies, evaluates, and documents both risks and opportunities to strengthen the organization's overall security posture and quality management.
- Continuous Business Planning. Maintains a live, continuous tracker of the department's Business Plan. Logs and updates all ongoing projects, compliance programs, and Key Result Areas (KRAs) throughout the year, ensuring that leadership always has an up-to-date, accurate picture of the organization's current state of compliance.
- Gap Analysis & Incremental Execution. Analyzes compliance requirements to formulate actionable plans. Breaks down large ISO or Security mandates into schedulable, bite-sized tasks, allowing the organization to incrementally close gaps.
3. Documentation & Procedure Drafting
- Process Writing. Assists leadership in researching and writing work instructions, standard operating procedures (SOPs), research topics, and best practices. Ensures that documentation is clear, traceable, and easily auditable.
4. Program Leadership & Project Execution
- Leading Initiatives. Leads specific security and compliance projects and ongoing continuous improvement programs.
- Resource Management. Executes tasks personally, or delegates them to and guides the Project Staff, Interns, or Capstone Students assigned to help achieve compliance and security goals.
5. Vendor Coordination & Technology Evaluation
- Security Testing. Coordinates with external vendors for required compliance activities, such as scheduling and managing third-party Penetration Testing, and tracks the resulting findings through to remediation and closure.
- Technology Sourcing. Evaluates and coordinates the acquisition or deployment of new technologies needed to maintain compliance, security posture, and business continuity.
6. Knowledge Management & Community Engagement
- Internalizing Training. Takes raw training materials provided by leadership (such as Anki decks and raw technical manuals) and converts them into structured internal organizational knowledge.
- Wiki & Open-Source Management. Manages the company's internal and external Wiki. Transforms internal learnings into "open-source" company best practices to be shared with stakeholders, partner academes, and external security communities.
7. Continuous Learning & Professional Development
- Technology & Security Mastery. Engages in continuous personal improvement and training. Actively researches and learns new technologies, emerging security threats, and modern compliance practices to keep the organization's defenses and processes up to date.
- Audit Training. Undergoes continuous training to become a proficient Internal Auditor. Learns to independently lead security and process auditing programs to evaluate the company's ongoing compliance.
8. Other Tasks
- Other tasks that the CISO, DPO, or Management Representative may assign from time to time.
Job Specification
| Field | Detail |
|---|---|
| Education | BS Information Technology, BS Computer Science, or related fields. Best suited for candidates with an IT background combined with Business Analysis, Systems Analysis, or a strong Researcher background. |
| Experience | Fresh graduate or early-career professional with a strong interest in systemic processes, business/systems analysis, academic/corporate research, and documentation. |
| Hours of Work | Five (5) days a week on a compressed schedule (9.6 hours per day); overtime when needed. |
| Working Condition | Office-based with cross-departmental floor coordination |
| Skills | Strong technical writing, high analytical skills, project management, proficiency with Wiki/Documentation software. Must have the interpersonal skills to interview teams about their processes and risks. |
| Work Location | Makati Office (World Centre Building) or Mandaluyong Office (Calbayog St) |
Related Pages
- Job Descriptions — All job descriptions index
- SCA Program Plan 260320 — Full program plan defining the SCA's Improvement Cycle cadence, department documentation sequence, and ISO 9001/27001 audit model
- 2026 MIS IT KRA KPI Biz Plan — IT KRA/KPI targets and QO performance tracking
- Procedure: CC-Blast Data Breach Prevention — Data breach prevention SOP within scope of this role
- Business Continuity — Business continuity procedures within scope of this role
- 8D (Eight Discipline) Problem Solving Procedure — CAPA framework used in this role