PKF Algosmic Pvt Ltd

Cybersecurity Auditor - GRC

3-5 Years
Job Description

Job Description: Cybersecurity Auditor (GRC Focus)

Job Title: Cybersecurity Auditor / GRC Specialist

Experience Level: Mid-Level (3+ Years)

Location: Pune/Mumbai

Employment Type: Full-time

Role Summary

We are seeking a detail-oriented and analytical Cybersecurity Auditor to join our Governance, Risk, and Compliance (GRC) team. The ideal candidate has a minimum of 3 years of hands-on experience in information security auditing. You will be responsible for ensuring that our organisation (and/or our clients) maintains robust security standards, with a specific focus on ISO 27001 certification, SOC 2 attestation, and adherence to CERT-In (Indian Computer Emergency Response Team) guidelines.

Key Responsibilities

1. Compliance & Audit Management (ISO 27001 & SOC 2)

  • Plan and execute internal audits against ISO 27001:2022 standards and SOC 2 Trust Services Criteria (TSC) (Security, Availability, Confidentiality, Processing Integrity, and Privacy).
  • Conduct gap assessments to identify non-conformities and work with IT/Engineering teams to implement remediation plans.
  • Manage the evidence collection process for external audits and serve as a point of contact for external auditors.
  • Maintain the Information Security Management System (ISMS) documentation, including policies, procedures, and risk registers.

2. Regulatory Compliance (CERT-In)

  • Ensure organisational compliance with CERT-In directions, specifically regarding cyber incident reporting timelines (6-hour rule), log retention (180 days), and subscriber data handling.
  • Monitor and update internal protocols based on the latest advisories and vulnerabilities published by CERT-In.
  • Assist in the preparation of root cause analysis (RCA) reports for any security incidents as required by regulatory bodies.

3. GRC & Risk Management

  • Conduct periodic Risk Assessments (RA) and Data Protection Impact Assessments (DPIA).
  • Monitor third-party vendor risk by reviewing their security posture and compliance (TPRM).
  • Track and report on key GRC metrics and Key Performance Indicators (KPIs) to senior management.

Required Qualifications & Skills

Education & Experience:

  • Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field.
  • Minimum of 3 years of proven experience in IT Audit, GRC, or Information Security compliance.

Technical Competencies:

  • Deep knowledge of ISO 27001 (Lead Implementer or Auditor knowledge preferred).
  • Hands-on experience with SOC 2 Type I and Type II preparation and auditing.
  • Familiarity with the CERT-In cyber security directions, the DPDPA 2023, and the IT Act, 2000 (India).
  • Understanding of IT infrastructure (cloud security, firewalls, endpoint security) to effectively audit technical controls.

Certifications (Preferred but not mandatory):

  • CISA (Certified Information Systems Auditor)
  • ISO 27001 Lead Auditor / Lead Implementer
  • CompTIA Security+ or CRISC

Soft Skills:

  • Strong documentation and technical writing skills.
  • Ability to communicate complex compliance requirements to non-technical stakeholders.
  • Analytical mindset with high attention to detail.

Job ID: 135954643