We are looking for a detail-oriented and proactive GRC professional with hands-on experience in SOC 2 Type 1 and Type 2, NIST CSF, NIST SP 800-53 and ISO 27001 controls.
Job Responsibilities:
- Lead and support the implementation, maintenance, and continuous improvement of information security compliance programs, specifically focusing on SOC 2 Type 1 and Type 2, NIST Cybersecurity Framework (CSF), NIST Special Publications (SP 800-53), and ISO 27001.
- Develop, review, and update security policies, procedures, and guidelines to align with relevant compliance frameworks and regulatory requirements.
- Conduct risk assessments and gap analyses against SOC 2, NIST, and ISO 27001 controls to identify areas for improvement and ensure audit readiness.
- Prepare and compile documentation, evidence, and responses for audit requests efficiently and accurately.
- Support the identification, assessment, and mitigation of information security risks in accordance with established risk management frameworks (e.g., NIST RMF).
- Contribute to risk assessments and business impact analysis.
- Maintain comprehensive documentation of security controls, compliance activities, and remediation plans.
- Prepare regular reports on compliance status, key metrics, and areas of concern for management and stakeholders.
- Perform comprehensive third-party risk assessments to evaluate vendor compliance with information security policies.
- Develop and maintain TPRM processes to monitor and mitigate risks associated with external vendors.
- Ensure effective communication and documentation of third-party risk assessments.
- Assist in drafting and updating organizational policies and procedures for governance and compliance.
Requirements
Job Specifications:
1. Qualification:
- Bachelor's degree in Engineering or closely related coursework in technology development disciplines
- Certifications: Security+, CEH, ISO 27001 Lead Implementer/Lead Auditor, CISA, CISM (good to have, but not mandatory)
2. Experience:
- Total Experience (1): 5-8 years
- Total Experience (2): 2-4 years
Knowledge and Experience:
- Demonstrable experience with the implementation and/or auditing of SOC 2 Type 1 and Type 2.
- Solid understanding and practical experience with NIST Cybersecurity Framework (CSF) and NIST Special Publications (e.g., SP 800-53).
- Knowledge of various security domains such as network security, application security, data privacy, and vulnerability management.
- Strong understanding of information security principles and related compliance controls, with the ability to articulate the relevance of each security control.
- Experience in the delivery of information security risk and compliance advisory services.
- Experience in management consulting and information security audits.
- Experience with technology risk assessments.
- Hands-on experience in GRC projects.
- Proficient in the preparation of reports, dashboards, and documentation.
- Ability to research and develop new risk-based security offerings.
- Comfortable working in a project-based / client-serving model.