

Role
We are building our information security function from the ground up. As our first Information Security Manager / GRC Lead, you will be the operational owner of Flam's entire compliance programme and will work hands-on in Scrut.io to drive ISO 27001:2022 and SOC 2 Type I certification within 3–4 months. This is a high-impact, high-visibility role at a company whose core product is AI — meaning you will be helping define what responsible AI security looks like in practice, not just checking boxes.
What You'll Own
ISO 27001 & SOC 2 Implementation
• Drive end-to-end implementation of ISO 27001:2022 across all 88 applicable Annex A controls and SOC 2 Trust Service Criteria, using Scrut.io as the single source of truth
• Own the Statement of Applicability (SoA), risk register, risk treatment plan, and all ISMS documentation
• Coordinate evidence collection across Engineering, DevOps, HR, Finance, and Sales — translating control requirements into actionable tasks for each team
• Manage the internal audit cycle, prepare for Stage 1 and Stage 2 ISO 27001 audits, and coordinate with the external CPA firm for SOC 2
• Track all 239 Scrut controls to completion, assign owners, and chase evidence deadlines
Policy & Documentation
• Draft, review, and get management approval for all ISMS policies — Access Control, Incident Response, Data Classification, BCP/DR, Vendor Management, Acceptable Use, and more
• Maintain the legal and regulatory register covering CCPA/CPRA (California) and applicable federal requirements
• Ensure all policies are published, acknowledged, and kept current in Scrut
Risk Management
• Conduct and maintain the organisation's information security risk assessment — identifying threats, scoring likelihood and impact, and producing a risk treatment plan
• Maintain the risk register in Scrut and present findings at quarterly ISG meetings and annual Management Review Meetings (MRM)
• Conduct Data Protection Impact Assessments (DPIAs) for new product features, particularly those involving personal data
Vendor & Third-Party Security
• Own the vendor security assessment programme — completing questionnaires and reviews for GCP, Modal.com, and all critical SaaS tools
• Ensure security clauses are present in all vendor contracts and customer MSAs
• Maintain the third-party inventory in Scrut with classification and review cadence
Security Awareness & Culture
• Launch and manage the company-wide security awareness training programme for 100+ employees — track completion in Scrut
• Run quarterly phishing simulations and document results
• Build a security-first culture — be the person people come to with questions, not the person who sends scary emails
Incident Response & Monitoring
• Own and maintain the Incident Response Policy and Playbook
• Coordinate tabletop exercises before audit milestones
• Monitor and triage security events in collaboration with the DevOps and IT teams
What We're Looking For
Must Have
• 3–5 years of experience in information security, GRC, or compliance roles
• Hands-on experience implementing or maintaining ISO 27001 — you have been through at least one certification cycle end-to-end
• Solid understanding of SOC 2 Trust Service Criteria and what auditors look for
• Experience using a GRC platform (Scrut.io, Vanta, Drata, Tugboat Logic, or equivalent)
• Ability to translate technical security controls into plain-English policies and evidence tasks that non-security teams can execute
• Strong project management skills — you are comfortable owning deadlines, chasing stakeholders, and escalating blockers
• Familiarity with cloud security concepts — GCP or AWS — and what the shared responsibility model means in practice
Nice to Have
• ISO 27001 Lead Implementer or Lead Auditor certification (PECB, BSI, or equivalent)
• CISSP, CISM, or CISA certification
• Experience with AI/ML product companies or platforms handling sensitive personal data
• Familiarity with CCPA/CPRA data protection requirements
• Experience with DPDP Act 2023 (India) — useful given our India operations
• Prior startup experience — comfortable building programmes with limited resources
Job ID: 149366071
Skills:
IT Risk Management, Cybersecurity, Information Security, Cloud Computing, ISO 27001, Risk Reporting, Risk Assessment, Risk Management Tooling, GRC Platforms, Operational Resilience, Control Evaluations, Third-party Vendor Risk Management, Business Continuity