Diligent

Staff Security Governance & Compliance Analyst

  • Posted 13 hours ago
Job Description

About the Role

We are looking for a sharp, automation-first Compliance Engineer to join our Governance, Risk & Compliance (GRC) team. In this role, you will own the technical side of our compliance programme — designing and operating systems that continuously verify our security controls, collect evidence automatically, and keep us audit-ready at all times.

You will work at the intersection of security engineering and regulatory compliance, leveraging AI-powered and agentic tooling to replace manual, point-in-time audit work with real-time, scalable assurance. If you love turning compliance from a periodic scramble into an always-on engineering discipline, this role is built for you.

Key Responsibilities

Compliance Automation & Continuous Assurance

  • Design, build, and maintain automated pipelines for controls testing across SOC 2 Type II, ISO 27001, and other applicable frameworks.
  • Develop scripts, integrations, and workflows that continuously collect, validate, and store compliance evidence from cloud infrastructure, SaaS tools, CI/CD pipelines, and endpoint systems.
  • Implement AI and agentic tools (e.g., LLM-based classification, autonomous agents) to interpret data, flag control deviations, and draft audit narratives — reducing manual effort.
  • Build and maintain a compliance-as-code library so controls are versioned, testable, and auditable.

Frameworks & Audit Readiness

  • Serve as an internal SME for SOC 2 (Trust Services Criteria) and ISO 27001 / 27701 control mapping.
  • Maintain a continuously updated control inventory and evidence repository ready for external auditor review at any point in the year.
  • Coordinate with external auditors during annual assessments; own the evidence pack preparation and auditor Q&A.
  • Identify control gaps through automated gap assessments and drive remediation with engineering and product teams.

GRC Programme Development

  • Contribute to the design and evolution of the company's internal assurance programme, including risk assessment methodologies and control effectiveness metrics.
  • Develop dashboards and executive-level reporting that show real-time compliance posture across all frameworks.
  • Advise on vendor and third-party risk assessments, including security questionnaire automation.
  • Stay current on emerging regulations and integrate new requirements into the automation stack.

Required Qualifications

Experience

  • 5+ years of experience in information security, with a minimum of 3 years focused on GRC, compliance engineering, or security assurance.
  • Demonstrable experience designing or operating a SOC 2 or ISO 27001 compliance programme, including evidence collection and audit support.
  • Hands-on experience writing automation scripts (Python, NodeJS, or similar) to interact with cloud APIs (AWS, GCP, or Azure), SaaS platforms, or SIEM/log aggregation tools.
  • Experience integrating AI or ML tooling into operational workflows — including working with LLM APIs, prompt engineering, or building agentic pipelines using frameworks.

Certifications (at least one required)

  • CISSP — Certified Information Systems Security Professional
  • CISA — Certified Information Systems Auditor
  • CISM — Certified Information Security Manager
  • ISO 27001 Lead Auditor or Lead Implementer
  • CompTIA Security+ or equivalent (acceptable as a secondary certification)

Technical Skills

  • Proficiency in Python for automation; familiarity with REST APIs, webhooks, and data pipelines.
  • Working knowledge of cloud-native security services (AWS Config, AWS Security Hub, Azure Policy, GCP SCC) and how they map to compliance controls.
  • Experience with GRC platforms (Vanta, Drata, Tugboat Logic, OneTrust, or equivalent) — and ideally extending them via API or custom integrations.
  • Understanding of IAM, encryption, logging, vulnerability management, and change management controls in a cloud-first environment.

Preferred Qualifications

  • Experience building agentic workflows where an AI system autonomously gathers evidence, tests controls, and surfaces exceptions with minimal human intervention.
  • Background in a high-growth SaaS, fintech, or B2B technology company where compliance was a commercial differentiator.
  • Experience with Infrastructure-as-Code tools (Terraform) and how policy guardrails integrate with deployment pipelines.

More Info

Job ID: 147221609