Compliance Consultant – GRC Practice

Artemis Connection, Seattle, WA
Remote

About The Position

In this role, you will serve as a subject matter resource within the GRC practice, responsible for delivering compliance assessments, framework implementations, and advisory engagements across a portfolio of clients. This role operates with substantial independence on day-to-day project work while escalating strategic or novel issues to senior leadership. You will be expected to own client relationships at the operational level and contribute to business development activities.

Requirements

  • Minimum bachelor's degree in information systems, computer science, business, law, or a closely related field, or equivalent demonstrated experience
  • Minimum 5 years of experience in compliance, information security, audit, or a directly related advisory function, including at least two years in a consulting or client-facing delivery role
  • Demonstrated hands-on experience with at least two of the following: SOC 2, ISO 27001, CMMC 2.0, NIST CSF, HIPAA, PCI-DSS, or FedRAMP
  • At least one active professional certification — CISA, CISSP, CISM, CRISC, or CCSFP are most relevant to this role
  • Strong written and verbal communication skills, including the ability to convey technical findings to non-technical audiences with clarity and precision

Nice To Haves

  • Experience with GRC platforms such as Vanta, Drata, OneTrust, ServiceNow GRC, or Archer
  • Exposure to regulated industries — healthcare, defense industrial base, financial services, or government contracting
  • Familiarity with cloud security architecture concepts across AWS, Azure, or GCP, and how cloud-native environments affect control design and evidence collection
  • Experience in a Big Four or mid-market advisory firm environment
  • 2+ years of consulting experience

Responsibilities

  • Lead and execute compliance assessments across one or more regulatory and standards frameworks, including but not limited to SOC 2 Type I/II, ISO 27001, CMMC 2.0, NIST CSF, HIPAA, PCI-DSS, and FedRAMP. This includes scoping engagements, developing project plans, conducting gap analyses, running control testing procedures, drafting findings reports, and presenting results to client leadership. Manage multiple concurrent engagements across different clients and frameworks with minimal supervision.
  • Map overlapping frameworks and identify where controls satisfy multiple standards simultaneously. Advise clients on crosswalk strategies that reduce duplicative compliance work, consolidate evidence collection, and rationalize audit schedules. This requires fluency in how frameworks differ in scope, applicability, and control philosophy beyond their surface-level requirements.
  • Conduct qualitative and semi-quantitative risk assessments, evaluate control design effectiveness, and recommend compensating or corrective controls appropriate to client operating environments. Evaluate technical controls — access management, encryption, logging and monitoring, vulnerability management — as well as administrative and physical controls. Recommendations must be grounded in both the relevant standard and the practical operational context of the client.
  • Draft, review, and revise information security policies, procedures, standards, and control narratives. This work must be tailored to client context rather than template-driven, with clear mapping to applicable framework requirements and operational workflows. Write at a professional level sufficient for board-level consumption and audit artifact use.
  • Support clients through external audits and certification processes, serving as the primary liaison between the client and auditors during evidence collection phases. Post-audit, develop and track remediation plans, monitor control implementation progress, and validate remediation effectiveness before closure.
  • Contribute meaningfully to the practice's pipeline. This includes participating in proposal development, scoping and estimating new engagements, identifying expansion opportunities within existing client relationships, and representing the practice at industry events or working groups. You will not typically be expected to originate large engagements independently but should be able to identify and advance opportunities through the pipeline with principal-level support.
© 2024 Teal Labs, Inc