Governance, Risk, and Compliance Specialist

CapTech Consulting, Richmond, VA

About The Position

We are looking for a detail-oriented GRC Specialist to support our Governance, Risk, and Compliance functions. You’ll focus on executing third-party risk assessments, managing security awareness training, supporting policy reviews, and assisting with information security compliance initiatives.

Requirements

  • 1–3 years of experience in Information Security, Risk, Compliance, or IT Audit.
  • Certified in Governance, Risk and Compliance (CGRC), Certified in Risk and Information Systems Control (CRISC), Security+, or an agreed certification to be attained within an agreed timeframe; other combinations of experience and relevant certifications are also considered.
  • Working understanding of SOC 2, NIST 800-53, and ISO 27001 or similar frameworks required. Prior experience with SOC 2 and NIST 800-53 compliance preferred.
  • An understanding of AI governance risks (bias, transparency, and data privacy) and familiarity with frameworks such as NIST AI RMF, ISO 42001, and AIUC-1.
  • Experience or interest in GRC engineering, including supporting configuration, automation, or workflows.
  • Excellent oral and written communication ability, especially for communicating technical risks to a non-technical audience.
  • Strong knowledge of the Microsoft Office suite of tools.
  • Strong problem-solving, analytical, and critical thinking skills.
  • Eagerness to learn and grow.
  • Highly organized, with the ability to manage tasks independently while seeking guidance when appropriate.

Nice To Haves

  • Prior experience with vendor management or third-party risk assessments preferred.

Responsibilities

  • Conduct technical risk evaluations of third parties’ tools, platforms, and services.
  • Perform vendor due diligence and appropriately advise the business on risk response decisions in accordance with SOC 2 and internal standards.
  • Prepare and present assessment findings to the GRC Lead and Head of Information Security for final review and approval.
  • Make recommendations to strengthen vendor security posture.
  • Brainstorm, document, and formulate areas for Information Security improvement that balance risk with business operations and encourage efficiencies or innovation.
  • Construct security program content around key areas of corporate and cyber risk.
  • Support the development and tracking of KPIs and KRIs to enable effective risk reporting and business insights.
  • Maintain and deliver security training for new hires, aligned with company policies.
  • Assist in the maintenance and review of IT GRC policies, standards, and procedures, collaborating with policy owners to ensure documents are current and aligned with controls.
  • Support responses to information security questionnaires from clients or partners.
  • Support evidence collection and communication between auditors and stakeholders for external audits and internal reviews.
  • Learn and contribute to broader GRC functions under the guidance of the GRC Lead.
© 2024 Teal Labs, Inc