Governance Risk & Compliance (GRC) Manager

TransMedics Group, Inc. · Andover, MA
32d

About The Position

As TransMedics continues its global expansion, the Governance, Risk & Compliance (GRC) Manager will lead and execute our cybersecurity and compliance initiatives across enterprise systems, cloud infrastructure, and medical-device operations. This is a hands-on leadership role, responsible for designing, operating, and continuously improving governance, risk, and compliance processes that meet regulatory, customer, and business expectations. This role serves as a key partner to Information Security, Cloud & Infrastructure, Legal, Quality, and Finance, ensuring TransMedics maintains compliance with frameworks and mandates such as NIST CSF 2.0, NIST 800-171, HIPAA, FDA, GDPR, SOX, C-SCRM, and SEC cybersecurity disclosure requirements. The GRC Manager will combine operational execution with program-level oversight, supporting TransMedics' mission to deliver life-saving innovation with integrity and resilience.

Requirements

  • Bachelor's degree in Information Security, IT Management, Business, or related field.
  • 6+ years of experience in governance, risk, compliance, audit, or cybersecurity; at least 2 years in a leadership or program-lead role (preferred).
  • Deep understanding of NIST CSF 2.0, NIST 800-171, HIPAA, GDPR, FDA, SEC cyber disclosure requirements, and SOX ITGCs.
  • Demonstrated experience managing vendor/third-party risk programs and supply-chain cybersecurity risk.
  • Proven track record in translating regulatory requirements into operational controls, evidencing audit readiness.
  • Strong analytical, organizational, and documentation skills with high attention to detail.
  • Excellent cross-functional communication and collaboration skills; ability to interact with technical, business, legal, and executive stakeholders.
  • Hands-on mindset: ability to build templates, map controls, pull evidence, and operate tooling as needed.

Nice To Haves

  • Professional certifications: CISA, CISM, CRISC, CIPM/CIPT, or HCISPP (willingness to pursue)
  • Experience in a regulated healthcare, medical-device, or life-sciences environment.
  • Familiarity with GRC platforms/tools (ServiceNow GRC/IRM, RSA Archer, OneTrust, Drata) and audit evidence-management workflows.
  • Experience developing executive/board-level cybersecurity and compliance reports and metrics.

Responsibilities

  • Regulatory & Framework Expertise: Apply a strong understanding of regulatory compliance in the healthcare, medical-device, and technology sectors (HIPAA, FDA, GDPR, C-SCRM, SOX, SEC disclosures). Use hands-on experience with NIST CSF 2.0, NIST 800-171, and other compliance frameworks to drive risk management initiatives and ensure audit readiness. Bring deep knowledge of medical-device cybersecurity expectations, including SBOMs, vulnerability handling, and patch management.
  • Governance, Risk, & Compliance (GRC) Program Management: Design, implement, and continuously improve a comprehensive GRC program aligned with regulatory requirements, internal policies, and industry best practices. Define and prioritize program goals, manage timelines, track compliance metrics, and ensure full compliance with applicable cybersecurity standards.
  • Vendor & Third-Party Risk Management: Lead third-party risk assessments and manage the full lifecycle of vendor risk evaluations, tiering, and continuous monitoring. Collaborate with Procurement and Legal to ensure security terms in contracts and assess risks for all third-party vendors (aligned with NIST C-SCRM). Ensure vendors meet cybersecurity requirements, including documentation and compliance controls, and oversee ongoing vendor audits.
  • Audit & Control Testing: Coordinate and execute internal and external audits, including SOC reports, vulnerability assessments, and risk assessments to ensure proper controls are in place. Maintain and manage evidence repositories for audit purposes, ensuring all activities and controls are documented in alignment with SOX ITGC requirements and external auditors. Track and manage CAPAs (Corrective and Preventive Actions) and POA&Ms (Plans of Action & Milestones) for audit remediation.
  • Risk Assessment & Cyber Risk Register Management: Own and maintain the cyber risk register, conducting risk assessments for technology systems, cloud infrastructure, and medical devices. Identify and prioritize risks, and ensure the timely execution of risk mitigation activities across the organization. Develop, track, and report on Key Risk Indicators (KRIs), working with business and technology teams to address risk exposures.
  • Cross-functional Collaboration & Reporting: Collaborate with senior leadership, IT, Legal, Quality, Product Security, and Finance teams to ensure alignment with overall business goals and compliance objectives. Develop and deliver regular risk and compliance reports to executive leadership and board members, summarizing findings, recommendations, and compliance status. Work closely with internal teams to provide governance over incident management, ensuring regulatory requirements are met during any cybersecurity incidents.
  • Technology & Tool Proficiency: Operate GRC tools (e.g., ServiceNow GRC, RSA Archer, OneTrust, Drata) for risk management, evidence collection, and compliance tracking. Use audit management tools and document management systems to maintain compliance and audit readiness.
  • Perform other TransMedics tasks and duties as assigned/required.

Benefits

  • Medical with Health Reimbursement Account through Blue Cross/Blue Shield of MA
  • Dental
  • Vision
  • Healthcare Flexible Spending Account
  • Dependent Care Flexible Spending Account
  • Short Term Disability
  • Long Term Disability
  • 401K Plan
  • Pet insurance
  • Employee Stock Purchase Plan


What This Job Offers

  • Job Type: Full-time
  • Career Level: Mid Level
  • Industry: Miscellaneous Manufacturing
  • Number of Employees: 501-1,000 employees

© 2024 Teal Labs, Inc