GRC Analyst

About The Position

Requirements

• Bachelor’s degree in information security, Risk Management, or a related field.
• 5+ years of experience in security governance, compliance, or vendor risk management roles (legal or professional services industry preferred).
• Proven experience conducting vendor security assessments and managing related compliance workflows.
• Deep understanding of ISO 27001 and common security/privacy frameworks (NIST, SOC 2, CMMC, GDPR, etc.).
• Strong writing, communication, and organizational skills.
• Experience with GRC platforms and vendor risk tools.

Nice To Haves

• Certifications such as ISO 27001 Lead Implementer, Security+ or CISM are a plus.

Responsibilities

• Vendor Risk Management Lead the vendor security review process, including intake, risk assessment, documentation, and re-evaluation cycles.
• Collaborate with IT and Legal to embed security and privacy requirements into contracts and onboarding workflows.
• Maintain the vendor inventory and risk classification system; track remediation items and expiration of security attestations (SOC 2, ISO 27001, etc.).
• Assess cloud platforms, SaaS tools, and third-party services against security, compliance, and privacy requirements.
• Client Trust & Engagement Coordinate responses to client security assessments, due diligence requests, and audits.
• Coordinate with attorneys, business development, and compliance teams to support contractual commitments.
• Maintain a centralized repository of audit evidence and standard responses using tools such as Loopio.
• ISMS & Compliance Operations Support the day-to-day management of our ISO 27001-certified ISMS, including control implementation and documentation.
• Assist in preparation for surveillance and recertification audits and maintain alignment with ISO 27001:2022 control requirements.
• Track risk treatment plans, control testing, and internal audit findings.
• Policy & Control Governance Draft, update, and socialize firmwide security and privacy policies.
• Maintain a control library mapped across multiple frameworks including ISO 27001, NIST 800-171, CMMC, and client-specific standards.
• Support the intake and processing of exceptions to security policies, ensuring proper documentation and leadership awareness.
• Risk Monitoring & Incident Response Support Assist with maintaining the risk register, including identification, analysis, and tracking of risks and mitigations.
• Coordinate with internal teams during security incidents to ensure proper documentation, containment, and reporting.
• Security Awareness & Training Administer employee training programs including mandatory awareness training and role-specific modules.
• Coordinate phishing simulations and follow-up education for at-risk users.
• Partner with Marketing and IT to drive behavior change through campaigns, posters, and communication.
• Program Enablement & Tooling Maintain and optimize the GRC toolset (e.g., UpGuard, KnowBe4, Loopio).
• Drive process improvements in risk assessments, audits, and reporting dashboards.
• Support annual penetration testing coordination and track remediation progress.