GRC Analyst

Zone & Co
Remote

About The Position

Zone & Co is seeking a meticulous and proactive Security and Privacy Compliance Analyst to help safeguard their organization and customers' data. This role reports directly to the Director of IT, Security and Compliance and is crucial for maturing the company's governance, risk, and compliance (GRC) programs. The analyst will bridge the gap between technical security controls and regulatory requirements, ensuring Zone & Co's financial software maintains high standards of data protection and privacy. The position requires a strong understanding of major security frameworks and privacy regulations, attention to detail in auditing, and the ability to communicate compliance effectively to engineering teams and enterprise customers.

Requirements

  • 3+ years of direct experience in IT Audit, Information Security, Privacy Operations, or GRC (Governance, Risk, and Compliance), preferably within a B2B SaaS, FinTech, or cloud technology environment.
  • Hands-on experience working with established compliance frameworks (SOC 2, ISO 27001) and navigating global privacy legislation (GDPR, CCPA).
  • A solid understanding of cloud computing architectures (AWS, Azure, GCP) and enterprise software environments.
  • Proven ability to translate complex regulatory requirements into actionable, practical controls for IT and engineering teams without stifling innovation.
  • Outstanding written and verbal communication skills. You must be able to write clear policies, translate technical risks for business leaders, and confidently answer complex customer security questions.
  • Bachelor’s degree in Information Systems, Cybersecurity, Business, or a related field.

Nice To Haves

  • Familiarity with ERP systems (like NetSuite) is a strong plus.
  • Relevant industry certifications such as CISA, CISM, CIPP/E, CIPP/US, or Security+ are highly preferred.

Responsibilities

  • Lead the management and continuous scaling of Zone & Co’s core security compliance frameworks, specifically SOC 2 Type II and ISO 27001.
  • Govern global data privacy operations to ensure strict, ongoing alignment with GDPR, CCPA/CPRA, and other emerging data protection laws.
  • Serve as the primary security liaison for enterprise customers, directly supporting the sales cycle by demonstrating and communicating a robust, mature security posture.
  • Manage the organization's internal audit program and oversee the third-party vendor risk lifecycle to proactively identify and mitigate vulnerabilities.
  • Coordinate evidence collection, manage project timelines, and partner directly with external auditors during annual compliance assessments.
  • Conduct Data Privacy Impact Assessments (DPIAs) for new products and process Data Subject Access Requests (DSARs) within mandated SLAs.
  • Accurately and efficiently complete incoming vendor security questionnaires from prospects and maintain up-to-date documentation in our customer-facing Trust Center.
  • Design and execute internal audits to test whether technical and administrative controls are operating effectively. Track control gaps and drive engineering/IT remediation efforts.
  • Evaluate the security and privacy postures of prospective and existing third-party vendors and sub-processors through comprehensive risk assessments.
  • Draft, update, and publish internal security policies, standard operating procedures (SOPs), and incident response plans. Develop and administer engaging company-wide security and privacy awareness training.

Benefits

  • Benefits are designed to enrich your life beyond the workplace.
  • Prioritize flexibility and balance.
  • Comprehensive list of benefits available at Zoneandco.com.