Risk and Compliance Analyst

About The Position

Requirements

• 2–5 years of experience in cybersecurity governance, compliance, risk management, or internal audit.
• Foundational knowledge of ISO 27001, NIST SP 800-171, or CMMC Level 2 requirements.
• Experience with GRC/IRM platforms (e.g., OneTrust, Archer, ServiceNow GRC).
• Strong documentation, writing, organizational, and version-control skills.
• Proficiency with Excel/Sheets for risk scoring, register management, and reporting.
• Ability to coordinate projects and collaborate across multiple functions.
• Excellent written and verbal communication
• Strong organizational skills
• Analytical and critical thinking
• Ability to collaborate across departments
• High ethical standards and professional discretion
• Ability to manage multiple tasks with competing deadlines
• Ability to sit and stand for extended periods.
• Ability to lift up to 20 pounds.

Nice To Haves

• Experience using compliance workflow platforms such as FutureFeed.
• Experience supporting internal or external audits.
• Exposure to vendor risk management processes.
• Experience with internal audit or compliance management tools (e.g., AuditBoard, Workiva).
• Foundational compliance or security certifications (e.g., ISO 27001 Foundations, Security+, CMMC coursework).

Responsibilities

• Risk Management & Governance Maintain and update the firm’s risk register, including risk scoring, treatment tracking, and monitoring for changes. Support formal risk assessments and assist with updates to the Statement of Applicability (SoA). Gather and consolidate risk-related inputs from IT, HR, Legal, SecOps, and business stakeholders.
• Documentation & Policy Governance Manage lifecycle updates for information security policies, standards, and procedures including drafting, reviews, approvals, and version control. Maintain compliance documentation such as SSP updates, POA&M revisions, control narratives, and other required artifacts. Ensure governance documents remain accurate, consistently formatted, and aligned with framework requirements.
• Audit Support Coordinate internal and external audit activities, including scheduling, evidence collection, and communication with SMEs. Track audit findings, corrective actions, and remediation progress. Maintain audit documentation repositories and ensure audit materials are consistently organized and audit-ready.
• Vendor Risk Management Perform intake assessments for vendor security reviews and coordinate security questionnaires with vendors. Collect due-diligence documentation and track remediation or follow-up requirements. Support collaboration between Procurement, Legal, IT, and the GRC Manager.
• Training & Awareness Assist with developing and distributing cybersecurity awareness content. Maintain training completion records and support reporting for required annual or event-driven trainings.
• Business Continuity & Disaster Recovery (BCP/DR) Documentation & Reporting Maintain BCP/DR documentation including plans, Business Impact Analysis (BIA) updates, team rosters, and continuity-related inventories. Coordinate with business units and IT to collect updates for continuity plans and ensure documentation accuracy. Support post-exercise and post-incident reporting, capturing results, action items, and changes required to improve resilience. Organize and maintain evidence of continuity activities for compliance and audit purposes. Assist in coordinating tabletop exercises by managing documentation, capturing observations, and preparing reports for leadership review.
• Cross-Functional Collaboration Work closely with HR, Legal, Procurement, IT, SecOps, and other internal stakeholders to support compliance operations. Support the GRC Manager on firm-wide governance, compliance initiatives, and regulatory readiness activities.