Security Risk and Compliance Analyst

Asana, San Francisco, CA

About The Position

As a Security Risk and Compliance Analyst, you will play a hands-on role in maturing and operating Asana’s compliance and certification program. This role sits at the intersection of traditional GRC work and compliance engineering. You will help maintain our control frameworks and run our audit cycles, while also contributing to the automation initiatives that make our compliance program scalable and repeatable. You will partner closely with Security Engineering, Legal, Privacy, and R&D to ensure our controls are effective, our evidence pipelines are reliable, and our certifications—SOC 2, ISO 27001, and FedRAMP—are maintained with rigor.

Requirements

  • Experience with SOC 2, ISO 27001, and FedRAMP compliance frameworks.
  • Familiarity with GRC platforms and evidence collection workflows.
  • Ability to coordinate evidence requests and liaise with auditors.
  • Experience in tracking and driving remediation efforts.
  • Strong working relationships across different teams.
  • Understanding of controls maturity scoring and reporting.
  • Experience with FedRAMP Continuous Monitoring (ConMon) package submission.
  • Ability to maintain a clear calendar of deliverables and flag risks.
  • Experience documenting procedures for transparency and auditability.

Nice To Haves

  • Curiosity and initiative in identifying opportunities to automate repetitive evidence-gathering tasks.

Responsibilities

  • Support the maintenance and continuous improvement of Asana’s control framework, tracking control effectiveness across SOC 2, ISO 27001, FedRAMP Moderate, and other applicable standards.
  • Proactively engage with a wide range of teams—including Engineering, IT, and People—to work through controls maturity activities, close existing gaps, and drive remediation efforts to completion with clear documentation of progress.
  • Build strong working relationships across the business so that control owners feel supported and accountability is shared, not siloed within the compliance team.
  • Contribute to controls maturity scoring and reporting, providing ongoing visibility into program health for senior leadership.
  • Support external compliance audits end-to-end: coordinating evidence requests, liaising with auditors, and tracking findings through to closure.
  • Own the monthly FedRAMP ConMon package submission, ensuring it is accurate, complete, and delivered on time every month.
  • Track and drive completion of all timebound FedRAMP requirements by working closely with Engineering, People, and other responsible teams.
  • Maintain a clear calendar of FedRAMP deliverables and proactively flag risks to timelines, escalating where needed to ensure nothing slips.
  • Serve as a day-to-day point of contact for FedRAMP-related queries from internal teams, helping them understand their obligations and what good looks like.
  • Own evidence collection workflows within our GRC platform, ensuring controls are reliably mapped, evidence is current, and audit artifacts are ready year-round.
  • Where possible, identify opportunities to automate repetitive evidence-gathering tasks.
  • Document evidence collection procedures so that processes are transparent, auditable, and maintainable by the broader team.

Benefits

  • Comprehensive health benefits including mental health programs and coaching
  • In-house culinary program
  • Supportive parental leave policies