Senior GRC Analyst

About The Position

Requirements

• 4 to 6 years of experience in Information Security, Governance, Risk, and Compliance
• Demonstrated experience building or operating an enterprise risk management program, including risk assessments, risk registers, and risk treatment planning
• Experience with third-party risk management, including vendor security assessments and due diligence
• Working knowledge of security frameworks and standards including ISO 27001, SOC 2, NIST 800-53, and GDPR
• Familiarity with AI governance concepts and emerging frameworks (ISO 42001, NIST AI RMF) or a demonstrated ability to learn and apply new frameworks quickly
• Experience designing metrics and reporting for GRC programs, including dashboards and executive-level summaries
• Familiarity with cloud environments (AWS, GCP, Azure) and their risk and compliance implications
• Strong written and verbal communication skills with the ability to translate risk and compliance topics for both technical and non-technical audiences
• Track record of building and maturing GRC programs from the ground up, including defining processes, creating documentation, and operationalizing workflows
• Self-motivated with experience thriving in remote-first, fast-paced environments

Nice To Haves

• Relevant industry certifications such as CRISC, CISA, CISSP, or CCSK
• Experience with GRC platforms (Anecdotes, ServiceNow GRC, OneTrust, or similar)
• Experience with automation or scripting for risk management workflows

Responsibilities

• Own and drive the compliance program roadmap, aligning framework requirements (SOC 2, ISO 27001, ISO 27701, ISO 42001) with business objectives and product strategy
• Lead cross-functional compliance initiatives with Engineering, Product, Legal, and IT, serving as the authoritative voice on governance and risk matters
• Design and maintain Docker’s unified control framework, including cross-mapping to NIST 800-53 and identifying control gaps across multiple standards
• Plan and execute internal audits end-to-end: scoping, evidence collection, control testing, findings management, and external auditor coordination
• Advise GRC Engineering on correct integrations to configure and controls that require automated monitoring
• Perform and lead risk assessments across systems, processes, third-party tools, and cloud configurations, translating findings into actionable risk treatment plans
• Own the vendor risk management program, evaluating third-party vendors against compliance and security standards and driving remediation of identified gaps
• Draft, review, and maintain corporate security policies and map them to relevant control standards, ensuring alignment across frameworks
• Establish and report on compliance metrics and KPIs, providing data-driven visibility into program maturity to leadership
• Stay current with evolving regulatory and industry standards (e.g., ISO 27xxx, SOC 2, GDPR, AI governance regulations) and proactively assess their impact on Docker’s compliance posture

Benefits

• Freedom & flexibility; fit your work around your life
• Designated quarterly Whaleness Days plus end of year Whaleness break
• Home office setup; we want you comfortable while you work
• 16 weeks of paid Parental leave (after 6 months of employment)
• Technology stipend equivalent to $100 USD net/month
• PTO plan that encourages you to take time to do the things you enjoy
• Training stipend for conferences, courses and classes
• Equity; we are a growing start-up and want all employees to have a share in the success of the company
• Docker Swag
• Medical benefits, retirement and holidays vary by country
• Remote-first culture, with offices in Seattle and Paris