Work from Office
Full Time
Department: Information Security
Location: Mumbai
Reports to: IS GRC Head
Employment Type: Full-time

Job Purpose:
This role is responsible for driving the organization's Information Security Governance, Risk, and Compliance (GRC) function and for keeping it aligned with industry standards (ISO 27001, NIST CSF) and regulatory requirements. The candidate will lead internal audits, vendor risk governance, SOC 2 readiness, automation initiatives, client assessments, and security awareness across the enterprise, while managing a team of security professionals.

Key Responsibilities:

Governance, Risk & Compliance
• Implement and maintain a scalable Information Security GRC framework based on ISO 27001, the NIST Cybersecurity Framework, and applicable regulatory requirements (RBI, SEBI, IRDAI, DPDPA).
• Manage the information security policy lifecycle, risk registers, and control objectives across business units.
• Lead the exception management process, including impact assessments, approval workflows, and periodic reviews.

Internal Audit & Control Testing
• Plan and execute periodic internal audits, control design evaluations, and operating effectiveness testing for IT and cybersecurity controls.
• Coordinate external assessments, including SOC 2 readiness, ISO 27001 surveillance audits, and customer/compliance audits.
• Track and close audit findings with clear ownership, root cause analysis, and sustainable remediation plans.

Vendor Risk Management (End-to-End)
• Oversee the Third-Party Risk Management (TPRM) lifecycle: onboarding, risk assessment, security clauses, ongoing monitoring, and exit governance.
• Drive continuous oversight of critical vendors based on data exposure and service criticality, using automated tools where feasible.

Automation & Tooling
• Identify manual GRC activities suitable for automation; perform POCs, evaluate tools, and drive implementation.
• Lead automation initiatives for risk assessments, control testing, evidence gathering, and exception workflows.

SOC 2 & Compliance Readiness
• Lead organizational readiness for SOC 2 Type 1 and Type 2 audits, working with business SPOCs, application owners, and control owners.
• Align existing practices to the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality).

Security Training & Awareness
• Develop and deliver cybersecurity training and awareness programs tailored to the various stakeholder groups (employees, management, vendors).
• Promote a risk-aware culture and drive ongoing compliance awareness campaigns.

Incident Response Oversight
• Support and enhance the incident response governance process by aligning it with the NIST CSF.
• Ensure roles, responsibilities, and reporting mechanisms are clearly defined and followed during incidents.
• Oversee the documentation of lessons learned and RCA, and the incorporation of incidents into risk registers.

Reporting & Stakeholder Engagement
• Prepare and present dashboards, heatmaps, and reports for executive management, audit committees, and the board.
• Maintain governance KRIs and provide insights into risk trends, audit closures, and compliance status.
• Serve as the key liaison during client assessments, RFP security responses, and due diligence efforts.

Team Leadership
• Manage, mentor, and upskill a team of GRC analysts and specialists.
• Allocate responsibilities, track performance, and foster collaboration across IT, Legal, Procurement, and Business teams.

Key Requirements:

Qualifications:
• Bachelor's/Master's degree in Information Security, Computer Science, or a related field.
• Professional certifications preferred: CISA, CRISC, ISO 27001 LA, CISSP, CCSK, or equivalent.

Experience:
• 8+ years of experience in Information Security GRC, IT Risk, and Regulatory Compliance.
• Strong expertise in internal audits, control testing, and vendor security governance.
• Hands-on experience managing SOC 2, ISO 27001, or similar frameworks.
• Demonstrated leadership in team management and multi-stakeholder coordination.
• Exposure to automating GRC functions using platforms such as ServiceNow GRC, Archer, OneTrust, or similar.

Skills & Competencies:
• Strong analytical, documentation, and reporting skills.
• Effective communication across technical and business audiences.
• High level of integrity, ownership, and stakeholder management.
Crisil
Mumbai, Maharashtra, India
Salary: Not disclosed