Security and Compliance Analyst

Position: Security and Compliance Analyst

Experience Range: 2 to 4 yrs

Job Location: Bangalore

Work Mode: Hybrid (3 days in the office, 2 days remote)

Job Summary

Anumana is seeking a detail-oriented and proactive Security and Compliance Analyst to ensure our organization’s adherence to international security standards and regulatory requirements. The successful candidate will play a key role in the development, implementation, and continuous improvement of Anumana's Information Security Management System (ISMS) in compliance with ISO/IEC 27001, ISO/IEC 27002, and ISO 13485 standards.

This role involves close collaboration with multiple departments—HR, Legal, IT, Engineering, and Quality/Regulatory teams—to maintain a robust security and compliance posture. The Security and Compliance Analyst will also be responsible for managing third-party risk assessments, ensuring compliance with global privacy regulations (such as GDPR), and supporting the overall Information Security Program.

Key Responsibilities

Compliance Management

• Maintain and continuously improve the Information Security Management System (ISMS) to comply with ISO/IEC 27001, ISO/IEC 27002, and ISO 13485 standards.
• Coordinate with the Quality and Regulatory team to align security controls with ISO 13485 requirements for medical device software.
• Develop and update policies, procedures, and documentation necessary for maintaining certification status.
• Conduct internal audits and prepare for external audits, ensuring that all necessary evidence is documented and accessible.

Cross-Department Collaboration

• Work closely with HR, Legal, IT, Engineering, and other departments to ensure that information security requirements are consistently integrated across the organization.
• Provide guidance on security and compliance matters, including secure practices, policy enforcement, and risk mitigation.
• Assist in the development of training materials and conduct regular security awareness sessions for staff.

Third-Party Risk Management

• Respond to third-party risk management questionnaires, ensuring that external parties meet Anumana’s security standards.
• Perform risk assessments on vendors, suppliers, and partners, evaluating their adherence to security requirements.
• Maintain and update a database of third-party risk assessments and ensure regular monitoring of vendor compliance.

Privacy and Confidentiality Management

• Monitor and enforce privacy compliance across the organization, focusing on GDPR, CCPA, and other relevant global data protection regulations.
• Track data protection incidents and coordinate response and remediation activities.
• Work with Legal and HR teams to ensure confidentiality agreements are properly managed and enforced.

Security Program Oversight

• Support the overall information security program by conducting risk assessments, tracking key performance indicators (KPIs), and managing security metrics.
• Develop and maintain security policies, standards, and guidelines based on best practices and relevant frameworks.
• Monitor and assess compliance with organizational policies, industry standards, and applicable regulations.
• Identify areas of improvement in security controls and recommend mitigation strategies.

Audit Preparation & Evidence Management

• Gather, organize, and maintain documentation of control evidence required for internal and external audits.
• Track audit findings, follow up on remediation actions, and ensure they are completed on time.
• Prepare reports summarizing compliance activities, audit results, and risk assessments for management review.

Qualifications Required:

• Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field (or equivalent experience).
• 2+ years of experience in information security, compliance, risk management, or related fields.
• Strong understanding of ISO/IEC 27001, ISO/IEC 27002, and ISO 13485 standards.
• Experience with information security frameworks (e.g., NIST, HITRUST) and best practices.
• Knowledge of data protection regulations, including GDPR, CCPA, and other privacy laws.
• Ability to respond to third-party risk assessments and manage vendor compliance.
• Familiarity with GRC (Governance, Risk, and Compliance) tools and methodologies.

Preferred:

• Professional certifications such as CISSP, CISM, CRISC, CCSK, or ISO/IEC 27001 Lead Auditor/Implementer.
• Experience working in the medical device or healthcare sector, with familiarity in Software as a Medical Device (SaaMD).
• Knowledge of security assessment tools and vulnerability management practices.
• Understanding of secure software development and DevSecOps practices.

Skills:

• Strong analytical and problem-solving skills with attention to detail.
• Excellent communication skills, with the ability to present complex information clearly to technical and non-technical stakeholders.
• Highly organized, with strong project management skills and the ability to prioritize tasks effectively.
• Demonstrated ability to work collaboratively with cross-functional teams.