Sr GRC Consultant

2 - 4 years

4 - 8 Lacs

Platform: Naukri


Work Mode

Work from Office

Job Type

Full Time

Job Description

Job Role: Sr GRC/GRC Analyst

Roles and Responsibilities:

This individual's primary day-to-day responsibilities include, but are not limited to, the following:
Plan and conduct end-to-end cybersecurity risk assessments for ICT assets (networks, servers, applications, endpoints, cloud), including threat/vulnerability identification, likelihood/impact analysis, risk scoring, and treatment plans.
Lead third-party/vendor risk assessments: due diligence, security questionnaires, evidence reviews, control gap analysis, and ongoing monitoring aligned to ISO 27001 Annex A, SOC 2 trust services criteria, NIST controls, and GDPR requirements.
Map assessment findings to GRC frameworks and regulatory requirements; produce compliance-ready reports, risk registers, and executive summaries.
Collaborate with IT and engineering on security architecture reviews for networks, servers, and cloud; recommend hardening, segmentation, and secure configuration baselines.
Support policy, standard, and procedure development for risk management, vulnerability management, incident response, access control, and asset management.
Prepare materials for internal/external audits (ISO 27001, SOC 2) and respond to client security assessments and RFPs.
Evaluate and secure cloud environments (AWS, Azure, GCP) by conducting cloud-specific risk assessments, reviewing identity and access management, ensuring workload segmentation, and checking adherence to cloud security posture management best practices.
Assess cloud service providers' compliance with frameworks such as ISO/IEC 27017/27018 and the CIS Benchmarks for cloud platforms, and guide the deployment of secure and resilient cloud architectures.
Formulate and test Business Continuity and Disaster Recovery Plans; identify ICT risks affecting availability and participate in tabletop and failover exercises to ensure preparedness.
Evaluate the use of cryptographic protocols and encryption solutions for data at rest, in transit, and in use across enterprise systems and cloud assets.
Knowledge of security controls such as authentication, authorization, data security, and IAM.

Required Qualifications

Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience.
2+ years of hands-on experience in cybersecurity risk assessments of ICT environments, including VAPT oversight and remediation management.
Strong knowledge of networking (TCP/IP, routing, switching, firewalls, VPNs, proxies), server platforms (Windows/Linux), directory services, virtualization, and cloud basics.
Experience supporting ISO 27001 certification or SOC 2 Type 1/Type 2 readiness and audits.
Demonstrated experience implementing or assessing against GRC frameworks: ISO/IEC 27001/27002, SOC 2, NIST CSF/800-53/800-171, and GDPR security/privacy controls.
Experience with third-party risk management: security questionnaires, SIG/CAIQ or equivalent, due diligence evidence review, and continuous monitoring.
Proficiency with vulnerability management tools and VAPT methodologies; ability to interpret CVEs/CVSS and prioritize remediation.
Strong documentation and reporting skills with the ability to communicate technical risks to non-technical stakeholders.
Understanding of secure configuration benchmarks (e.g., CIS), patching cycles, logging/monitoring fundamentals, and incident response coordination.
Mandatory certifications: CEH or Security+.

Preferred Qualifications

Certifications: CISM, CISA, ISO 27001 Lead Auditor/Lead Implementer.
Hands-on exposure to SIEM, EDR, SAST/DAST, cloud security posture management, and container security basics.
Tools and Technologies:
o Vulnerability/VAPT: Nessus, Qualys, OpenVAS, Burp Suite, Nmap, Metasploit.
o Governance/Risk/Compliance: risk registers, control libraries, SIG/CAIQ, ISO 27001 documentation suites; ticketing for remediation tracking.
o Infrastructure: Windows/Linux server administration fundamentals, network device configuration review, cloud (AWS/Azure/GCP) security baselines.
o Monitoring: SIEM/EDR exposure for context during risk assessments and validation of remediation.

Tech Defence Labs

Cybersecurity

San Francisco
