We are building our information security function from the ground up. As our first Information Security Manager / GRC Lead, you will be the operational owner of Flam's entire compliance programme and will work hands-on in Scrut.io to drive ISO 27001:2022 and SOC 2 Type I certification within 3–4 months. This is a high-impact, high-visibility role at a company whose core product is AI — meaning you will be helping define what responsible AI security looks like in practice, not just checking boxes.
What You'll Own
ISO 27001 & SOC 2 Implementation
- Drive end-to-end implementation of ISO 27001:2022 across all 88 applicable Annex A controls and SOC 2 Trust Service Criteria, using Scrut.io as the single source of truth
- Own the Statement of Applicability (SoA), risk register, risk treatment plan, and all ISMS documentation
- Coordinate evidence collection across Engineering, DevOps, HR, Finance, and Sales — translating control requirements into actionable tasks for each team
- Manage the internal audit cycle, prepare for Stage 1 and Stage 2 ISO 27001 audits, and coordinate with the external CPA firm for SOC 2
- Track all 239 Scrut controls to completion, assign owners, and chase evidence deadlines
Policy & Documentation
- Draft, review, and get management approval for all ISMS policies — Access Control, Incident Response, Data Classification, BCP/DR, Vendor Management, Acceptable Use, and more
- Maintain the legal and regulatory register covering CCPA/CPRA (California) and applicable federal requirements
- Ensure all policies are published, acknowledged, and kept current in Scrut
Risk Management
- Conduct and maintain the organisation's information security risk assessment — identifying threats, scoring likelihood and impact, and producing a risk treatment plan
- Maintain the risk register in Scrut and present findings at quarterly ISG meetings and annual Management Review Meetings (MRM)
- Conduct Data Protection Impact Assessments (DPIAs) for new product features, particularly those involving personal data
Vendor & Third-Party Security
- Own the vendor security assessment programme — completing questionnaires and reviews for GCP, Modal.com, and all critical SaaS tools
- Ensure security clauses are present in all vendor contracts and customer MSAs
- Maintain the third-party inventory in Scrut with classification and review cadence
Security Awareness & Culture
- Launch and manage the company-wide security awareness training programme for 100+ employees — track completion in Scrut
- Run quarterly phishing simulations and document results
- Build a security-first culture — be the person people come to with questions, not the person who sends scary emails
Incident Response & Monitoring
- Own and maintain the Incident Response Policy and Playbook
- Coordinate tabletop exercises before audit milestones
- Monitor and triage security events in collaboration with the DevOps and IT teams
What We're Looking For
- 3–5 years of experience in information security, GRC, or compliance roles
- Hands-on experience implementing or maintaining ISO 27001 — you have been through at least one certification cycle end-to-end
- Solid understanding of SOC 2 Trust Service Criteria and what auditors look for
- Experience using a GRC platform (Scrut.io, Vanta, Drata, Tugboat Logic, or equivalent)
- Ability to translate technical security controls into plain-English policies and evidence tasks that non-security teams can execute
- Strong project management skills — you are comfortable owning deadlines, chasing stakeholders, and escalating blockers
- Familiarity with cloud security concepts — GCP or AWS — and what 'shared responsibility model' means in practice
Nice to Have
- ISO 27001 Lead Implementer or Lead Auditor certification (PECB, BSI, or equivalent)
- CISSP, CISM, or CISA certification
- Experience with AI/ML product companies or platforms handling sensitive personal data
- Familiarity with CCPA/CPRA data protection requirements
- Experience with DPDP Act 2023 (India) — useful given our India operations
- Prior startup experience — comfortable building programmes with limited resources