Job Role: Sr GRC/GRC Analyst
Roles and Responsibilities:
This individual's primary day-to-day responsibilities are listed below (but are not limited to these):
- Plan and conduct end-to-end cybersecurity risk assessments for ICT assets (networks, servers, applications, endpoints, cloud), including threat/vulnerability identification, likelihood/impact analysis, risk scoring, and treatment plans.
- Lead third-party/vendor risk assessments: due diligence, security questionnaires, evidence reviews, control gap analysis, and ongoing monitoring aligned to ISO 27001 Annex A, SOC 2 trust services criteria, NIST controls, and GDPR requirements.
- Map assessment findings to GRC frameworks and regulatory requirements; produce compliance-ready reports, risk registers, and executive summaries.
- Collaborate with IT and engineering on security architecture reviews for networks, servers, and cloud; recommend hardening, segmentation, and secure configuration baselines.
- Support policy, standard, and procedure development for risk management, vulnerability management, incident response, access control, and asset management.
- Prepare materials for internal/external audits (ISO 27001, SOC 2) and respond to client security assessments and RFPs.
- Evaluate and secure cloud environments (AWS, Azure, GCP) by conducting cloud-specific risk assessments, reviewing identity and access management, ensuring workload segmentation, and checking adherence to cloud security posture management best practices.
- Assess compliance of cloud service providers with frameworks such as ISO 27017/27018, CIS Cloud Benchmarks, and guide the deployment of secure and resilient cloud architectures.
- Formulate and test Business Continuity and Disaster Recovery Plans; identify ICT risks impacting availability and participate in tabletop and failover exercises to ensure preparedness.
- Evaluate the use of cryptographic protocols and encryption solutions for data at rest, in transit, and in use across enterprise systems and cloud assets.
- Knowledge of security controls such as authentication, authorization, data security, and IAM.
Required Qualifications
- Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience.
- 2+ years of hands-on experience in cybersecurity risk assessments of ICT environments, including VAPT oversight and remediation management.
- Strong knowledge of networking (TCP/IP, routing, switching, firewalls, VPNs, proxies), server platforms (Windows/Linux), directory services, virtualization, and cloud basics.
- Experience supporting ISO 27001 certification or SOC 2 Type 1/Type 2 readiness and audits.
- Demonstrated experience implementing or assessing against GRC frameworks: ISO/IEC 27001/27002, SOC 2, NIST CSF/800-53/800-171, and GDPR security/privacy controls.
- Experience with third-party risk management: security questionnaires, SIG/CAIQ or equivalent, due diligence evidence review, and continuous monitoring.
- Proficiency with vulnerability management tools and VAPT methodologies; ability to interpret CVEs/CVSS and prioritize remediation.
- Strong documentation and reporting skills with the ability to communicate technical risks to non-technical stakeholders.
- Understanding of secure configuration benchmarks (e.g., CIS), patching cycles, logging/monitoring fundamentals, and incident response coordination.
- Mandatory certifications: CEH / Security+.
Preferred Qualifications
- Certifications: CISM, CISA, ISO 27001 Lead Auditor/Lead Implementer.
- Hands-on exposure to SIEM, EDR, SAST/DAST, cloud security posture management, and container security basics.
- Tools and Technologies:
  - Vulnerability/VAPT: Nessus, Qualys, OpenVAS, Burp Suite, Nmap, Metasploit.
  - Governance/Risk/Compliance: risk registers, control libraries, SIG/CAIQ, ISO 27001 documentation suites; ticketing for remediation tracking.
  - Infrastructure: Windows/Linux server administration fundamentals, network device configuration review, cloud (AWS/Azure/GCP) security baselines.
  - Monitoring: SIEM/EDR exposure for context during risk assessments and validation of remediation.