We're looking for a GRC Analyst to help us run and evolve our governance, risk, and compliance program in a way that is credible with technical teams and useful for the business.
As a GRC Analyst, you will work closely with Engineering, DevOps/Platform, Security, Legal, and customer-facing teams to keep us audit-ready, reduce risk in practical ways, and support the next wave of compliance efforts.
You will own and continuously improve our GRC program across ISO 27001, SOC 2, ISO 27701, and ISO 42001, including control mapping and evidence expectations. You will partner with control owners to make compliance repeatable and low-friction – evidence as a habit, not a scramble.
You will drive audit readiness: artifacts, timelines, action tracking, and clear control demonstration. You will improve policies, standards, and procedures so they reflect how we actually operate.
You will build strong working relationships with DevOps/Platform and engineering teams. You will evaluate technical implementations – branch protection, CI/CD, Kubernetes, cloud architecture, monitoring – well enough to ask good questions and validate evidence.
You will translate technical reality into clear audit narratives without losing accuracy. You will contribute to risk identification and assessment across technical, operational, and vendor domains.
You will maintain risk registers and track mitigations to closure. You will support leadership reporting by surfacing themes and trends that lead to real decisions.
You will evaluate and prepare for ISO 22301, and potentially HITRUST and FedRAMP as business needs evolve. You will identify gaps early and propose pragmatic roadmaps that engineering teams can execute.
We're looking for someone with a hands-on technical background (engineering, DevOps/SRE, IT management, or similar) and understanding of how cloud environments work, especially AWS. You should be able to follow technical conversations well beyond what a traditional auditor can – you understand how the sausage is made.
You should have experience supporting audit cycles and know what good evidence looks like. You should be organised, proactive, and able to drive multiple workstreams independently – with clear, thoughtful communication across both technical and business audiences.
You should have technical aptitude: comfortable writing a simple script when needed, and experienced using AI and LLM tools in your work.
Bonus points if you have direct experience with ISO 27001, SOC 2, ISO 42001, or ISO 27701, or have worked in ISO 22301, HITRUST, or FedRAMP environments.