Show more filters
Banner image for Outsourced

GRC Analyst (Homebased)

Outsourced

2.8
14 reviews
Outsourced
Job Type   /   Job Level
Full-time   /   Others/Any
Company Location
Philippines
Job Description

As a GRC Analyst you keep compliance programs healthy across a portfolio of client accounts. This is a hands-on, behind-the-scenes role. You live inside GRC platforms and client systems. You close failing controls, collect and organize evidence, run access reviews, work through security questionnaires, and answer the day-to-day compliance questions clients ask in Slack. You track every piece of work in Linear so nothing slips.

Responsibilities

  • GRC PLATFORM OPERATIONS
    • Keep client compliance platforms (Drata, Vanta, Secureframe, Thoropass) healthy day to day: control status, evidence freshness, failing tests, and broken integrations.
    • Run a weekly pass across your accounts to catch gaps, failing controls, and stale evidence before they become audit issues.
    • Triage every failing control. Fix what you can directly. Open a Linear ticket with a clear owner and SLA for the rest, and drive each one to closed.
  • EVIDENCE, AUDITS, AND REVIEWS
    • Collect audit-ready evidence: screenshots with visible dates, the correct system views, and permissions shown the way an auditor will accept
    • Prepare and organize evidence packages for SOC 2 Type I and Type II, ISO 27001, and other audits, and keep them ready through the audit window.
    • Run user access reviews end to end: request exports, chase the system owners, document findings and recommended actions, and track every item to sign-off.
    • Conduct vendor and third-party risk assessments: collect SOC 2 reports and DPAs, review data handling and integrations, and document the risk decision.
  • GAP ASSESSMENTS AND ONBOARDING
    • Work new clients through their initial gap assessment: map their environment to the framework, identify what is missing, and turn it into a prioritized remediation plan in Linear.
    • Stand up the GRC platform for new clients, connect integrations, and get the first controls moving.
  • COMPLIANCE QUESTIONS IN SLACK
    • Answer the questions clients ask every day: do we need a pen test for this, is MFA required here, does this vendor need a review, what does our policy say about X. Give clear, correct, grounded answers, and know when to escalate to the U.S. team
    • Keep client Slack channels responsive during business hours.
  • SECURITY QUESTIONNAIRES
    • Complete inbound security questionnaires, DDQs, and vendor assessments accurately and on time. Standard turnarounds are one to two days; complex ones five to seven.
  • IT AND ACCESS OPERATIONS SUPPORT
    • Support joiner, mover, and leaver workflows tied to compliance: provisioning and deprovisioning across Okta, Google Workspace, Slack, Jamf, and similar, with each step documented.
    • Track that access changes and remediation SLAs are met (Critical 24 hours, High 72 hours, Medium one week) and that nothing falls through
  • TRACKING AND COORDINATION
    • Track all of your work in Linear. Every client ask becomes a ticket with an owner. Slack is for conversation; Linear is the system of record.
    • Give the U.S. engagement leads a clear weekly picture of what is done, what is in progress, and what needs escalation.
Qualifications

  • Two to four years hands-on in GRC, IT audit, compliance, or security operations, ideally in a consulting, MSSP, or multi-client environment.
  • Direct experience working multiple clients or engagements at the same time. This is a firm requirement.
  • Working knowledge of at least two of: SOC 2, ISO 27001, HIPAA, NIST 800-53, CMMC, PCI DSS, GDPR.
  • Hands-on experience with at least one GRC platform: Drata, Vanta, Secureframe, Thoropass, Sprinto, or similar.
  • Strong written English. You will answer clients in Slack and in writing every day.
  • Able to work substantial overlap with U.S. business hours.
  • Familiarity with cloud (AWS, GCP, Azure) (Nice to have)
  • Experience tracking work in Linear, Jira, or a similar system (Nice to have)
  • Certifications such as CISA, Security+, CRISC, or ISO 27001 Lead Implementer (Nice to have)

Additional Information

  • Homebased
  • T to Sat, 12am to 9am

More jobs