Job Description
As a GRC Analyst you keep compliance programs healthy across a portfolio of client accounts. This is a hands-on, behind-the-scenes role. You live inside GRC platforms and client systems. You close failing controls, collect and organize evidence, run access reviews, work through security questionnaires, and answer the day-to-day compliance questions clients ask in Slack. You track every piece of work in Linear so nothing slips.
Responsibilities - GRC PLATFORM OPERATIONS
- Keep client compliance platforms (Drata, Vanta, Secureframe, Thoropass) healthy day to day: control status, evidence freshness, failing tests, and broken integrations.
- Run a weekly pass across your accounts to catch gaps, failing controls, and stale evidence before they become audit issues.
- Triage every failing control. Fix what you can directly. Open a Linear ticket with a clear owner and SLA for the rest, and drive each one to closed.
- EVIDENCE, AUDITS, AND REVIEWS
- Collect audit-ready evidence: screenshots with visible dates, the correct system views, and permissions shown the way an auditor will accept
- Prepare and organize evidence packages for SOC 2 Type I and Type II, ISO 27001, and other audits, and keep them ready through the audit window.
- Run user access reviews end to end: request exports, chase the system owners, document findings and recommended actions, and track every item to sign-off.
- Conduct vendor and third-party risk assessments: collect SOC 2 reports and DPAs, review data handling and integrations, and document the risk decision.
- GAP ASSESSMENTS AND ONBOARDING
- Work new clients through their initial gap assessment: map their environment to the framework, identify what is missing, and turn it into a prioritized remediation plan in Linear.
- Stand up the GRC platform for new clients, connect integrations, and get the first controls moving.
- COMPLIANCE QUESTIONS IN SLACK
- Answer the questions clients ask every day: do we need a pen test for this, is MFA required here, does this vendor need a review, what does our policy say about X. Give clear, correct, grounded answers, and know when to escalate to the U.S. team
- Keep client Slack channels responsive during business hours.
- SECURITY QUESTIONNAIRES
- Complete inbound security questionnaires, DDQs, and vendor assessments accurately and on time. Standard turnarounds are one to two days; complex ones five to seven.
- IT AND ACCESS OPERATIONS SUPPORT
- Support joiner, mover, and leaver workflows tied to compliance: provisioning and deprovisioning across Okta, Google Workspace, Slack, Jamf, and similar, with each step documented.
- Track that access changes and remediation SLAs are met (Critical 24 hours, High 72 hours, Medium one week) and that nothing falls through
- TRACKING AND COORDINATION
- Track all of your work in Linear. Every client ask becomes a ticket with an owner. Slack is for conversation; Linear is the system of record.
- Give the U.S. engagement leads a clear weekly picture of what is done, what is in progress, and what needs escalation.
Qualifications
- Two to four years hands-on in GRC, IT audit, compliance, or security operations, ideally in a consulting, MSSP, or multi-client environment.
- Direct experience working multiple clients or engagements at the same time. This is a firm requirement.
- Working knowledge of at least two of: SOC 2, ISO 27001, HIPAA, NIST 800-53, CMMC, PCI DSS, GDPR.
- Hands-on experience with at least one GRC platform: Drata, Vanta, Secureframe, Thoropass, Sprinto, or similar.
- Strong written English. You will answer clients in Slack and in writing every day.
- Able to work substantial overlap with U.S. business hours.
- Familiarity with cloud (AWS, GCP, Azure) (Nice to have)
- Experience tracking work in Linear, Jira, or a similar system (Nice to have)
- Certifications such as CISA, Security+, CRISC, or ISO 27001 Lead Implementer (Nice to have)
Additional Information
- Homebased
- T to Sat, 12am to 9am