GRC Analyst

Nashville, TN
In-Office
Senior level
Legal Tech

Job Description

Pillsbury Winthrop Shaw Pittman LLP is seeking a strategic and detail-oriented GRC (Governance, Risk & Compliance) Analyst to strengthen and scale our Governance, Risk, and Compliance (GRC) capabilities. This role is an integral part of the GRC team, with a strong emphasis on Vendor Risk Management, client trust, and compliance with ISO 27001 and related frameworks. You will support firmwide risk reduction efforts and lead initiatives that safeguard sensitive data while enabling business operations and client service delivery.


Responsibilities:

Vendor Risk Management

  • Lead the vendor security review process, including intake, risk assessment, documentation, and re-evaluation cycles.

  • Collaborate with IT and Legal to embed security and privacy requirements into contracts and onboarding workflows.

  • Maintain the vendor inventory and risk classification system; track remediation items and expiration of security attestations (SOC 2, ISO 27001, etc.).

  • Assess cloud platforms, SaaS tools, and third-party services against security, compliance, and privacy requirements.


Client Trust & Engagement

  • Coordinate responses to client security assessments, due diligence requests, and audits.

  • Coordinate with attorneys, business development, and compliance teams to support contractual commitments.

  • Maintain a centralized repository of audit evidence and standard responses using tools such as Loopio.

ISMS & Compliance Operations

  • Support the day-to-day management of our ISO 27001-certified ISMS, including control implementation and documentation.

  • Assist in preparation for surveillance and recertification audits and maintain alignment with ISO 27001:2022 control requirements.

  • Track risk treatment plans, control testing, and internal audit findings.


Policy & Control Governance

  • Draft, update, and socialize firmwide security and privacy policies.

  • Maintain a control library mapped across multiple frameworks including ISO 27001, NIST 800-171, CMMC, and client-specific standards.

  • Support the intake and processing of exceptions to security policies, ensuring proper documentation and leadership awareness.


Risk Monitoring & Incident Response Support

  • Assist with maintaining the risk register, including identification, analysis, and tracking of risks and mitigations.

  • Coordinate with internal teams during security incidents to ensure proper documentation, containment, and reporting.

Security Awareness & Training

  • Administer employee training programs including mandatory awareness training and role-specific modules.

  • Coordinate phishing simulations and follow-up education for at-risk users.

  • Partner with Marketing and IT to drive behavior change through campaigns, posters, and communication.

Program Enablement & Tooling

  • Maintain and optimize the GRC toolset (e.g., UpGuard, KnowBe4, Loopio).

  • Drive process improvements in risk assessments, audits, and reporting dashboards.

  • Support annual penetration testing coordination and track remediation progress.

Required Education, Knowledge & Experience

  • Bachelor’s degree in Information Security, Risk Management, or a related field.

  • 5+ years of experience in security governance, compliance, or vendor risk management roles (legal or professional services industry preferred).

  • Proven experience conducting vendor security assessments and managing related compliance workflows.

  • Deep understanding of ISO 27001 and common security/privacy frameworks (NIST, SOC 2, CMMC, GDPR, etc.).

  • Strong writing, communication, and organizational skills.

  • Experience with GRC platforms and vendor risk tools.

  • Certifications such as ISO 27001 Lead Implementer, Security+ or CISM are a plus.

Physical Requirements

  • Ability to sit and stand for extended periods.

  • Ability to lift up to 20 pounds.

Pillsbury Winthrop Shaw Pittman LLP is an Equal Opportunity Employer.

If you require an accommodation in order to apply for a position, please contact us at [email protected].

Top Skills

CMMC
GDPR
ISO 27001
KnowBe4
Loopio
NIST
SOC 2
UpGuard

The Company
New York, NY
1,896 Employees

What We Do

Pillsbury Winthrop Shaw Pittman LLP is an international law firm with a particular focus on the technology & media, energy, financial services, and real estate & construction sectors. Recognized by legal research firm BTI Consulting as one of the top 20 firms for client service, Pillsbury and its lawyers are highly regarded for their forward-thinking approach, their enthusiasm for collaborating across disciplines and their authoritative commercial awareness. To learn more, visit pillsburylaw.com.

To join the Pillsbury Network LinkedIn group for current and alumni attorneys and staff, go to http://www.linkedin.com/groups?gid=1043837
