GHD

IS Risk & Assurance Advisor (Applications Platforms and Data)

Reposted 5 Days Ago
In-Office
Irvine, CA, USA
88K-147K Annually
Senior level
The IS Risk & Assurance Advisor leads risk-based assurance programs, evaluates control effectiveness across technologies, and provides executive-level reporting to support decision-making and regulatory compliance.
The summary above was generated by AI

At GHD, we don’t just believe in the power of commitment, we live and breathe it every day. 

That’s why we pledge to support and empower all of our people to make a positive impact when working hand in hand with our business to drive change. We'll help you accelerate your career and empower you with the right technology and training as you bring ideas and projects to life. 
Together with your colleagues, clients and partners, you'll make an impact that is felt by all. See where your commitment could take you. 

Who are we looking for?   

As a senior Second Line of Defense (2LoD) Technology Risk & Control Assurance role within Information Services, the IS Risk & Assurance Advisor provides independent assurance and strategic insight over the control environment supporting application platforms, data and AI services, software development, domain and DNS management, and the online/web ecosystem. 

The role leads risk‑based assurance and thematic review programs to assess control design and operating effectiveness, identify systemic control weaknesses, and govern remediation outcomes. It delivers executive‑level reporting on technology risk posture, control effectiveness, trends and material issues, supporting informed decision‑making by the CIO/CTO, senior leadership, and governance committees, in alignment with industry frameworks, regulatory expectations and client requirements. 

Responsibilities:

  • Maintains and evolves the control library mapped to internal policies and external frameworks (e.g., ISO/IEC 27001/2, Essential Eight, CMMC, client requirements). 
  • Defines platform‑specific control objectives for applications, data, AI, online/web, DNS, development, including control owners, test procedures, success criteria, and evidence requirements. 
  • Partners with Applications, Data & AI, Technology and Web/Digital teams to embed controls by design in business plans. 
  • Runs a risk‑based assurance program (design/operating effectiveness testing) for target platforms. 
  • Executes thematic reviews (e.g., domain/DNS hygiene, AI use‑case onboarding, web app release quality, development practices, data access controls) and facilitates remediation plans with owners. 
  • Validates control evidence, tracks findings to closure, and escalates material non‑conformances and risks. 
  • Produces monthly CIO/CTO Platform Assurance Reporting: control effectiveness ratings, heat maps, KRIs, trend analysis, and material risks/issues. 
  • Supports internal/external audits and client assessments with defensible evidence. 
  • Delivers actionable insights highlighting control gaps and recommended fixes. 
  • Coordinates AI use‑case risk assessments, data protection measures, logging/traceability, and model/service controls.
  • Provides oversight of the web environment, secure configuration, code development and promotion, protections, lifecycle, CSP/HSTS usage, defect leakage metrics and domain portfolio governance (renewals, registrar lock, DNS change control, DNSSEC (where relevant), data privacy, and name server posture). 
  • Identifies changes in regulatory and compliance alignment and manages the resulting change and impacts to the controls environment. 
  • Provides insightful dashboards and reports to senior leadership and governance committees. 
  • Champions continuous improvement in the domain and team, and mentors team members. 

Skills and Competencies:

  • Maintains and evolves the technology risk and control library, mapped to internal policies and external frameworks (e.g. ISO/IEC 27001/2, Essential Eight, CMMC, and client requirements). 
  • Defines and governs platform‑specific control objectives across applications, data, AI, online/web, DNS, and development domains, including control intent, ownership, assurance approach, success criteria, and evidence expectations. 
  • Provides independent oversight, challenge and advisory input to Applications, Data & AI, Technology, and Web/Digital teams to support the embedding of controls by design within business plans and delivery approaches. 
  • Designs and executes a risk‑based technology assurance program, including control design and operating effectiveness assessments for in‑scope platforms and services. 
  • Leads thematic and deep‑dive reviews (e.g. domain/DNS hygiene, AI use‑case onboarding, web application release quality, development practices, and data access controls), and governs remediation planning and outcomes with accountable control owners. 
  • Validates control evidence, manages findings, tracks remediation progress to closure, and escalates material control weaknesses, non‑conformances, and risks in accordance with governance thresholds. 
  • Produces regular CIO/CTO Platform Assurance reporting, including control effectiveness ratings, risk heat maps, key risk indicators (KRIs), trend analysis, and material risks and issues. 
  • Supports internal and external audits and client assessments, providing defensible assurance artefacts, evidence, and subject‑matter expertise. 
  • Delivers clear, actionable insights highlighting control gaps, emerging risk themes, and prioritised improvement recommendations. 
  • Provides second‑line oversight of AI risk management, including governance of AI use‑case risk assessments, data protection controls, logging and traceability, and model/service control expectations.
  • Provides second‑line oversight of the online and web environment, including secure configuration standards, development and release practices, lifecycle controls, defect leakage metrics, and domain portfolio governance (e.g. renewals, registrar lock, DNS change control, DNSSEC where applicable, data privacy, and name server posture). 
  • Monitors and assesses regulatory, compliance, and client requirement changes, and manages their impact on the technology control and assurance environment. 
  • Provides insightful dashboards and reporting to senior leadership and governance committees to support informed risk‑based decision‑making. 
  • Champions continuous improvement in technology risk and assurance practices, and mentors team members within the IS Risk & Compliance function.

Qualifications:

  • Bachelor’s degree in Information Security, IT, or related field 
  • Knowledge of ISO/IEC 27001, NIST SP 800-171, CMMC L2, IRAP/ISM/PSPF/DSPF ASD E8ML3 
  • 5–10 years in IT and controls-related roles 
  • Strong coordination, design, testing, and risk-related skills 
  • Excellent communication, documentation, and stakeholder engagement abilities 

Benefits: 

  • 401K - Employees are eligible to participate on the first day of the month following 3 months of service
  • Paid time off – Our PTO benefit is designed to provide eligible employees with a period of rest and relaxation, sick, and personal time throughout the year. PTO starts at 16 days per year and increases with years of service
  • Holiday Pay - Holiday pay is provided for eligible employees. GHD observes 9 holidays per year. Holiday pay will be based on the regular set schedule for the employee
  • Wellness Benefit - Regular full-term employees are eligible to participate in the wellness reimbursement program. GHD will reimburse 50% of the cost of the following, to a maximum of $250.00 reimbursement annually: health club membership fees, home exercise equipment purchases, bicycles, race, run and marathon entrance fees, smoking cessation programs, weight loss programs (i.e. Weight Watchers, Jenny Craig), Fitbits and fitness tracking devices

 

Salary range: $87,975.00 - $146,625.00 based on experience and location

 

Take on some of the world’s toughest challenges - with everyone at GHD backing you every step of the way.

We'll give you control over your career, empower you to find innovative solutions and help you create a lasting impact.

See where your commitment could take you with GHD.

As a multicultural organization, we encourage individual achievement and recognize the strength of a diverse workforce. GHD is an equal opportunity employer. We provide equal employment opportunities to all qualified employees and applicants without regard to race, creed, religion, national origin, citizenship, color, sex, sexual orientation, gender identity, age, disability, marital status or veteran status.

