Senior / Principal GRC Analyst

The Senior / Principal GRC Analyst is a senior individual contributor responsible for architecting, leading, and scaling enterprise governance, risk, and compliance programs across highly regulated, technology‑driven environments. This role owns implementation and continuous improvement of ISO/IEC 27001, ISO/IEC 42001 (AI Management Systems), GDPR, CCPA/CPRA, and CMMC, and acts as a trusted advisor to security leadership, engineering, legal, and executive stakeholders.

This role requires strong hands‑on cybersecurity knowledge, deep regulatory expertise, and the ability to translate technical security architectures into audit‑ready, business‑aligned compliance outcomes.

• Define and maintain a risk‑based GRC architecture aligned to ISO, NIST, privacy, and regulatory requirements.
• Lead end‑to‑end implementations of:
  • ISO/IEC 27001 (ISMS ownership, risk methodology, SoA, internal audits)
  • ISO/IEC 42001 (AI governance, AI risk and control design)
  • GDPR and CCPA/CPRA privacy programs
  • CMMC / NIST SP 800‑171
• Translate security architectures and technical controls into compliant policies, standards, and evidence.
• Lead enterprise, third‑party, cloud, and AI‑specific risk assessments.
• Serve as primary interface for auditors, assessors, regulators, customers, and partners.
• Drive efficiency using GRC platforms, security telemetry, and AI‑assisted compliance tooling.
• Mentor junior GRC professionals and influence cross‑functional teams without direct authority.

• Strong understanding of defense‑in‑depth architectures, including:
  • Network segmentation, firewalls, IDS/IPS
  • Endpoint Detection & Response (EDR/XDR)
  • Identity and Access Management (IAM), SSO, MFA, RBAC
• Ability to assess and validate technical control effectiveness, not just paper compliance.

• Hands‑on familiarity with cloud security models (AWS, Azure, GCP concepts):
  • Shared responsibility
  • Logging and monitoring
  • Encryption at rest and in transit
  • Secure CI/CD and infrastructure‑as‑code risks
• Ability to map cloud security controls to ISO 27001, NIST, and CMMC requirements.

• Understanding of:
  • Data classification and labeling
  • DLP, encryption, key management
  • Data residency and cross‑border data transfer controls
• Ability to work with engineering teams on privacy‑by‑design implementations.

• Familiarity with:
  • Vulnerability management lifecycle
  • Secure configuration baselines
  • Risk acceptance, compensating controls, and technical debt
• Ability to assess real‑world risk rather than checklist compliance.

• Knowledge of incident response processes, including:
  • Detection, containment, and post‑incident reviews
  • Regulatory and contractual notification requirements
• Ability to validate IR plans against ISO and regulatory expectations.

• Understanding of AI‑related security and governance risks:
  • Training data integrity
  • Model lifecycle and access control
  • Bias, explainability, and accountability considerations
• Exposure to AI‑enabled security and compliance tools preferred.

• CMMC L1–L3 and NIST SP 800‑171 technical control interpretation
• CUI protection, enclave design, boundary controls
• Vendor and subcontractor security assurance
• DFARS‑aligned audit and evidence readiness

• Protection of design IP, fabrication data, and production systems
• Supplier and foundry security risk assessments
• Alignment of cyber, physical, and operational security controls
• Global compliance and data localization considerations

• Cloud‑native ISMS design
• Secure SDLC and CI/CD risk governance
• Customer audits, security questionnaires, trust signals
• AI feature governance and responsible data usage

• ISO 27001 Lead Implementer / Lead Auditor
• CISSP, CISA, CRISC
• CIPM, CIPP/US, CIPP/E
• Experience with Microsoft security and compliance platforms (Purview, Defender, Entra ID) or equivalent
• Exposure to AI governance frameworks, tools, or regulations

Senior GRC Analyst

• Leads major compliance initiatives
• Acts as SME for key frameworks
• Partners closely with security and engineering
• Defines enterprise GRC strategy and architecture
• Advises executives on material cyber and regulatory risk
• Shapes AI governance and future compliance roadmaps
• Mentors and raises overall GRC maturity