
Sr GRC Consultant
2 weeks ago
Job Description
Job Role: Sr GRC Analyst
Location: Ahmedabad
Roles and Responsibilities:
This individual's primary day-to-day responsibilities are mentioned below (but are not limited to these):
Plan and conduct end-to-end cybersecurity risk assessments for ICT assets (networks, servers, applications, endpoints, cloud), including threat/vulnerability identification, likelihood/impact analysis, risk scoring, and treatment plans.
Lead third-party/vendor risk assessments: due diligence, security questionnaires, evidence reviews, control gap analysis, and ongoing monitoring aligned to ISO 27001 Annex A, SOC 2 trust services criteria, NIST controls, and GDPR requirements.
Map assessment findings to GRC frameworks and regulatory requirements; produce compliance-ready reports, risk registers, and executive summaries.
Collaborate with IT and engineering on security architecture reviews for networks, servers, and cloud; recommend hardening, segmentation, and secure configuration baselines.
Support policy, standard, and procedure development for risk management, vulnerability management, incident response, access control, and asset management.
Prepare materials for internal/external audits (ISO 27001, SOC 2) and respond to client security assessments and RFPs.
Evaluate and secure cloud environments (AWS, Azure, GCP) by conducting cloud-specific risk assessments, reviewing identity and access management, ensuring workload segmentation, and checking adherence to cloud security posture management best practices.
Assess compliance of cloud service providers with frameworks such as ISO 27017/27018, CIS Cloud Benchmarks, and guide the deployment of secure and resilient cloud architectures.
Formulation and testing of Business Continuity and Disaster Recovery Plans; identify ICT risks impacting availability and participate in tabletop and failover exercises to ensure preparedness.
Evaluate the use of cryptographic protocols and encryption solutions for data at rest, in transit, and in use across enterprise systems and cloud assets.
Knowledge of security controls like Authentication, Authorization, Data Security, IAM
Required Qualifications
Bachelor's degree in Computer Science, Information Security, Engineering, or equivalent practical experience.
2+ years of hands-on experience in cybersecurity risk assessments of ICT environments, including VAPT oversight and remediation management.
Strong knowledge of networking (TCP/IP, routing, switching, firewalls, VPNs, proxies), server platforms (Windows/Linux), directory services, virtualization, and cloud basics.
Experience supporting ISO 27001 certification or SOC 2 Type 1/Type 2 readiness and audits.
Demonstrated experience implementing or assessing against GRC frameworks: ISO/IEC 27001/27002, SOC 2, NIST CSF/800-53/800-171, and GDPR security/privacy controls.
Experience with third-party risk management: security questionnaires, SIG/CAIQ or equivalent, due diligence evidence review, and continuous monitoring.
Proficiency with vulnerability management tools and VAPT methodologies; ability to interpret CVEs/CVSS and prioritize remediation.
Strong documentation and reporting skills with the ability to communicate technical risks to non-technical stakeholders.
Understanding of secure configuration benchmarks (e.g., CIS), patching cycles, logging/monitoring fundamentals, and incident response coordination.
Mandatory certifications: CEH/Security+
Preferred Qualifications
Certifications: CISM, CISA, ISO 27001 Lead Auditor/Lead Implementer.
Hands-on exposure to SIEM, EDR, SAST/DAST, cloud security posture management, and container security basics.
Tools and Technologies:
o Vulnerability/VAPT: Nessus, Qualys, OpenVAS, Burp Suite, Nmap, Metasploit.
o Governance/Risk/Compliance: risk registers, control libraries, SIG/CAIQ, ISO 27001 documentation suites; ticketing for remediation tracking.
o Infrastructure: Windows/Linux server administration fundamentals, network device configuration review, cloud (AWS/Azure/GCP) security baselines.
o Monitoring: SIEM/EDR exposure for context during risk assessments.
Sr GRC Consultant
2 weeks ago
Ahmedabad, Gujarat, India | TechDefence | Full time | ₹ 80,00,000 - ₹ 2,00,00,000 per year