
Security and Compliance Analyst
10 hours ago
Job Description

Position: Security and Compliance Analyst
Experience Range: 2 to 4 yrs
Job Location: Bangalore
Work Mode: Hybrid (3 days in the office, 2 days remote)

Job Summary

Anumana is seeking a detail-oriented and proactive Security and Compliance Analyst to ensure our organization's adherence to international security standards and regulatory requirements. The successful candidate will play a key role in the development, implementation, and continuous improvement of Anumana's Information Security Management System (ISMS) in compliance with ISO/IEC 27001, ISO/IEC 27002, and ISO 13485 standards. This role involves close collaboration with multiple departments (HR, Legal, IT, Engineering, and Quality/Regulatory teams) to maintain a robust security and compliance posture. The Security and Compliance Analyst will also be responsible for managing third-party risk assessments, ensuring compliance with global privacy regulations (such as GDPR), and supporting the overall Information Security Program.

Key Responsibilities

Compliance Management
- Maintain and continuously improve the Information Security Management System (ISMS) to comply with ISO/IEC 27001, ISO/IEC 27002, and ISO 13485 standards.
- Coordinate with the Quality and Regulatory team to align security controls with ISO 13485 requirements for medical device software.
- Develop and update policies, procedures, and documentation necessary for maintaining certification status.
- Conduct internal audits and prepare for external audits, ensuring that all necessary evidence is documented and accessible.

Cross-Department Collaboration
- Work closely with HR, Legal, IT, Engineering, and other departments to ensure that information security requirements are consistently integrated across the organization.
- Provide guidance on security and compliance matters, including secure practices, policy enforcement, and risk mitigation.
- Assist in the development of training materials and conduct regular security awareness sessions for staff.

Third-Party Risk Management
- Respond to third-party risk management questionnaires, ensuring that external parties meet Anumana's security standards.
- Perform risk assessments on vendors, suppliers, and partners, evaluating their adherence to security requirements.
- Maintain and update a database of third-party risk assessments and ensure regular monitoring of vendor compliance.

Privacy and Confidentiality Management
- Monitor and enforce privacy compliance across the organization, focusing on GDPR, CCPA, and other relevant global data protection regulations.
- Track data protection incidents and coordinate response and remediation activities.
- Work with Legal and HR teams to ensure confidentiality agreements are properly managed and enforced.

Security Program Oversight
- Support the overall information security program by conducting risk assessments, tracking key performance indicators (KPIs), and managing security metrics.
- Develop and maintain security policies, standards, and guidelines based on best practices and relevant frameworks.
- Monitor and assess compliance with organizational policies, industry standards, and applicable regulations.
- Identify areas of improvement in security controls and recommend mitigation strategies.

Audit Preparation & Evidence Management
- Gather, organize, and maintain documentation of control evidence required for internal and external audits.
- Track audit findings, follow up on remediation actions, and ensure they are completed on time.
- Prepare reports summarizing compliance activities, audit results, and risk assessments for management review.

Qualifications

Required:
- Bachelor's degree in Information Security, Computer Science, Risk Management, or a related field (or equivalent experience).
- 2+ years of experience in information security, compliance, risk management, or related fields.
- Strong understanding of ISO/IEC 27001, ISO/IEC 27002, and ISO 13485 standards.
- Experience with information security frameworks (e.g., NIST, HITRUST) and best practices.
- Knowledge of data protection regulations, including GDPR, CCPA, and other privacy laws.
- Ability to respond to third-party risk assessments and manage vendor compliance.
- Familiarity with GRC (Governance, Risk, and Compliance) tools and methodologies.

Preferred:
- Professional certifications such as CISSP, CISM, CRISC, CCSK, or ISO/IEC 27001 Lead Auditor/Implementer.
- Experience working in the medical device or healthcare sector, with familiarity in Software as a Medical Device (SaaMD).
- Knowledge of security assessment tools and vulnerability management practices.
- Understanding of secure software development and DevSecOps practices.

Skills:
- Strong analytical and problem-solving skills with attention to detail.
- Excellent communication skills, with the ability to present complex information clearly to technical and non-technical stakeholders.
- Highly organized, with strong project management skills and the ability to prioritize tasks effectively.
- Demonstrated ability to work collaboratively with cross-functional teams.
-
Security and Compliance Analyst
2 days ago
Bengaluru, Karnataka, India, Karnataka Anumana Full time Position: Security and Compliance Analyst Experience Range: 3 to 5 yrs Job Location: Bangalore Work Mode: Hybrid (3 days in the office, 2 days remote) Job Summary Anumana is seeking a detail-oriented and proactive Security and Compliance Analyst to ensure our organization’s adherence to international security standards and regulatory requirements. The...
-
Security and Compliance Analyst
2 days ago
Bengaluru, India Anumana Full time Position: Security and Compliance Analyst Experience Range: 3 to 5 yrs Job Location: Bangalore Work Mode: Hybrid (3 days in the office, 2 days remote) Job Summary Anumana is seeking a detail-oriented and proactive Security and Compliance Analyst to ensure our organization’s adherence to international security standards and regulatory requirements. The...
-
Security and Compliance Analyst
2 weeks ago
Bengaluru, India Anumana Full time Position: Security and Compliance Analyst Experience Range: 2 to 4 yrs Job Location: Bangalore Work Mode: Hybrid (3 days in the office, 2 days remote) Job Summary Anumana is seeking a detail-oriented and proactive Security and Compliance Analyst to ensure our organization’s adherence to international security standards and regulatory requirements. The...
-
Security and Compliance Analyst
2 days ago
Bengaluru, India Anumana Full time Position: Security and Compliance Analyst Experience Range: 3 to 5 yrs Job Location: Bangalore Work Mode: Hybrid (3 days in the office, 2 days remote) Job Summary Anumana is seeking a detail-oriented and proactive Security and Compliance Analyst to ensure our organization’s adherence to international security standards and regulatory requirements. The...
-
Security and Compliance Analyst
2 weeks ago
Bengaluru, India Anumana Full time Position: Security and Compliance Analyst Experience Range: 2 to 4 yrs Job Location: Bangalore Work Mode: Hybrid (3 days in the office, 2 days remote) Job Summary Anumana is seeking a detail-oriented and proactive Security and Compliance Analyst to ensure our organization’s adherence to international security standards and regulatory requirements. The...
-
Security and Compliance Analyst
3 weeks ago
Bengaluru, India Simeio Full time About the Role: The Senior Security Analyst in Compliance and Audit is responsible for ensuring the organization meets and maintains compliance with key security frameworks such as ISO27000, ISO27001/18, CSA, SOC2, and ISO27701. This role includes managing the audit lifecycle, overseeing policy and contract governance, and ensuring compliance across all...
-
Security and Compliance Analyst
3 weeks ago
Bengaluru, India Simeio Solutions Full time About the Role: The Senior Security Analyst in Compliance and Audit is responsible for ensuring the organization meets and maintains compliance with key security frameworks such as ISO27000, ISO27001/18, CSA, SOC2, and ISO27701. This role includes managing the audit lifecycle, overseeing policy and contract governance, and ensuring compliance across all...
-
Security and Compliance Analyst
1 week ago
Bengaluru, Karnataka, India Simeio Full time ₹ 12,00,000 - ₹ 36,00,000 per year About the Role: The Senior Security Analyst in Compliance and Audit is responsible for ensuring the organization meets and maintains compliance with key security frameworks such as ISO27000, ISO27001/18, CSA, SOC2, and ISO27701. This role includes managing the audit lifecycle, overseeing policy and contract governance, and ensuring compliance across all...
-
Security and Compliance Analyst
3 days ago
Bengaluru, Karnataka, India Simeio Solutions Full time ₹ 12,00,000 - ₹ 36,00,000 per year About the Role: The Senior Security Analyst in Compliance and Audit is responsible for ensuring the organization meets and maintains compliance with key security frameworks such as ISO27000, ISO27001/18, CSA, SOC2, and ISO27701. This role includes managing the audit lifecycle, overseeing policy and contract governance, and ensuring compliance across all...