Sr GRC Consultant

Job Role: Sr GRC/GRC Analyst

Roles and Responsibilities:

This individual's primary day to day responsibilities is mentioned below (but are not limited to these):

• Plan and conduct end-to-end cybersecurity risk assessments for ICT assets (networks, servers, applications, endpoints, cloud), including threat/vulnerability identification, likelihood/impact analysis, risk scoring, and treatment plans.
• Lead third-party/vendor risk assessments: due diligence, security questionnaires, evidence reviews, control gap analysis, and ongoing monitoring aligned to ISO 27001 Annex A, SOC 2 trust services criteria, NIST controls, and GDPR requirements.
• Map assessment findings to GRC frameworks and regulatory requirements; produce compliance-ready reports, risk registers, and executive summaries.
• Collaborate with IT and engineering on security architecture reviews for networks, servers, and cloud; recommend hardening, segmentation, and secure configuration baselines.
• Support policy, standard, and procedure development for risk management, vulnerability management, incident response, access control, and asset management.
• Prepare materials for internal/external audits (ISO 27001, SOC 2) and respond to client security assessments and RFPs.
• Evaluate and secure cloud environments (AWS, Azure, GCP) by conducting cloud-specific risk assessments, reviewing identity and access management, ensuring workload segmentation, and checking adherence to cloud security posture management best practices.
• Assess compliance of cloud service providers with frameworks such as ISO 27017/27018, CIS Cloud Benchmarks, and guide the deployment of secure and resilient cloud architectures.
• Formulation and testing of Business Continuity and Disaster Recovery Plans; identify ICT risks impacting availability and participate in tabletop and failover exercises to ensure preparedness.
• Evaluate the use of cryptographic protocols and encryption solutions for data at rest, in transit, and in use across enterprise systems and cloud assets.
• Knowledge of security controls like Authentication, Authorization, Data Security, IAM

Required Qualifications

• Bachelor's degree in computer science, Information Security, Engineering, or equivalent practical experience.
• 2+ years of hands-on experience in cybersecurity risk assessments of ICT environments, including VAPT oversight and remediation management.
• Strong knowledge of networking (TCP/IP, routing, switching, firewalls, VPNs, proxies), server platforms (Windows/Linux), directory services, virtualization, and cloud basics.
• Experience supporting ISO 27001 certification or SOC 2 Type 1/Type 2 readiness and audits.
• Demonstrated experience implementing or assessing against GRC frameworks: ISO/IEC 27001/27002, SOC 2, NIST CSF/800-53/800-171, and GDPR security/privacy controls.
• Experience with third-party risk management: security questionnaires, SIG/CAIQ or equivalent, due diligence evidence review, and continuous monitoring.
• Proficiency with vulnerability management tools and VAPT methodologies; ability to interpret CVEs/CVSS and prioritize remediation.
• Strong documentation and reporting skills with the ability to communicate technical risks to non-technical stakeholders.
• Understanding of secure configuration benchmarks (e.g., CIS), patching cycles, logging/monitoring fundamentals, and incident response coordination.
• Mandatory certifications CEH/Security +

Preferred Qualifications

• Certifications: CISM, CISA, ISO 27001 Lead Auditor/Lead Implementer.
• Hands-on exposure to SIEM, EDR, SAST/DAST, cloud security posture management, and container security basics.
• Tools and Technologies:

o Vulnerability/VAPT: Nessus, Qualys, OpenVAS, Burp Suite, Nmap, Metasploit.

o Governance/Risk/Compliance: risk registers, control libraries, SIG/CAIQ, ISO 27001 documentation suites; ticketing for remediation tracking.

o Infrastructure: Windows/Linux server administration fundamentals, network device configuration review, cloud (AWS/Azure/GCP) security baselines.

o Monitoring: SIEM/EDR exposure for context during risk assessments and validation of remediation.