Sr GRC Consultant

Job Role: Sr GRC Analyst

Location: Ahmedaba

Roles and Responsibiliti

e

:

This individual's primary day to day responsibilities is mentioned below (but are not limited to

th

es):

• Plan and conduct end-to-end cybersecurity risk assessments for ICT assets (networks, servers, applications, endpoints, cloud), including threat/vulnerability identification, likelihood/impact analysis, risk scoring, and treatmentplns.

• Lead third-party/vendor risk assessments: due diligence, security questionnaires, evidence reviews, control gap analysis, and ongoing monitoring aligned to ISO 27001 Annex A, SOC 2 trust services criteria, NIST controls, and GDPR r

equ

iremnts.

• Map assessment findings to GRC frameworks and regulatory requirements; produce compliance-ready reports, risk registers, and executivesummries.

• Collaborate with IT and engineering on security architecture reviews for networks, servers, and cloud; recommend hardening, segmentation, and secure configur

ati

on baslines.

• Support policy, standard, and procedure development for risk management, vulnerability management, incident response, access control, and as

s

et mangement.

• Prepare materials for internal/external audits (ISO 27001, SOC 2) and respond to client security a

sse

ssments nd RFPs.

• Evaluate and secure cloud environments (AWS, Azure, GCP) by conducting cloud-specific risk assessments, reviewing identity and access management, ensuring workload segmentation, and checking adherence to cloud security posture managem

e

nt best ractices.

• Assess compliance of cloud service providers with frameworks such as ISO 27017/27018, CIS Cloud Benchmarks, and guide the deployment of secure and resili

ent

cloud arcitectures.

• Formulation and testing of Business Continuity and Disaster Recovery Plans; identify ICT risks impacting availability and participate in tabletop and failover exercises

t

o ensure peparedness.

• Evaluate the use of cryptographic protocols and encryption solutions for data at rest, in transit, and in use across enterpri

se

systems and loud assets.

• Knowledge of security controls like Authentication, Authoriz

a

tion, Data Scurity

, I

AM

RequiredQualifications

• Bachelor's degree in computer science, Information Security, Engineering, or e

q

uivalent practcal experience.

• 2+ years of hands-on experience in cybersecurity risk assessments of ICT environments, including VAPT o

ver

sight and remedition management.

• Strong knowledge of networking (TCP/IP, routing, switching, firewalls, VPNs, proxies), server platforms (Windows/Linux), directory services

,

virtualization,and cloud basics.

• Experience supporting ISO 27001 certification or S

OC

2 Type 1/Type 2 rediness and audits.

• Demonstrated experience implementing or assessing against GRC frameworks: ISO/IEC 27001/27002, SOC 2, NIST CSF/800-53/800-1

7

1, and GDPR securiy/privacy controls.

• Experience with third-party risk management: security questionnaires, SIG/CAIQ or equivalent, due diligence

ev

idence review, and cntinuous monitoring.

• Proficiency with vulnerability management tools and VAPT methodologies; ability to inte

r

pret CVEs/CVSS and pioritize remediation.

• Strong documentation and reporting skills with the ability to communicat

e t

echnical risks to non-echnical stakeholders.

• Understanding of secure configuration benchmarks (e.g., CIS), patching cycles, logging/monitoring fu

n

damentals, and inciden response coor

din

ation.

• Mandatory cert

fications CEH/Security +

Preferred Qualifications

• Certifications:

C

ISM, CISA, ISO 27001 Lea Auditor/Lead Implementer.

• Hands-on exposure to SIEM, EDR, SAST/DAST, cloud se

cur

ity posture management, a

n container security basic.

• Tools and Technologies:

o Vulnerability/VA

PT

: Nessus, Qualys, OpenVAS,Burp Suite, Nmap, Metasploit.

o Governance/Risk/Compliance: risk registers, control libraries, SIG/CAIQ, ISO

270

01 documentation suites; tickting for remediation tracking.

o Infrastructure: Windows/Linux server administration fundamentals, network device c

o

nfiguration review, cloud (AW/Azure/GCP) security baselines.

o Monitoring: SIEM/EDR exposure

for context during risk assessmen