Altera

Senior / Principal GRC Analyst

Altera  •  Bengaluru, IN (Onsite)  •  16 days ago

Job Description

The Senior / Principal GRC Analyst is a senior individual contributor responsible for architecting, leading, and scaling enterprise governance, risk, and compliance programs across highly regulated, technology‑driven environments. This role owns implementation and continuous improvement of ISO/IEC 27001, ISO/IEC 42001 (AI Management Systems), GDPR, CCPA/CPRA, and CMMC, and acts as a trusted advisor to security leadership, engineering, legal, and executive stakeholders.

This role requires strong hands‑on cybersecurity knowledge, deep regulatory expertise, and the ability to translate technical security architectures into audit‑ready, business‑aligned compliance outcomes.

Core Responsibilities (All Environments)

  • Define and maintain a risk‑based GRC architecture aligned to ISO, NIST, privacy, and regulatory requirements.
  • Lead end‑to‑end implementations of:
    • ISO/IEC 27001 (ISMS ownership, risk methodology, SoA, internal audits)
    • ISO/IEC 42001 (AI governance, AI risk and control design)
    • GDPR and CCPA/CPRA privacy programs
    • CMMC / NIST SP 800‑171
  • Translate security architectures and technical controls into compliant policies, standards, and evidence.
  • Lead enterprise, third‑party, cloud, and AI‑specific risk assessments.
  • Serve as primary interface for auditors, assessors, regulators, customers, and partners.
  • Drive efficiency using GRC platforms, security telemetry, and AI‑assisted compliance tooling
  • Mentor junior GRC professionals and influence cross‑functional teams without direct authority.

Technical Cybersecurity Skills & Expectations

Security Architecture & Controls

  • Strong understanding of defense‑in‑depth architectures, including:
    • Network segmentation, firewalls, IDS/IPS
    • Endpoint Detection & Response (EDR/XDR)
    • Identity and Access Management (IAM), SSO, MFA, RBAC
  • Ability to assess and validate technical control effectiveness, not just paper compliance.

Cloud & SaaS Security

  • Hands‑on familiarity with cloud security models (AWS, Azure, GCP concepts):
    • Shared responsibility
    • Logging and monitoring
    • Encryption at rest and in transit
    • Secure CI/CD and infrastructure‑as‑code risks
  • Ability to map cloud security controls to ISO 27001, NIST, and CMMC requirements

Data Protection & Privacy Engineering

  • Understanding of:
    • Data classification and labeling
    • DLP, encryption, key management
    • Data residency and cross‑border data transfer controls
  • Ability to work with engineering teams on privacy‑by‑design implementations.

Vulnerability & Risk Management

  • Familiarity with:
    • Vulnerability management lifecycle
    • Secure configuration baselines
    • Risk acceptance, compensating controls, and technical debt
  • Ability to assess real‑world risk rather than checklist compliance.

Incident Response & Monitoring

  • Knowledge of incident response processes, including:
    • Detection, containment, and post‑incident reviews
    • Regulatory and contractual notification requirements
  • Ability to validate IR plans against ISO and regulatory expectations.

AI & Emerging Technology Risk

  • Understanding of AI‑related security and governance risks:
    • Training data integrity
    • Model lifecycle and access control
    • Bias, explainability, and accountability considerations
  • Exposure to AI‑enabled security and compliance tools preferred.

Industry‑Specific Skills

Defense / Government Contractors

  • CMMC L1–L3 and NIST SP 800‑171 technical control interpretation
  • CUI protection, enclave design, boundary controls
  • Vendor and subcontractor security assurance
  • DFARS‑aligned audit and evidence readiness

Semiconductor / Hardware & Manufacturing

  • Protection of design IP, fabrication data, and production systems
  • Supplier and foundry security risk assessments
  • Alignment of cyber, physical, and operational security controls
  • Global compliance and data localization considerations

SaaS / Cloud‑Native

  • Cloud‑native ISMS design
  • Secure SDLC and CI/CD risk governance
  • Customer audits, security questionnaires, trust signals
  • AI feature governance and responsible data usage

Qualifications:

Required Qualifications

  • 7–12+ years of experience in GRC, security, privacy, or risk management
  • Proven ownership of ISO 27001, GDPR/CCPA, and CMMC or NIST 800‑171 programs.
  • Strong technical and regulatory interpretation skills.
  • Ability to operate independently at senior or principal IC level.

Preferred Certifications & Experience

  • ISO 27001 Lead Implementer / Lead Auditor
  • CISSP, CISA, CRISC
  • CIPM, CIPP/US, CIPP/E
  • Experience with Microsoft security and compliance platforms (Purview, Defender, Entra ID) or equivalent
  • Exposure to AI governance frameworks, tools, or regulations

Role Leveling Expectations

Senior GRC Analyst

  • Leads major compliance initiatives
  • Acts as SME for key frameworks
  • Partners closely with security and engineering
  • Defines enterprise GRC strategy and architecture
  • Advises executives on material cyber and regulatory risk
  • Shapes AI governance and future compliance roadmaps
  • Mentors and raises overall GRC maturity

Job Type:

Regular

Shift:

Primary Location:

Bengaluru, Karnataka, India

Additional Locations:

Posting Statement:

All qualified applicants will receive consideration for employment without regard to race, color, religion, religious creed, sex, national origin, ancestry, age, physical or mental disability, medical condition, genetic information, military and veteran status, marital status, pregnancy, gender, gender expression, gender identity, sexual orientation, or any other characteristic protected by local law, regulation, or ordinance.

About Altera

Altera: Accelerating Innovators

Altera provides leadership programmable solutions that are easy to use and deploy in applications from cloud to edge, offering limitless AI possibilities. Our end-to-end broad portfolio of products, including FPGAs, CPLDs, Intellectual Property, development tools, System on Modules, SmartNICs and IPUs, provides the flexibility to accelerate innovation. Altera is helping to shape the future through pioneering innovation that unlocks extraordinary possibilities for everyone on the planet.

Industry: Hardware & Semiconductors

Company Size: 1,001-5,000 employees

Headquarters: San Jose, California

Year Founded: 1983