Gurugram, Haryana, India
Information Technology
Full-Time
Arctera.io
Overview
Job Summary:
The Info Sec Analyst – (GRC) will be responsible for managing policy exceptions, policy management, and supporting internal and external audits. The role requires a strong understanding of ISO 27001, NIST CSF, and other relevant security frameworks. The analyst will work closely with various stakeholders to ensure compliance, assess risks, and improve the organization’s security posture.
Key Responsibilities:
- Policy Management: Develop, review, update, and enforce information security policies, standards, and procedures in alignment with industry best practices.
- Policy Exception Handling: Evaluate and process policy exception requests, perform risk assessments, and recommend appropriate mitigation measures.
- Audit Support: Assist in preparing for and responding to internal and external audits, including evidence collection, gap analysis, and remediation tracking.
- Compliance & Risk Assessments: Conduct security and risk assessments, including vendor assessments and contract reviews, to ensure compliance with ISO 27001, NIST CSF, and other regulatory requirements.
- Risk-Based Analysis: Identify attack vectors in security architecture reviews.
- Documentation & Reporting: Maintain accurate records of security policies, exceptions, and audit findings, and prepare reports for management review.
- Security Awareness: Support security awareness programs by educating employees on policies, compliance requirements, and risk management best practices.
- Stakeholder Collaboration: Work with IT, security, legal, and business teams to ensure security policies and controls align with business objectives.
- Continuous Improvement: Monitor evolving cybersecurity regulations and frameworks to enhance security policies and governance processes.
Required Skills & Experience:
- Experience: 2+ years in information security, governance, risk, and compliance (GRC) roles.
- Knowledge of Standards & Frameworks: Strong understanding of ISO 27001, NIST CSF, and other compliance frameworks.
- Audit & Compliance Experience: Familiarity with internal and external audit processes, regulatory requirements, risk management, vendor assessments, and contract reviews.
- Technical Knowledge: Understanding of IT security concepts, risk assessment methodologies, and security controls.
- Communication & Collaboration: Strong written and verbal communication skills to interact with stakeholders across different functions.
- Analytical Skills: Ability to assess security risks, review policy exceptions, and recommend appropriate mitigation strategies.
Education & Certifications:
- Certifications such as CISA, CISSP, ISO 27001 Lead Auditor/Implementer, or equivalent are highly desirable.
- Bachelor’s degree in Information Technology, Cybersecurity, or a related field.