Risk Control Officer

Sterling Global Call Center Inc.

Urgent
₺35.9-71.8K [Monthly]
On-site - Pasig, 3-5 Yrs Exp, University graduate, Contract

Job Description

The Risk & Compliance Officer owns the day-to-day operation of the organization’s Governance, Risk, and Compliance program. The role identifies and assesses risks, maintains the control framework, drives remediation with control owners, and ensures ongoing compliance with applicable standards, contracts, and regulations (e.g., ISO 27001:2022, SOC 2, PCI DSS, Data Privacy Act of 2012, HIPAA as applicable). The officer partners with IT, Security, Operations, Legal, HR, and third parties to keep risk within appetite and audit-ready.


Key Responsibilities


  • Governance & Policy: Maintain and update Information Security & Privacy policies; ensure dissemination and alignment with control frameworks.
  • Risk Management: Conduct periodic enterprise and vendor risk assessments; maintain the Risk Register and oversee mitigation plans.
  • Compliance & Audits: Lead readiness for ISO 27001, SOC 2, and regulatory audits; support client due diligence and gap remediation.
  • Vendor Security: Manage supplier security due diligence, contract reviews, and ongoing risk monitoring.
  • Control Assurance: Validate and monitor key security controls (access, vulnerability, backup, EDR, SIEM, encryption).
  • Training & Awareness: Implement annual security and privacy training; conduct targeted awareness campaigns.
  • Incident Support: Assist in incident response, RCA, and change management reviews.
  • Reporting: Deliver regular GRC dashboards and act as point of contact for audits and client security inquiries.


Qualifications


  • Education: Bachelor’s degree in IT, Information Security, Business, or related field (or equivalent experience).
  • Experience: 3–7+ years in Risk, Audit, Information Security, or Compliance (GRC) roles.
  • Frameworks: Hands-on with at least two — ISO 27001, SOC 2, PCI DSS, NIST CSF, HIPAA, or PH Data Privacy Act.
  • Technical Skills: Strong grasp of access control, vulnerability management, incident response, SIEM, and cloud/SaaS security.
  • Communication: Able to translate technical risk into business impact.

Preferred Certifications: ISO 27001 Lead Implementer/Auditor, CISA, CISM, CRISC, PCI ISA/PCIP, CIPM/CIPT, ITIL, or PH DPO training.

Tools Familiarity: GRC platforms (ServiceNow, OneTrust, Drata), Identity (Azure AD, Okta), SIEM/EDR (Sentinel, Defender), and cloud (Azure/AWS/GCP).

Core Competencies: Risk analysis, control testing, vendor management, policy writing, stakeholder engagement, and project execution.

Success Indicators: Timely audit closures, high control pass rates, risk reduction, strong training compliance, and SLA adherence.


James Villajuan

Recruiter, Sterling Global Call Center Inc.

Active today

Work location

15, Raffles Corporate Center. Raffles Corporate Center Building, F. Ortigas Jr. Rd, Ortigas Center, Pasig, Metro Manila, Philippines

Posted 22 October 2025
