Principal GRC Analyst Job at Nexiva Inc, California

  • Nexiva Inc
  • California

Job Description

My name is Himanshu, and I serve as the Recruitment Manager at Nexiva INC. I am reaching out to share an excellent career opportunity for the role of "Principal GRC Analyst" with our esteemed client. If you are interested, please share your updated resume at Himanshu@nexivainc.com.

Job Description

Title: Principal GRC Analyst (Governance, Risk & Compliance) (Hands-on)

Location: 100% Remote (preference for candidates living in Los Angeles, near Vernon, CA, but fully remote is fine).

Description

  • Communication skills are EXTREMELY IMPORTANT: clear, concise communication, able to translate technical risk for non-technical stakeholders and produce executive-ready content.
  • Forgent Power has purchased 3 other companies. All the companies are now merging into 1 entity, and the GRC environment is not fully built out yet.
  • They need someone who has worked in under-developed or not-fully-built-out environments to come in and lead the build-out of the Compliance program, the Risk program, and related programs. Someone who is great with ISO 27001, SOX, and ISMS.

Must Have:

  • Certifications: must have at least 1 of these certifications: ISO/IEC 27001 Lead Implementer or Internal Auditor, CISA, CRISC, or CISM/CISSP.
  • 9+ years' experience as a Senior GRC Analyst (Governance, Risk & Compliance) progressing into lead-level experience in IT Audit/Controls, GRC, and Information Security Risk, including executing ISO 27001 and SOX control activities.
  • 7+ years of hands-on ISMS work (SoA upkeep, internal audit coordination, corrective actions, awareness/training support).
    • Maintain the ISMS operating programs: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.
    • Draft, update, and socialize policies/standards/procedures.
  • Risk Management (IT & OT): maintain cross-framework mappings (ISO 27001, NIST CSF/800-53, CIS Controls, SOC 2) to ensure clear control coverage and traceability.
  • 5+ years' experience in SOX 404 involvement across IAM, change management, computer operations, and application controls (RCM maintenance, testing, and remediation tracking) in ERP (SAP/Oracle) and key applications.
  • Practical use of GRC/IRM platforms (OneTrust, Drata/Vanta) and integrations with IAM (SailPoint/Saviynt/Okta), CMDB, SIEM, ticketing, and vulnerability management tools.
  • The following should be covered in at least the 2 most recent jobs on the resume:
  • Governance & ISMS Operations (ISO/IEC 27001)
  • Maintain the ISMS operating rhythm: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.
  • Draft, update, and socialize policies/standards/procedures (access control, change management, vulnerability management, secure SDLC, incident response, data retention/supplier security).
  • Prepare decision-ready materials and follow-ups for governance forums (Risk & Compliance Steering Committee, CAB, ISO Management Review).

Key Responsibilities

Governance & ISMS Operations (ISO/IEC 27001)

  • Maintain the ISMS operating rhythm: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.
  • Draft, update, and socialize policies/standards/procedures (access control, change management, vulnerability management, secure SDLC, incident response, data retention/supplier security).
  • Prepare decision-ready materials and follow-ups for governance forums (Risk & Compliance Steering Committee, CAB, ISO Management Review).

Risk Management (IT & OT)

  • Run risk identification, assessment (qualitative plus FAIR-lite scenario estimates), treatment planning, and risk acceptance with accountable owners.
  • Maintain cross-framework mappings (ISO 27001, NIST CSF/800-53, CIS Controls, SOC 2) to ensure clear control coverage and traceability.

Third Party Risk (TPRM/VRM)

  • Execute risk-tiered vendor due diligence, contractual security/privacy controls, onboarding/offboarding checks, continuous monitoring, and remediation with business owners and Procurement.
  • Align the program to ISO/IEC 27036 for supplier relationships and partner with Legal on DPAs, security addenda, and privacy clauses (e.g., CCPA/CPRA).

SOX ITGCs & Application Controls

  • Support ownership of SOX 404 controls across IAM, change management, computer operations, and key application controls: scoping, RCM upkeep, walkthroughs, testing, sampling, and remediation tracking across ERP (SAP/Oracle) and in-scope apps.
  • Ensure audit-ready evidence quality and timing SLAs; coordinate with Finance/Accounting on financial reporting risks.

Access Governance & Hybrid Reviewer Model

  • Lead quarterly user access certification campaigns using a hybrid reviewer model, including SoD analysis, exception handling, and revocation SLAs.
  • Align Joiner/Mover/Leaver (JML), privileged access, and emergency/firefighter access to policy and control objectives; integrate with IAM (e.g., SailPoint/Saviynt/Okta) and ticketing (Jira).

Tooling, Automation & CCM

  • Configure/administer GRC/IRM tooling (e.g., OneTrust, Drata/Vanta) and integrate with IAM, CMDB, SIEM, ticketing, and ERP for automated evidence and continuous control monitoring (CCM).
  • Build control analytics for access outliers, change exceptions, and segregation of duties (SoD) conflicts; publish dashboards and alerts.

Audits & Assurance

  • Execute internal audits (ISO 27001 clauses/Annex A, policy/process adherence) and coordinate external audits (SOX, ISO surveillance/certification, SOC 2 as applicable).
  • Perform walkthroughs, sample selection, operating effectiveness testing, issue documentation, and sustainable remediation verification.

Incident, BCP/DR & Privacy Collaboration

  • Ensure incident response governance produces audit-ready artifacts (playbooks, post-incident reviews, root cause, corrective actions).
  • Support BCP/DR governance (BIA updates, test planning/execution, lessons learned).
  • Partner with Legal/Privacy on data protection and records retention; align supplier agreements with privacy obligations.

Education

Bachelor's degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred.

Experience

  • Progressive experience in IT Audit/Controls, GRC, or Information Security Risk, including executing ISO 27001 and SOX control activities.
  • Hands-on ISMS work (SoA upkeep, internal audit coordination, corrective actions, awareness/training support).
  • SOX 404 involvement across IAM, change, computer operations, and application controls (RCM maintenance, testing, and remediation tracking) in ERP (SAP/Oracle) and key applications.
  • Practical use of GRC/IRM platforms (OneTrust, Drata/Vanta) and integrations with IAM (SailPoint/Saviynt/Okta), CMDB, SIEM, ticketing, and vulnerability management tools.
  • Comfort with data/evidence: logs, configuration exports, ERP control parameters; Excel/Power BI/SQL for CCM or audit analytics is a plus.

Certifications

  • ISO/IEC 27001 Lead Implementer or Internal Auditor
  • CISA, CRISC, CISM/CISSP
  • ITIL Foundation; FAIR training

Skills & Competencies

  • Strong control design, documentation, and testing skills with precision in scoping and remediation tracking.
  • Clear, concise communication; able to translate technical risk for non-technical stakeholders and produce executive-ready content.
  • Influences without authority; collaborates with Finance, IT, Plant Ops, and external auditors.
  • Continuous improvement mindset; balances compliance rigor with business sense.
