GRA Analyst

IT Security Governance, Risk, and Assurance

We believe that we make a difference every day. To do that, we need committed and engaged employees. Our people are accountable for delivering world-class service and they are passionate about making the world a safer and more secure place. Our teams operate with integrity and respect for one another fueled by an entrepreneurial spirit.

What we look for

An effective communicator, you are a confident team player with a genuine passion for making things happen in a dynamic organization. If you’re ready to take on a wide range of responsibilities and are committed to seeking out new ways to make a difference, this role is for you.

Job purpose

Reporting to the Cyber & IT Risk Team Lead, your role will be focused on identifying, assessing, and mitigating risks related to cybersecurity, IT systems, and business processes. Your role will also support the implementation of our organization’s strategies around Cyber & IT controls by maintaining and developing new ways of doing things and creating cross-functional business relationships within Technology and other business units.

The position is expected to work with internal stakeholders and take a supportive role in analysing key risks, establishing regular dialogue between risk and control owners to identify areas for improvement and develop strategies to enhance security of IT and business processes.

Main Responsibilities

• Manage and mature the Information Security & IT risk control framework to enable effective operation and monitoring of controls.
• Document and report control failures and gaps to stakeholders. Provide remediation guidance and occasionally drive projects to ensure deployment of mitigation actions.
• Develop security policies, standards, and procedures to drive standardization and centralization of control activities.
• Perform risk assessment activities across the organization, identify potential risks within IT and business processes, and recommend risk mitigation strategies and controls.
• Ensure risks and remediation plans are regularly addressed and implemented by risk and control owners.
• Support activities to maintain compliance with relevant regulations and standards (e.g., ISO27001, NIST, GDPR).
• Audit and document processes and prepare reports summarizing findings and insights for management and stakeholders.

Required Qualifications

Minimum Qualifications

• Bachelor’s degree within a relevant field and at least 3 years of direct experience within Information Security & IT risk and compliance.
• Experience working in GRC departments and direct experience working in:
  • Defining, creating, and executing of an Information Security & IT risk control framework, not only internally but also for third-party and partners. It is key also have experienced in documenting security procedures, policies, and standards.
  • Performing information Information Security & IT assessments and conducting compliance and maturity assessments using international standards and best practices from various industries. 
  • Ensuring that all risks, vulnerabilities, and non-conformities are actively managed, monitored, documented, and mitigated if possible.
  • Defining and tracking KPIs/KRIs and generating reporting adapted for different levels and stakeholders.
  • Performing Information Security & IT controls audits and executing remediation plans not only internally but also third party and partners.

• Work experience in a professional environment preferred, including:
  • Demonstrated planning and problem-solving skills and ability to analyze complex technical issues.
  • Thorough understanding of market structures, including relevant regulatory compliance requirements (SOC 2, NIST, GDPR, COBIT, ITIL, etc.).
  • Ability to build professional relationships and collaborate effectively with peers and stakeholders.
  • Experience organizing and carrying out risk assessments and compliance projects.
  • Fluent written and verbal communication skills in English.
  • Travel availability.

Preferred qualifications

• Relevant security certifications: CISSP, CRISC, CISM, CISA, Security+, ISO 27001

• Proficient with MS Office, project management, and at least one GRC tool (recommended).
• Familiarity with auditing, monitoring, controlling, and process assessment.