GRC Specialist

New York, New York, United States - Remote

Oura Health Ltd

Enhance your health journey with Oura. The Oura Ring provides round-the-clock insights into sleep, fitness, and stress for wellness. Now HSA/FSA eligible.


Our mission at Oura is to empower every person to own their inner potential. Our award-winning products help our global community gain a deeper knowledge of their readiness, activity, and sleep quality by using their Oura Ring and its connected app. We've helped 2.5 million people understand and improve their health by providing daily insights and practical steps to inspire healthy lifestyles.

Empowering the world starts with living our values and empowering our team. As a quickly growing company focused on helping people live healthier and happier lives, we ensure that our team members have what they need to do their best work — both in and out of the office. 

We are seeking a GRC Specialist to join our Security Team. This role will serve as a subject matter expert (SME) supporting compliance, risk, and governance initiatives. Working alongside the Governance, Risk, and Compliance Team, the GRC Specialist will help mature our security and compliance programs, such as SOC 2, HIPAA, ISO27001, ISO27799, HITRUST, NIST 800-171, CMMC, and FedRAMP.

The ideal candidate has hands-on experience implementing compliance frameworks, conducting risk assessments, supporting audits, and developing policies that drive security and business alignment.

What you will do:

  • Compliance & Audit Support – Assist with internal and external audits (SOC 2, HIPAA, HITRUST), including evidence collection, process documentation, and remediation tracking.
  • Policy & Procedure Management – Draft, update, and maintain security and compliance policies to align with regulatory requirements and industry best practices.
  • Change Management Security Reviews – Collaborate with Product, Engineering, and Privacy teams to assess security risks in new product features, infrastructure changes, and business processes.
  • Contract Security Reviews – Review client and vendor contracts to assess security and compliance requirements, ensuring appropriate controls are in place before execution.
  • Risk Management – Perform risk assessments, track remediation efforts, and collaborate with stakeholders to mitigate security and compliance risks.
  • Third-Party Risk Management (TPRM) – Conduct vendor risk assessments, evaluate security controls, and support contract security reviews.
  • Access & Security Reviews – Conduct user access audits, assess RBAC effectiveness, and improve offboarding controls.

Requirements

We would love to have you on our team if you have:

  • Experience: 5+ years in GRC, IT compliance, security, or risk management.
  • Compliance Knowledge: Strong understanding of various frameworks such as SOC 2, HIPAA, HITRUST, NIST 800-171, ISO27001, ISO27799, CMMC, FedRAMP, and related frameworks.
  • Technical Skills: Familiarity with IT environments, cloud environments, security controls, and compliance tooling (e.g., ServiceNow, access management systems).
  • Risk & Audit Expertise: Hands-on experience conducting risk assessments, managing audits, and supporting compliance reporting.
  • Strong Communicator: Ability to translate compliance requirements into actionable policies and procedures.
  • Certifications (Preferred): CGRC, CISA, CRISC, CISSP, or equivalent.

Benefits

At Oura, we care about you and your well-being. Everyone here at Oura has a ring of their own and we are continually looking to improve employee health.

What we offer:

  • Competitive salary and equity packages
  • Health, dental, vision insurance, and mental health resources
  • An Oura Ring of your own plus employee discounts for friends & family
  • 20 days of paid time off plus 13 paid holidays plus 8 days of flexible wellness time off
  • Paid sick leave and parental leave

Oura takes a market-based approach to pay, which may vary depending on your location. US locations are categorized into tiers based on a cost of labor index for that geographic area. While most offers will be closer to the starting range, successful candidates' pay will be determined based on job-related skills, experience, qualifications, work location, internal peer equity, and market conditions. These ranges may be modified in the future.

  • Region 1: $112,000 - $140,000 
  • Region 2: $100,000 - $125,000 
  • Region 3: $94,000 - $117,000 

A recruiter can determine your zones/tiers based on your US location.

We are not considering candidates residing in the following states: Alaska (AK), Arkansas (AR), Delaware (DE), Iowa (IA), Mississippi (MS), Missouri (MO), Nebraska (NE), Oklahoma (OK), Rhode Island (RI), South Dakota (SD), Vermont (VT), West Virginia (WV), and Wisconsin (WI).

Oura is proud to be an equal opportunity workplace. We celebrate diversity and are committed to creating an inclusive environment for all employees. Individuals seeking employment at Oura are considered without regard to age, ancestry, color, gender (including pregnancy, childbirth, or related medical conditions), gender identity or expression, genetic information, marital status, medical condition, mental or physical disability, national origin, protected family care or medical leave status, race, religion (including beliefs and practices or the absence thereof), sexual orientation, military or veteran status, or any other characteristic protected by federal, state, or local laws. We will not tolerate discrimination or harassment based on any of these characteristics.

We will work to ensure individuals with disabilities are provided reasonable accommodation to participate in the interview process, to perform essential job functions, and to receive other benefits and privileges of employment.

Disclaimer: Beware of fake job offers!
We’ve been alerted to scammers posing as ŌURA recruiters, especially for remote roles. Please note:

  • Our jobs are listed only on the ŌURA Careers page and trusted job boards.
  • We will never ask for personal information like ID or payment for equipment upfront.
  • Official offers are sent through Docusign after a verbal offer, not via text or email.

Stay cautious and protect your personal details.

To all recruitment agencies: Oura does not accept agency resumes. Please do not forward resumes to our jobs alias, Oura employees, or any other organization's location. Oura is not responsible for any fees related to unsolicited resumes.
