Manager - GRC

Department: Audit & Control
Applicants: 129+
Posted: 1 week ago
Experience: 5-8 years
Location: Bengaluru / Bangalore, Karnataka
Work from office


Job Description

Position – Governance, Risk and Compliance

Min Experience – Min 6 Years

Location – Mumbai / Bangalore

Role Overview

The Manager / Senior Manager – GRC will be responsible for driving the organization's Governance, Risk, and Compliance (GRC) initiatives, ensuring alignment with regulatory, contractual, and cybersecurity requirements. The role involves managing security governance frameworks, enterprise risk management, compliance audits, supplier security assessments, cybersecurity awareness initiatives, and executive-level reporting.

The candidate will work closely with internal stakeholders, auditors, customers, suppliers, and leadership teams to strengthen the organization's cybersecurity posture and ensure compliance with applicable standards and regulations.

Key Responsibilities

Governance, Risk & Compliance (GRC)

  • Manage and govern Information Security frameworks such as ISO 27001, ISO 27701, ISO 20000, SOC 2, HIPAA, PCI DSS, NIST, DPDP, and other applicable standards
  • Drive enterprise-wide Governance, Risk & Compliance initiatives
  • Maintain and improve ISMS, PIMS, and ITSM programs
  • Develop, review, and maintain security policies, procedures, standards, guidelines, and templates
  • Ensure periodic review and continuous improvement of cybersecurity governance processes
  • Track compliance obligations and ensure closure of non-conformities and audit observations

Risk Management

  • Execute end-to-end cybersecurity risk management lifecycle
  • Conduct risk assessments, gap assessments, and control evaluations
  • Maintain enterprise risk register and track mitigation plans
  • Identify cybersecurity risks related to applications, infrastructure, cloud, vendors, and business operations
  • Work with stakeholders to define remediation plans and risk treatment strategies
  • Monitor security KPIs, KRIs, and compliance metrics

Audit & Compliance Management

  • Coordinate and manage internal audits, external audits, certification audits, surveillance audits, and customer security assessments
  • Represent the organization during client audits and compliance reviews
  • Coordinate with certifying bodies, auditors, and regulatory stakeholders
  • Ensure audit readiness and timely closure of findings
  • Prepare audit schedules, reports, evidence documentation, and compliance dashboards
  • Support regulatory and contractual compliance requirements

Security Awareness & Training

  • Develop and execute cybersecurity awareness and training programs across the organization
  • Conduct periodic awareness campaigns, phishing awareness initiatives, and security communication activities
  • Publish advisory notes, security alerts, awareness mailers, and best practice guidelines
  • Promote awareness related to ISMS, ITSM, privacy, and cybersecurity compliance requirements

Management Reporting & Executive Communication

  • Prepare cybersecurity dashboards, scorecards, and management review presentations
  • Create executive-level cybersecurity decks for leadership and management reviews
  • Present security posture, risks, audit status, compliance metrics, and improvement plans to senior management
  • Support Management Review Meetings with reports, metrics, and action tracking

Supplier & Third-Party Security Management

  • Conduct supplier/vendor cybersecurity risk assessments and due diligence reviews
  • Evaluate supplier security controls, compliance posture, and contractual obligations
  • Track vendor compliance findings and remediation activities
  • Collaborate with procurement and legal teams on third-party security governance

Contract & Security Review

  • Review MSAs, SOWs, NDAs, RFPs, RFIs, and customer security requirements from a cybersecurity compliance perspective
  • Provide security and compliance inputs during customer onboarding and procurement processes
  • Ensure contractual alignment with regulatory and organizational cybersecurity requirements
  • Support security questionnaires and customer assurance activities

Knowledge:

  • Information Security frameworks and standards:
      ◦ ISO 27001:2022
      ◦ ISO 27701
      ◦ ISO 20000
      ◦ NIST CSF
      ◦ SOC 2
      ◦ HIPAA
      ◦ PCI DSS
      ◦ DPDP Act
  • Risk management methodologies and audit practices
  • Security governance and compliance management
  • Third-party/vendor risk management
  • Network and infrastructure security concepts
  • Regulatory and contractual cybersecurity compliance requirements

Skills:

  • Governance of multiple security and compliance frameworks
  • Enterprise risk assessment and mitigation planning
  • Audit management and stakeholder coordination
  • Policy and documentation management
  • Vendor/supplier security assessment
  • MSA, RFP, and contractual security review
  • Cybersecurity reporting and dashboard preparation
  • Executive presentation and management communication
  • Strong analytical and problem-solving skills
  • Excellent verbal and written communication
  • Ability to manage cross-functional stakeholders

Tasks:

  • Review and analyse various InfoSec requirements and advise on implementation
  • Act as Change Approver for Information Security requirements
  • Prepare and publish advisory notes, InfoSec awareness mailers, etc.
  • Develop and maintain documents (policies, procedures, templates) and records related to ISO 27001/27701, ISO 20000, NIST, SOC 2, HIPAA, PCI DSS, and DPDPA
  • Create and periodically review policies, procedures, and templates
  • Promote awareness related to ISMS and ITSM
  • Prepare audit schedules/plans, conduct internal audits periodically, publish reports, and track findings to closure
  • Initiate necessary corrective and preventive action
  • Measure and monitor ISMS and ITSM process performance/KPIs periodically
  • Prepare Management Review Meeting reports; plan, schedule, and conduct periodic Management Review Meetings
  • Coordinate with the Certifying Body
  • Represent management during external audits (certification and surveillance audits, client InfoSec audits, etc.)
  • Ensure compliance of all functions with ISO 27001/27701, ISO 20000, NIST, SOC 2, HIPAA, and PCI DSS
  • Report to top management on performance, opportunities for improvement, issues, non-conformities, audit reports, etc., related to ITSM and ISMS

Soft Skills:

  • Strong communication and report writing skills
  • Analytical and problem-solving ability
  • Stakeholder management and teamwork
  • Proficiency in MS Excel, Word, and PowerPoint
  • Presentation and audit handling skills
  • Proactive mindset with strong ownership

Certifications (Any Two or more):

  • ISMS LA/LI ISO-27001:2022
  • PIMS LA/LI ISO-27701:2025
  • ITSM LA/LI ISO-20000:2018
  • CEH, CHFI, CISSP or CISA certificate

Education:

  • Any Graduate in Information Technology

Experience:

  • 5 to 8 years of experience in managing the Information Security framework of an organization

Skills (tags)

Audit, Compliance Management, Assurance, Audit Management, Audit Reports, Audits, External Audits, Governance, GRC, Internal Audits, Management Review, Management Reporting, Preventive Action, Report Writing, Reporting, SOC, SOC 2

About Company

Anunta is a leading Managed Digital Workspace provider, enabling organizations to modernize their End User Computing (EUC) for enhanced workforce productivity, agility and security. With a strong focus on cloud technologies, Anunta offers a comprehensive suite of services including Workspace-as-a-Service (WaaS), Desktop-as-a-Service (DaaS), Application Virtualization, and Managed Security Services. Anunta serves a diverse range of industries, including financial services, healthcare, and technology, with a global presence in North America, Europe, and Asia Pacific. The company is committed to delivering innovative solutions and exceptional customer service, empowering businesses to thrive in the digital age.

Important dates & deadlines

Application Deadline: 27 Jul 26, 02:12 PM IST
