The Role

You will serve as a GRC and compliance consultant leading audit readiness, compliance program development, and risk management across multiple client engagements. You will own frameworks end-to-end: scoping, evidence collection, gap analysis, remediation guidance, and audit support.

This is a senior role where you run your own workstreams and interface directly with client leadership.

What You Will Do

  • Lead compliance readiness engagements: SOC 2 Type I/II, ISO 27001, HIPAA, US state privacy laws, and UK/EU GDPR. Own the engagement from scoping through audit support
  • Own GRC tooling: manage and maintain compliance platforms like Vanta, Drata, or similar. Responsible for keeping compliance monitoring at 100%, resolving failing checks, and ensuring evidence collection is automated and current
  • Conduct risk assessments: formal risk assessments using frameworks like NIST 800-30, translating technical vulnerabilities into business and compliance risks
  • Build GRC programs from scratch: design policy hierarchies, control frameworks, risk management processes, and evidence collection systems for clients who have nothing in place
  • Perform internal audits: evaluate control design and operating effectiveness, identify gaps, and produce findings reports ready for external auditors
  • Manage vendor security questionnaires: oversee end-to-end completion, coordinate with SMEs, maintain knowledge bases, and ensure quality of submissions at scale
  • Own client relationships: lead meetings with client management and external auditors, provide weekly status updates, manage expectations directly
  • Produce audit-ready documentation: policies, procedures, risk registers, control matrices, evidence packages, and final assessment reports that require no heavy editing

What We Require

  • 5-7 years of hands-on experience in GRC, compliance, or audit, doing actual compliance delivery work
  • Prior consulting or professional services experience is mandatory. You must have managed multiple clients, scoped your own work, and communicated directly with stakeholders
  • Required expertise in both: SOC 2 Type I/II (Trust Services Criteria) and ISO 27001 / ISO 27002 (ISMS implementation and audit)
  • Additional experience in one or more: UK/EU GDPR, US privacy regulations (CCPA/CPRA), or HIPAA (Security Rule, Privacy Rule)
  • Preferred: ISO 42001 (AI Management Systems). This is an emerging framework around which we are actively building this practice
  • Ability to map controls across frameworks: if a client needs SOC 2 and ISO 27001 simultaneously, you should design a unified control set
  • Technical literacy: you must understand cloud security groups, IAM policies, CI/CD pipelines, and how to evaluate whether a technical control is effective
  • Strong writing skills: policies, audit reports, risk assessments. Your deliverables should be client-ready without significant revision
  • Professional-level English: written and verbal. You will be on client calls with US-based leadership and external auditors regularly

What Sets You Apart

  • You've led audit readiness engagements end-to-end, not just collected evidence
  • You can take a client from zero compliance posture to audit-ready
  • You've worked directly with external auditors (Big 4 or mid-market firms)
  • You have hands-on experience with GDPR compliance programs or US state privacy law implementations
  • You hold certifications like CISA, CISM, CRISC, ISO 27001 Lead Auditor/Implementer, or equivalent
  • You've conducted internal audits and can evaluate both design and operating effectiveness of controls

How to Apply

Send an introduction and resume to:

In your introduction, tell us:

  1. Which compliance engagement are you most proud of, and what made it successful?
  2. Which frameworks do you know best, and have you led an engagement through external audit?
  3. Have you ever built a compliance program from scratch? What did that look like?

We don't need a cover letter. We need to understand how you think and what you've actually done.