Manager - GRC

Anunta

Bengaluru | Full-time | Mid Level | On-site

Job Description

Position: Manager / Senior Manager – Governance, Risk and Compliance (GRC)
Minimum Experience: 6 years
Location: Mumbai / Bangalore

Role Overview

The Manager / Senior Manager – GRC will be responsible for driving the organization's Governance, Risk, and Compliance (GRC) initiatives, ensuring alignment with regulatory, contractual, and cybersecurity requirements. The role involves managing security governance frameworks, enterprise risk management, compliance audits, supplier security assessments, cybersecurity awareness initiatives, and executive-level reporting. The candidate will work closely with internal stakeholders, auditors, customers, suppliers, and leadership teams to strengthen the organization's cybersecurity posture and ensure compliance with applicable standards and regulations.

Key Responsibilities

Governance, Risk & Compliance (GRC)
- Manage and govern Information Security frameworks such as ISO 27001, ISO 27701, ISO 20000, SOC 2, HIPAA, PCI DSS, NIST, DPDP, and other applicable standards
- Drive enterprise-wide Governance, Risk & Compliance initiatives
- Maintain and improve the ISMS, PIMS, and ITSM programs
- Develop, review, and maintain security policies, procedures, standards, guidelines, and templates
- Ensure periodic review and continuous improvement of cybersecurity governance processes
- Track compliance obligations and ensure closure of non-conformities and audit observations

Risk Management
- Execute the end-to-end cybersecurity risk management lifecycle
- Conduct risk assessments, gap assessments, and control evaluations
- Maintain the enterprise risk register and track mitigation plans
- Identify cybersecurity risks related to applications, infrastructure, cloud, vendors, and business operations
- Work with stakeholders to define remediation plans and risk treatment strategies
- Monitor security KPIs, KRIs, and compliance metrics

Audit & Compliance Management
- Coordinate and manage internal audits, external audits, certification audits, surveillance audits, and customer security assessments
- Represent the organization during client audits and compliance reviews
- Coordinate with certifying bodies, auditors, and regulatory stakeholders
- Ensure audit readiness and timely closure of findings
- Prepare audit schedules, reports, evidence documentation, and compliance dashboards
- Support regulatory and contractual compliance requirements

Security Awareness & Training
- Develop and execute cybersecurity awareness and training programs across the organization
- Conduct periodic awareness campaigns, phishing awareness initiatives, and security communication activities
- Publish advisory notes, security alerts, awareness mailers, and best-practice guidelines
- Promote awareness of ISMS, ITSM, privacy, and cybersecurity compliance requirements

Management Reporting & Executive Communication
- Prepare cybersecurity dashboards, scorecards, and management review presentations
- Create executive-level cybersecurity decks for leadership and management reviews
- Present security posture, risks, audit status, compliance metrics, and improvement plans to senior management
- Support Management Review Meetings with reports, metrics, and action tracking

Supplier & Third-Party Security Management
- Conduct supplier/vendor cybersecurity risk assessments and due diligence reviews
- Evaluate supplier security controls, compliance posture, and contractual obligations
- Track vendor compliance findings and remediation activities
- Collaborate with procurement and legal teams on third-party security governance

Contract & Security Review
- Review MSAs, SOWs, NDAs, RFPs, RFIs, and customer security requirements from a cybersecurity compliance perspective
- Provide security and compliance inputs during customer onboarding and procurement processes
- Ensure contractual alignment with regulatory and organizational cybersecurity requirements
- Support security questionnaires and customer assurance activities

Knowledge
- Information Security frameworks and standards: ISO 27001:2022, ISO 27701, ISO 20000, NIST CSF, SOC 2, HIPAA, PCI DSS, DPDP Act
- Risk management methodologies and audit practices
- Security governance and compliance management
- Third-party/vendor risk management
- Network and infrastructure security concepts
- Regulatory and contractual cybersecurity compliance requirements

Skills
- Governance of multiple security and compliance frameworks
- Enterprise risk assessment and mitigation planning
- Audit management and stakeholder coordination
- Policy and documentation management
- Vendor/supplier security assessment
- MSA, RFP, and contractual security review
- Cybersecurity reporting and dashboard preparation
- Executive presentation and management communication
- Strong analytical and problem-solving skills
- Excellent verbal and written communication
- Ability to manage cross-functional stakeholders

Tasks
- Review and analyse InfoSec requirements and advise on implementation
- Act as Change Approver for Information Security requirements
- Prepare and publish Advisory Notes, InfoSec Awareness mailers, etc.
- Develop and maintain documents (policies, procedures, templates) and records related to ISO 27001/27701, ISO 20000, NIST, SOC 2, HIPAA, PCI DSS, and DPDPA
- Create and periodically review policies, procedures, and templates
- Promote awareness of ISMS and ITSM
- Prepare audit schedules/plans, conduct internal audits periodically, publish reports, and track findings to closure
- Initiate necessary corrective and preventive actions
- Measure and monitor ISMS and ITSM process performance/KPIs periodically
- Prepare Management Review Meeting reports; plan, schedule, and conduct periodic Management Review Meetings
- Coordinate with the Certifying Body
- Represent management during external audits (certification and surveillance audits, client InfoSec audits, etc.)
- Ensure compliance of all functions with ISO 27001/27701, ISO 20000, NIST, SOC 2, HIPAA, and PCI DSS
- Report to top management on performance, opportunities for improvement, issues, non-conformities, audit reports, etc., related to ITSM and ISMS

Soft Skills
- Strong communication and report-writing skills
- Analytical and problem-solving ability
- Stakeholder management and teamwork
- Proficiency in MS Excel, Word, and PowerPoint
- Presentation and audit-handling skills
- Proactive mindset with strong ownership

Certifications (any two or more)
- ISMS LA/LI ISO 27001:2022
- PIMS LA/LI ISO 27701:2025
- ITSM LA/LI ISO 20000:2018
- CEH, CHFI, CISSP, or CISA

Education
Any Graduate in Information Technology

Experience
5 to 8 years of experience managing the Information Security framework of an organization
