Senior GRC Consultant
Job Description
Note: Selected candidate will initially be based in India for 1 year and then relocate to UAE as per company requirement and business needs.
Key Responsibilities
• GRC Framework Implementation: Lead the design, implementation, and maintenance of comprehensive GRC frameworks for clients, integrating governance, risk management, and compliance activities across the organization.
• ISO 27001 Implementation: Conduct gap assessments, risk assessments, and Statement of Applicability (SoA) development for ISO 27001; draft and implement ISMS documentation, lead internal audits, and support clients through certification and surveillance audits.
• ISO 22301 Implementation: Implement and maintain Business Continuity Management Systems (BCMS) in accordance with ISO 22301, including business impact analysis, BIA, risk assessment, business continuity plans (BCP), incident response plans, and disaster recovery strategies.
• ISO 20000 Implementation: Implement and maintain Service Management Systems (SMS) per ISO 20000, including service level management, incident, problem, change, configuration, and release management processes, and integration with ITIL practices.
• ISO 27701 Implementation: Implement and maintain Privacy Information Management Systems (PIMS) as per ISO 27701, including privacy risk assessments, privacy policies, data subject rights management, and alignment with data protection regulations.
• Gap and Maturity Assessments: Conduct detailed gap assessments against ISO 27001, ISO 22301, ISO 20000, ISO 27701, and other relevant standards; identify control weaknesses; and develop practical remediation action plans.
• Risk Management: Lead comprehensive risk assessment exercises using ISO 27005, ISO 31000, or similar methodologies; develop and maintain risk registers; define risk treatment plans; and provide guidance on risk acceptance, mitigation, transfer, and avoidance.
• Compliance and Regulatory Alignment: Ensure GRC programs align with applicable regulatory frameworks such as GDPR, DPDPA, PCI DSS, HIPAA, NIST, UAE_IA, and other region-specific requirements, and support compliance reporting.
• Internal Audit and Testing: Conduct internal audits and control testing for ISMS, BCMS, SMS, and PIMS; develop audit programs and checklists; perform walk-throughs, sampling, and evidence collection; and prepare audit reports with findings and recommendations.
• Policy and Procedure Development: Create and review security, privacy, business continuity, service management, and GRC-related policies, procedures, standards, guidelines, and work instructions tailored to client environments.
• Client Engagement and Consulting: Engage with C-level executives, senior management, and cross-functional teams to understand business objectives, define GRC strategy, provide expert advisory, and deliver GRC implementation and advisory services.
• Training and Awareness: Develop and deliver targeted GRC training and awareness programs for management, IT and security teams, privacy officers, and business continuity coordinators.
• Certification Support: Serve as a lead implementer/consultant for ISO 27001, ISO 22301, ISO 20000, ISO 27701 certification audits; coordinate with certification bodies; prepare clients for successful audits and handle non-conformities.
• Reports and Metrics: Develop and maintain GRC dashboards, KPIs, KRIs, and management reports on the status of ISMS, BCMS, SMS, PIMS, risk posture, compliance status, and audit findings.
• GRC Tools and Platforms: Configure and use GRC tools, audit management platforms, risk management software, and spreadsheets to manage controls, risks, audits, and compliance tracking.
Qualifications
Experience
5–6 years of hands-on experience in GRC, information security management, risk management, and compliance, with demonstrable experience in implementing and maintaining ISO 27001, ISO 22301, ISO 20000, ISO 27701, and related frameworks for enterprise clients, preferably multinational organizations across multiple industries.
Certifications
Required:
• Certified Information Security Manager (CISM)
• ISO 27001 Lead Implementer or Lead Auditor (ISO/IEC 27001:2022)
Preferred:
• ISO 22301 Lead Implementer or Lead Auditor (ISO/IEC 22301:2019)
• ISO 20000 Lead Implementer or Lead Auditor (ISO/IEC 20000-1:2018)
• ISO 27701 Lead Implementer or Lead Auditor (ISO/IEC 27701:2019)
• Certified Information Systems Auditor (CISA)
• Certified in Risk and Information Systems Control (CRISC)
• Certified Data Privacy Solutions Engineer (CDPSE)
• Certified in the Governance of Enterprise IT (CGEIT) / GRCP
Technical Skills
• In-depth practical knowledge of ISO 27001, ISO 22301, ISO 20000, ISO 27701, including their clauses, controls, documentation, and certification processes
• Strong understanding of ISMS, BCMS, SMS, PIMS implementation life cycles, including gap assessment, risk assessment, documentation, implementation, internal audit, and certification support
• Experience in conducting risk assessments and building/maintaining risk registers aligned with ISO 27005 or similar methodologies
• Proficiency in developing and reviewing GRC documentation: policies, standards, procedures, SoA, risk treatment plans, BCP/DRP, service level agreements (SLAs), and incident response plans
• Hands-on experience with GRC tools, audit management platforms, and risk management software
• Knowledge of major data protection regulations (GDPR, DPDPA, CCPA, HIPAA, PCI DSS, UAE_IA, etc.) and their interaction with ISO standards
• Familiarity with business continuity planning, disaster recovery, and incident response frameworks
• Understanding of ITIL processes and service delivery management in alignment with ISO 20000
• Experience in internal and external audit coordination, preparation, and response
• Strong understanding of security and privacy controls mapping across ISO 27001, ISO 27701, and sector-specific requirements
Education
Bachelor’s degree in Information Security, Cybersecurity, Computer Science, Information Technology, Business Administration, or a related field (or equivalent professional experience in GRC and compliance roles).
Soft Skills
• Excellent consulting and client-facing skills with ability to present complex GRC concepts to management and technical teams
• Strong analytical and problem-solving skills to assess control environments and recommend practical improvements
• Excellent written and verbal communication skills for drafting reports, policies, slides, and conducting meetings
• Ability to manage multiple client engagements and projects simultaneously with strong time and task management
• Strong negotiation and influencing skills to drive GRC initiatives and secure stakeholder buy-in
• Detail-oriented mindset with emphasis on accuracy, completeness, and consistency in documentation and artifacts
• High level of professionalism, integrity, and confidentiality when handling sensitive information
Additional Requirements
• Demonstrated experience in end-to-end implementation of ISO 27001, ISO 22301, ISO 20000, and ISO 27701 for enterprise clients
• Experience working with multinational clients across different geographies and regulatory environments
• Understanding of maturity models and GRC maturity assessment approaches
• Ability to work independently as well as in a team environment on complex GRC engagements
• Willingness to occasionally travel to client sites or for certification-related activities
• Commitment to continuous learning and staying updated with new GRC standards, regulations, and best practices
• Knowledge of audit requirements, evidence collection, and non-conformity closure processes
Resume Information
How to Apply
To apply for this position, email your resume to [email protected]
Subject Line Format: FC_GRC_CONSULTANT_[YOUR FULL NAME]_RESUME
Resume Requirements
Your resume must include the following information:
• Last Company Details: Name of your most recent employer, duration of employment (in years/months), job title, and brief description of your GRC responsibilities and projects
• ISO Implementation Experience: Detailed experience with ISO standards:
• ISO 27001 (implementation and/or audit)
• ISO 22301 (implementation and/or audit)
• ISO 20000 (implementation and/or audit)
• ISO 27701 (implementation and/or audit)
• For each, mention the number of projects, type of client (industry), and your role (lead implementer, auditor, consultant, etc.)
• Other Frameworks and Regulations: Experience with:
• Other relevant standards (e.g., NIST, ITIL, COBIT, PCI DSS, HIPAA, GDPR, DPDPA, UAE_IA, etc.)
• Regulatory and compliance frameworks applicable in your region and client base
• Client Profile: Industries and types of clients worked with (e.g., BFSI, healthcare, IT/ITeS, manufacturing, energy, government, etc.)
• GRC Tools and Platforms: List of GRC, audit, risk, and compliance tools used (e.g., spreadsheets, GRC platforms, audit software, risk registers, etc.)
• Certifications: List all relevant GRC and security certifications:
• Certification name (e.g., CISM, CISA, CRISC, ISO Lead Implementer/Auditor, etc.)
• Issuing body (e.g., ISACA, PECB, BSI, etc.)
• Year obtained and validity status
• Certification ID (if applicable)
• Education: Degree details including discipline, specialization, institution, and year of completion
• Project Portfolio (High-Level): Brief highlights of key GRC/ISO projects delivered, including:
• Standard implemented or audited (e.g., ISO 27001, ISO 22301, etc.)
• Client industry and size (e.g., large enterprise in BFSI)
• Key achievements and outcomes (e.g., successful certification, maturity improvement, audit closure)
• Passport Size Photograph: A recent passport size photograph must be included on your resume (mandatory requirement)
Incomplete applications or resumes missing any of the above requirements will not be considered for evaluation.
Job Type: Full-time
Pay: ₹300,000.00 - ₹800,000.00 per year
Work Location: In person
