Job Description: Business Analyst, Governance, Risk & Compliance (GRC) Specialist (6-Month Contract)
Reports to: Risk Controls & Compliance Lead
Contract: 6 months (with potential to extend based on outcomes)
Role Purpose
Drive audit readiness and uplift governance, risk, and compliance practices across the security program. You'll lead the preparation for NIST 2.0, streamline evidence collection, and design automation to enhance the consistency and efficiency of controls—especially those aligned to JSOX/SOX and the Essential Eight.
Key Outcomes
- Audit-ready posture: Clear, complete, traceable evidence sets and control operation narratives for internal/external review.
- Automation-first compliance: Repeatable, technology-enabled control testing and evidence capture that reduces manual effort and error.
- Actionable risk remediation: Prioritized findings, tracked remediation, and validated corrective actions with measurable improvements.
Core Responsibilities
Assessment & Gap Analysis
- Plan and perform control testing across NIST 800-series/NIST 2.0, SOX/JSOX, and Essential Eight requirements.
- Run a pre-audit readiness review for NIST 2.0, highlighting gaps, risks, and pragmatic remediation paths.
- Map regulatory/standard requirements to technical controls and operational processes.
Evidence & Audit Support
- Assemble and maintain audit artifacts: procedures, walkthroughs, test results, control descriptions, and evidence logs.
- Facilitate auditor interactions and stakeholder walkthroughs; ensure accuracy, completeness, and traceability.
Automation & Process Improvement
- Identify manual control steps suitable for automation; design and implement technology-enabled workflows.
- Build or enhance scripts/workflows/dashboards for control monitoring and evidence capture.
- Improve risk registers and reporting cadence; uplift alignment to the Risk Management Framework.
Remediation & Governance
- Track findings through to closure; verify corrective actions and sustainability of fixes.
- Maintain clear documentation standards (templates, versioning, lineage) for repeatable audits.
Skills & Experience
- Framework Expertise: Hands-on exposure to NIST (incl. 2.0) or ISO/IEC 27001; experience implementing or auditing security frameworks.
- Controls & Tooling: Familiarity with SIEM, endpoint management, GRC platforms, and audit management systems.
- Requirements & Mapping: Strong ability to interpret regulatory controls and translate them into technical and process controls.
- Delivery Methods: Comfortable operating in Agile and Waterfall environments; able to tailor artifacts and ceremonies accordingly.
- Tool Proficiency: Microsoft 365, Jira, Confluence, and process modelling (e.g., Visio).
- Stakeholder Engagement: Clear communicator with the ability to collaborate across business, engineering, and senior leadership.
Ways of Working / Competencies
- Team-first, versatile: Willing to lean in and support adjacent workstreams.
- Outcome-driven & meticulous: Strong documentation, traceability, and evidence hygiene.
- Proactive risk management: Early identification of issues; options-led escalation with crisp recommendations.
Success Measures (Indicative)
- Pre-audit assessment completed with documented gaps, risk ratings, and remediation plans.
- Automated workflows implemented for priority controls/evidence capture, reducing manual effort and cycle time.
- Audit artifacts delivered on time with minimal rework; findings tracked to closure and validated.
What You'll Work With (Examples)
- Frameworks: NIST 800-series/NIST 2.0, SOX/JSOX, Essential Eight.
- Platforms: SIEM and endpoint tools, GRC/audit systems, Microsoft 365, Jira/Confluence.
- Artifacts: Control catalogs, test plans, walkthrough scripts, evidence repositories, remediation trackers.