GRC Expert

Job Description: Governance, Risk & Compliance (GRC) Expert

Position Summary

The GRC Expert will be a strategic contributor responsible for designing, implementing, and maintaining comprehensive governance, risk, and compliance frameworks across the organization. This role bridges the gap between technical security measures and business objectives while ensuring alignment with regulatory requirements including SEBI CSCRF, RBI guidelines, DPDP Act, and industry best practices. The successful candidate will manage internal audits, regulatory compliance, governance frameworks, security awareness programs, and third-party risk assessments.

Required Qualifications

Experience

• Minimum 5-6 years of experience in cybersecurity, GRC, compliance, or risk management roles
• Minimum 3+ years of experience working in the BFSI sector (banking, insurance, financial services, fintech)
• Demonstrated experience with:
• Internal audit planning, execution, and reporting
• Regulatory compliance and governance framework development
• Third-party risk assessment and vendor management
• Security awareness program design and delivery
• Regulatory requirement mapping and control design
• Incident response and breach management

Key Responsibilities

Internal Governance & Policy Framework (25%)

• Design, develop, and maintain organization-wide governance policies, standards, and procedures
• Create and update information security governance frameworks aligned with organizational objectives and regulatory requirements
• Establish metrics, KPIs, and dashboards to monitor governance effectiveness
• Conduct governance gap assessments and recommend improvements to strengthen the control environment
• Ensure alignment between IT governance, business objectives, and regulatory compliance requirements

Regulatory Governance & Compliance (20%)

• Monitor regulatory developments from RBI, SEBI, data protection authorities, and industry regulators
• Assess impact of regulatory changes on organizational processes, systems, and controls
• Map regulatory requirements to internal controls and maintain requirement-control matrices
• Ensure compliance with SEBI CSCRF, RBI guidelines on cybersecurity, DPDP Act, and other applicable regulations
• Prepare regulatory submissions, compliance certifications, and attestations as required
• Maintain compliance calendars and ensure timely completion of regulatory requirements

Audit Management (20%)

• Plan, coordinate, and execute internal audit activities across Cyber, Technology, infrastructure, applications, and business processes
• Develop and maintain audit schedules aligned with regulatory calendars and organizational risk priorities
• Conduct risk-based audit procedures and validation testing in compliance with NIST, CIS, and ISO 27001 standards
• Track and monitor audit findings closure with timelines and accountability assignment
• Coordinate with external auditors (internal audit teams, external audit firms, regulators) and provide necessary documentation
• Document audit evidence and maintain audit trails for regulatory review
• Develop and maintain audit checklists, programs, and templates aligned with regulatory requirements

Third-Party Risk Management & Assessment (20%)

• Develop and maintain third-party risk assessment frameworks and questionnaires
• Conduct security assessments of vendors, outsourcing partners, and service providers
• Evaluate third-party compliance with organizational security standards and regulatory requirements
• Maintain vendor assessment scorecards and risk ratings
• Recommend remediation actions and monitor vendor compliance improvement
• Manage third-party security incidents and breach notifications
• Conduct periodic re-assessments of critical vendors (annual/biennial)
• Maintain vendor risk inventory and escalate high-risk vendors to management

Security Awareness & Training (15%)

• Design and develop comprehensive security awareness and training programs aligned with regulatory requirements
• Create and deliver role-specific training modules covering:
• Data protection and privacy (DPDP Act awareness)
• Incident response procedures
• Phishing and social engineering awareness
• Acceptable use policies
• Regulatory compliance requirements
• Email security (DMARC, SPF, DKIM configuration awareness)
• Conduct quarterly awareness campaigns and measure effectiveness through phishing simulations and assessments
• Maintain training records and compliance documentation for audit purposes
• Develop and maintain training materials (videos, presentations, documentation)
• Track training completion and escalate non-compliance to management

Education & Certifications

• Bachelor’s degree in information technology, Cybersecurity, Business Administration, or related field
• Required Certifications (any One of the following):
• ISO 27001 Lead Implementer/Lead Auditor
• CISA (Certified Information Systems Auditor)
• CISSP (Certified Information Systems Security Professional)