The Governance, Risk and Compliance Manager (Security) specializes in third-party risk assessments, ISO27001 audits, SOC2 audits, and client-conducted risk assessments. The position plays a pivotal role in maintaining and enhancing PRGX's governance, risk and compliance framework.
Key Responsibilities:
ISO27001 Audits:
- Oversees the preparation, execution, and management of ISO27001 audits to assess the effectiveness of the organization's information security management system (ISMS).
- Works closely with internal stakeholders to address audit findings, implement corrective actions, and continuously improve the ISMS to meet ISO27001 standards.
- Serves as a subject matter expert on ISO27001 requirements and provides guidance and support to teams across the organization to ensure compliance.
SOC2 Audits:
- Manages the SOC2 audit process, including readiness assessments, evidence gathering, and coordination with auditors to facilitate successful SOC2 examinations.
- Develops and maintains SOC2 policies, controls, and documentation to demonstrate compliance with trust services criteria (security, availability, processing integrity, confidentiality, and privacy).
- Monitors and tracks remediation activities to address any identified gaps or deficiencies in SOC2 controls and ensure timely resolution.
Client-Conducted Risk Assessments:
- Completes client assessments of PRGX security controls to ensure all client concerns are addressed and they are comfortable providing data required for services.
- Acts as a liaison between clients and internal teams to address client inquiries, clarify requirements, and ensure the timely completion of risk assessment processes.
Compliance and Reporting:
- Keeps abreast of regulatory changes, industry trends, and emerging risks related to information security, privacy, and data protection.
- Prepares and delivers regular reports to senior management and stakeholders on the status of third-party risk assessments, ISO27001 audits, SOC2 audits, client-conducted risk assessments, and overall compliance initiatives.
- Collaborates with internal and external auditors to facilitate compliance audits and assessments as needed.
Third-Party Risk Assessment:
- Leads the evaluation and assessment of third-party vendors and partners to identify potential risks and ensure compliance with contractual obligations, industry standards, and regulatory requirements.
- Develops and maintains a comprehensive third-party risk management program, including risk assessment methodologies, risk identification, evaluation, and mitigation strategies.
- Collaborates with cross-functional teams, including Legal, Procurement, and IT Security, to establish and enforce third-party risk management policies and procedures.
Qualifications:
- Bachelor's degree in Information Security, Risk Management, Business Administration, or a related field (Master's degree preferred).
- Professional certifications such as CISA, CISSP, CISM, ISO27001 Lead Auditor, or equivalent.
- Proven experience (5+ years) in governance, risk, and compliance roles, with a focus on third-party risk management, ISO27001 audits, SOC2 audits, and client-conducted risk assessments.
- In-depth knowledge of relevant frameworks, standards, and regulations, including ISO27001, SOC2, GDPR, CCPA, etc.
- Strong analytical skills with the ability to assess complex risk scenarios and develop effective mitigation strategies.
- Excellent communication and interpersonal skills, with the ability to collaborate effectively with cross-functional teams, clients, and external stakeholders.
- Demonstrated leadership abilities with experience in managing audit processes, leading teams, and driving results.