Principal GRC Analyst-Remote

Role: Principal GRC Analyst (Governance, Risk & Compliance) (GRC) (Hands-on)Location: 100% Remote (It’s a bonus if they live in Los Angeles, near Vernon, CA), but remote is fine. ~10% travel to manufacturing plants, data centers, and corporate offices for audits, walkthroughs, and stakeholder workshops.Visa: USC or GC or GC EAD onlyDuration: +12 Months contractInterview: VideoBack open … new notes from the IT GRC Director. They want fresh candidates that are NOT “Audit focused.” Previous candidates were all audit focused; that’s not the right fit.Communication skills are EXTREMELY IMPORTANT - Clear, concise communication—able to translate technical risk for non‑technical stakeholders and produce executive‑ready contentForgent Power has purchased 3 other companies. Now, all the companies are margining into 1 entity. This GRC environment is still not fully built out yet … They need someone that has been in “under-developed environments or not fully built out environments”, to come in and Lead the build-out of Compliance programs, Risk programs and related. Someone that is great with ISO 27001, SOX and ISMS. {Required! Must send the Month and day of the Birthday & last 4 SSN with ALL submissions }Send LinkedIn LinksW2 only! 4-page max resumes…………MUST HAVE’s ………{ Make sure all this below is in the resume, in the job description for the last 9 years}Must have – Certifications: Must have at least 1 of these Certifications; ISO/IEC 27001 Lead Implementer or Internal Auditor, or CISA, CRISC, CISM/CISSP 9 + years’ experience as a Senior GRC Analyst (Governance, Risk & Compliance) going into lead-level experience in IT Audit/Controls, GRC, and Information Security Risk, including executing ISO 27001 and SOX control activities.7+ years Hands‑on ISMS work (SoA upkeep, internal audit coordination, corrective actions, awareness/training support).Maintain the ISMS operating programs: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.Draft, update, and socialize policies/standards/procedures Risk Management (IT & OT) - Maintain cross‑framework mappings (ISO 27001, NIST CSF/800‑53, CIS Controls, SOC 2) to ensure clear control coverage and traceability.5+ years’ experience in SOX 404 involvement across IAM, change management, computer operations, and application controls (RCM maintenance, testing, and remediation tracking) in ERP (SAP/Oracle) and key applications.Practical use of GRC/IRM platforms (OneTrust, Drata/Vanta) and integrations with IAM (SailPoint/Saviynt/Okta), CMDB, SIEM, ticketing, and vulnerability management tools.Below - Should be talked about in a least the first 2 most recent jobs on the resumeGovernance & ISMS Operations (ISO/IEC 27001)Maintain the ISMS operating rhythm: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.Draft, update, and socialize policies/standards/procedures (access control, change management, vulnerability management, secure SDLC, incident response, data retention/supplier security).Prepare decision‑ready materials and follow‑ups for governance forums (Risk & Compliance Steering Committee, CAB, ISO Management Review).Overview -We are a $1 Billion+ company and rapidly growing in the manufacturing sector, seeking an experienced Principal GRC Lead AnalystHiring a hands‑on Principal GRC Analyst to execute and continuously improve our governance, risk, and compliance program across IT and OT environments.You will run day‑to‑day ISMS operations, drive SOX IT control execution, lead access certification cycles using a hybrid reviewer model, mature third‑party risk, and advance continuous control monitoring.This is a senior individual contributor role designed for candidates with Senior and Principal years of high‑impact GRC experience who can lead complex workstreams, mentor teammates, and coordinate vendors—without formal people management.Key ResponsibilitiesGovernance & ISMS Operations (ISO/IEC 27001)Maintain the ISMS operating rhythm: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.Draft, update, and socialize policies/standards/procedures (access control, change management, vulnerability management, secure SDLC, incident response, data retention/supplier security).Prepare decision‑ready materials and follow‑ups for governance forums (Risk & Compliance Steering Committee, CAB, ISO Management Review).Risk Management (IT & OT)Run risk identification, assessment (qualitative plus FAIR‑lite scenario estimates), treatment planning, and risk acceptance with accountable owners.Maintain cross‑framework mappings (ISO 27001, NIST CSF/800‑53, CIS Controls, SOC 2) to ensure clear control coverage and traceability.Third‑Party Risk (TPRM/VRM)Execute risk‑tiered vendor due diligence, contractual security/privacy controls, onboarding/offboarding checks, continuous monitoring, and remediation with business owners and Procurement.Align the program to ISO/IEC 27036 for supplier relationships and partner with Legal on DPAs, security addenda, and privacy clauses (e.g., CCPA/CPRA).SOX ITGCs & Application ControlsSupport ownership of SOX 404 controls across IAM, change management, computer operations, and key application controls: scoping, RCM upkeep, walkthroughs, testing, sampling, and remediation tracking across ERP (SAP/Oracle) and in‑scope apps.Ensure audit‑ready evidence quality and timing SLAs; coordinate with Finance/Accounting on financial reporting risks.Access Governance & Hybrid Reviewer ModelLead quarterly user access certification campaigns using a hybrid reviewer model, including SoD analysis, exception handling, and revocation SLAs.Align Joiner‑Mover‑Leaver (JML), privileged access, and emergency/firefighter access to policy and control objectives; integrate with IAM (e.g., SailPoint/Saviynt/Okta) and ticketing (Jira).Tooling, Automation & CCMConfigure/administer GRC/IRM tooling (e.g., OneTrust, Drata/Vanta) and integrate with IAM, CMDB, SIEM, ticketing, and ERP for automated evidence and continuous control monitoring (CCM).Build control analytics for access outliers, change exceptions, and segregation of duties (SoD) conflicts; publish dashboards and alerts.Audits & AssuranceExecute internal audits (ISO 27001 clauses/Annex A, policy/process adherence) and coordinate external audits (SOX, ISO surveillance/certification, SOC 2 as applicable).Perform walkthroughs, sample selection, operating effectiveness testing, issue documentation, and sustainable remediation verification.Incident, BCP/DR & Privacy CollaborationEnsure incident response governance produces audit‑ready artifacts (playbooks, post‑incident reviews, root cause, corrective actions).Support BCP/DR governance (BIA updates, test planning/execution, lessons learned).Partner with Legal/Privacy on data protection and records retention; align supplier agreements with privacy obligations.EducationBachelor’s degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred.ExperienceProgressive experience in IT Audit/Controls, GRC, or Information Security Risk, including executing ISO 27001 and SOX control activities.Hands‑on ISMS work (SoA upkeep, internal audit coordination, corrective actions, awareness/training support).SOX 404 involvement across IAM, change, computer operations, and application controls (RCM maintenance, testing, and remediation tracking) in ERP (SAP/Oracle) and key applications.Practical use of GRC/IRM platforms (OneTrust, Drata/Vanta) and integrations with IAM (SailPoint/Saviynt/Okta), CMDB, SIEM, ticketing, and vulnerability management tools.Comfort with data/evidence: logs, configuration exports, ERP control parameters; Excel/Power BI/SQL for CCM or audit analytics is a plus.Certifications (Preferred)ISO/IEC 27001 Lead Implementer or Internal AuditorCISA, CRISC, CISM/CISSP ITIL Foundation; FAIR training Skills & CompetenciesStrong control design, documentation, and testing skills with precision in scoping and remediation tracking.Clear, concise communication—able to translate technical risk for non‑technical stakeholders and produce executive‑ready content.Influences without authority; collaborates with Finance, IT, Plant Ops, and external auditors.Continuous improvement mindset; balances compliance rigor with business sense.Travel & Work Environment~10% travel to manufacturing plants, data centers, and corporate offices for audits, walkthroughs, and stakeholder workshops.