Information Security Compliance Analyst

Stellar Hunters

Dhahran Compound

On-site

SAR 150,000 - 200,000

Full time

Today
Job summary

A leading security and risk consultancy is seeking an Information Security Compliance Analyst to support the development and maintenance of compliance programs. The ideal candidate will have over 3 years of experience in compliance or risk management, strong communication skills, and knowledge of security frameworks such as SOC 2 and ISO 27001. This full-time role is based in Dhahran Compound, Saudi Arabia, and offers competitive compensation and a comprehensive benefits package.

Benefits

Health insurance
Retirement plan options
Paid time off
Professional development opportunities

Qualifications

  • 3+ years of experience in information security compliance, audit, or risk management.
  • Practical knowledge of SOC 2, ISO 27001, NIST CSF, PCI-DSS.
  • Strong written and verbal communication skills.

Responsibilities

  • Implement and monitor information security compliance programs.
  • Manage internal compliance assessments and track remediation activities.
  • Support third-party security assessments and vendor risk management.

Skills

Information security compliance
Risk management
Communication skills
Attention to detail

Education

Bachelor’s degree in Information Security, Cybersecurity, or related field

Tools

GRC platforms
SIEM
Excel

Job description

We are seeking a detail-oriented and strategically minded Information Security Compliance Analyst to join our security and risk team. The ideal candidate will support the development, implementation, and maintenance of information security compliance programs, frameworks, and controls; ensure alignment with applicable regulatory and contractual requirements; and collaborate with IT, engineering, legal, and business stakeholders to reduce risk and demonstrate compliance. This role requires hands‑on compliance experience, strong knowledge of security frameworks and standards, excellent documentation skills, and the ability to communicate technical requirements to non‑technical audiences.

Key Responsibilities for Information Security Compliance Analyst

  • Implement, maintain, and monitor information security compliance programs and control frameworks (e.g., ISO 27001, NIST CSF, SOC 2, PCI‑DSS, HIPAA) to ensure ongoing alignment with regulatory, contractual, and business requirements.
  • Manage and execute internal compliance assessments, risk assessments, and control testing; document findings, track remediation activities, and verify corrective actions.
  • Support third‑party security assessments and vendor risk management processes, including intake questionnaires, evidence collection, review of results, and coordination of mitigation plans with vendors and internal stakeholders.
  • Coordinate and support external audits and certification efforts (e.g., SOC 2 audits, ISO certifications, regulatory reviews), serving as a primary point of contact for auditors and external assessors.
  • Develop, maintain, and update security policies, standards, procedures, and control matrices; ensure documentation is current, accessible, and mapped to applicable frameworks and requirements.
  • Collect, analyze, and report compliance metrics and status to security leadership and cross‑functional partners; prepare evidence packages and executive‑ready reports demonstrating control effectiveness and remediation progress.
  • Collaborate with Information Security, IT operations, engineering, legal, and business teams to interpret compliance requirements, integrate controls into processes and systems, and advise on remediation or compensating controls.
  • Stay informed of changes in privacy, security, and regulatory landscapes; evaluate impacts to the organization and recommend required updates to policies, controls, or compliance programs.
  • Provide training and awareness sessions for employees on security compliance topics, control responsibilities, and evidence collection best practices.

Required Qualifications – Skills & Experience

  • Bachelor’s degree in Information Security, Cybersecurity, Information Technology, Computer Science, Risk Management, or related field, or equivalent experience.
  • 3+ years of experience in information security compliance, audit, risk management, or related roles within technology‑driven or regulated organizations.
  • Practical knowledge of common security frameworks and standards (e.g., SOC 2, ISO 27001, NIST CSF, PCI‑DSS) and experience mapping controls to requirements.
  • Experience performing control testing, risk assessments, vendor security reviews, and preparing evidence for audits or certifications.
  • Strong written and verbal communication skills; ability to produce clear policy and procedure documentation and present compliance status to technical and non‑technical stakeholders.
  • Familiarity with security and compliance tooling (e.g., GRC platforms, SIEM, vulnerability management, ticketing/ITSM systems) and proficient with Excel or similar data analysis tools.
  • Excellent organizational skills and attention to detail, with the ability to manage multiple priorities, deadlines, and cross‑functional projects.

Preferred Qualifications – Certifications & Tools

  • Relevant certifications such as CISA, CISSP, ISO 27001 Lead Implementer/Auditor, CRISC, or similar are preferred.
  • Experience supporting SOC 2 or ISO 27001 audits, or leading vendor risk and third‑party assessment programs.
  • Familiarity with cloud security controls and compliance in AWS, Azure, or GCP, and experience working with DevOps/engineering teams to embed controls into CI/CD pipelines.
  • Prior experience with GRC platforms (e.g., RSA Archer, ServiceNow GRC, OneTrust, Drata) or automation of compliance evidence collection is a plus.

Work Environment & Compensation

  • Full‑time position with an onsite work model.
  • Competitive salary commensurate with experience and a comprehensive benefits package, including health insurance, retirement plan options, and paid time off.
  • Opportunities for professional development, continuing education support, and assistance with certification costs.
  • Collaborative and inclusive team culture committed to diversity, equity, and professional growth.