Governance, Risk & Compliance - Lead

How will you contribute?

• ISMS Governance & Controls Assurance
• Lead the maintenance and continuous improvement of Smarsh’s ISO 27001-aligned ISMS.
• Oversee the control assurance programme, ensuring robust evidence collection, control testing, and continuous monitoring.
• Own key internal and external audit workstreams, including SOC 2, ISO 27001, FedRAMP and customer audits.

• 
  Cybersecurity Risk Management
• Drive the risk assessment lifecycle, embedding business, technical, and supply chain risk perspectives.
• Enhance risk methodologies and tools, integrating real-time risk metrics into dashboards and governance forums.
• Support risk acceptance processes and facilitate cross-functional remediation plans.

• 
  Regulatory, Contractual & Client Assurance
• Monitor emerging regulations (e.g. DORA, SEC, UK AI Act) and translate them into actionable internal obligations.
• Manage customer security assessments and DDQs, enabling frictionless trust through reusable assurance artefacts.
Coordinate timely, high-quality client responses and external assurance artefacts.

• Third-Party & Supply Chain Risk
• Lead third-party security reviews and ensure governance controls are extended across the vendor lifecycle.
• Partner with Procurement and Legal to align contractual security requirements and risk acceptance criteria.

• 
  Policy Governance & Stakeholder Reporting
• Maintain the InfoSec policy lifecycle and track compliance across business units.
• Develop and maintain security governance metrics and reporting for the CISO and wider executive team.
• Support the operation of governance forums and steering committees.

• 
  Security Awareness & Culture
• Deliver targeted security training and awareness campaigns aligned to regulatory and business needs.
• Promote a security-aware culture of governance accountability and enablement across teams.

• 
  GRC Operations & Enablement
• Own and refine core GRC workflows, including documentation, issue tracking, evidence management, and status reporting.
• Maintain and expand GRC tooling integrations, ensuring high-quality automation and reporting outputs.

What will you bring?

• 7–10 years’ experience in security governance, risk, or compliance roles within SaaS or regulated industries.
• Strong track record operationalising ISMS frameworks, managing control assurance, and supporting external audits.
• Hands-on experience with GRC platforms, security metrics reporting, and risk assessments.
• Proven ability to work across business, engineering, and legal teams to embed governance effectively.
• Familiarity with modern regulatory landscapes and frameworks such as ISO 27001, SOC 2, GDPR, DORA, FedRAMP and SEC Cyber rules.
• Strong communication skills, with the ability to create executive-level reporting and artifacts.
• Experience leading client assurance programmes or third-party risk management.
• Professional certifications (CISA, CISM, ISO 27001 LA, CISSP, CRISC) preferred.