
Senior GRC Analyst
Posted May 12
This is a fully remote position, open to applicants in Canada.
• Take ownership of the compliance program roadmap, ensuring alignment of framework requirements (SOC 2, ISO 27001, ISO 27701, ISO 42001) with business goals and product strategy.
• Lead compliance initiatives across departments including Engineering, Product, Legal, and IT, acting as the primary authority on governance and risk issues.
• Develop and maintain Docker’s comprehensive control framework, including cross-mapping to NIST 800-53 and identifying control deficiencies across various standards.
• Plan and conduct internal audits from start to finish: defining scope, gathering evidence, testing controls, managing findings, and coordinating with external auditors.
• Provide guidance to GRC Engineering on appropriate integrations for configuring automated monitoring controls.
• Conduct and lead risk assessments across systems, processes, third-party tools, and cloud environments, converting findings into actionable risk treatment plans.
• Oversee the vendor risk management program, assessing third-party vendors against compliance and security standards while facilitating the remediation of identified deficiencies.
• Create, review, and update corporate security policies, aligning them with relevant control standards to ensure consistency across frameworks.
• Set and report on compliance metrics and KPIs, delivering data-driven insights into the program's maturity to leadership.
• Stay informed about evolving regulatory and industry standards (e.g., ISO 27xxx, SOC 2, GDPR, AI governance regulations) and proactively evaluate their impact on Docker’s compliance stance.
• 4 to 6 years of experience in Information Security, Governance, Risk, and Compliance.
• Proven experience in establishing or managing an enterprise risk management program, including conducting risk assessments, maintaining risk registers, and planning risk treatments.
• Experience in third-party risk management, encompassing vendor security evaluations and due diligence processes.
• Knowledge of security frameworks and standards such as ISO 27001, SOC 2, NIST 800-53, and GDPR.
• Understanding of AI governance concepts and emerging frameworks (ISO 42001, NIST AI RMF) or a proven ability to quickly learn and implement new frameworks.
• Experience in designing metrics and reporting for GRC programs, including dashboards and executive summaries.
• Familiarity with cloud platforms (AWS, GCP, Azure) and their associated risk and compliance considerations.
• Excellent written and verbal communication skills, with the capability to explain risk and compliance topics to both technical and non-technical audiences.
• A history of building and enhancing GRC programs from the ground up, including defining processes, creating documentation, and operationalizing workflows.
• Self-driven with a proven ability to thrive in remote-first, dynamic environments.
• Nice to Have: Relevant industry certifications such as CRISC, CISA, CISSP, or CCSK.
• Nice to Have: Experience with GRC platforms (Anecdotes, ServiceNow GRC, OneTrust, or similar).
• Nice to Have: Experience with automation or scripting for risk management processes.
• Freedom & flexibility; tailor your work to fit your life.
• Designated quarterly Whaleness Days plus an end-of-year Whaleness break.
• Home office setup; we prioritize your comfort while you work.
• 16 weeks of paid parental leave (after 6 months of employment).
• Technology stipend of $100 USD net per month.
• PTO plan that encourages you to take time for activities you enjoy.
• Training stipend for conferences, courses, and classes.
• Equity; as a growing start-up, we want all employees to share in our success.
• Docker Swag.
• Medical benefits, retirement, and holiday policies vary by country.
• Remote-first culture, with offices located in Seattle and Paris.