
Senior GRC Analyst
Posted 1 day ago

• Take ownership of and drive the compliance program roadmap, ensuring that framework requirements (SOC 2, ISO 27001, ISO 27701, ISO 42001) align with business objectives and product strategies.
• Lead cross-functional compliance initiatives involving Engineering, Product, Legal, and IT, acting as the primary authority on governance and risk issues.
• Develop and maintain Docker’s unified control framework, including cross-mapping to NIST 800-53 and identifying control deficiencies across various standards.
• Plan and conduct comprehensive internal audits from beginning to end: scoping, evidence collection, control testing, findings management, and coordination with external auditors.
• Provide guidance to GRC Engineering on proper integrations for configuring controls that require automated monitoring.
• Execute and oversee risk assessments across systems, processes, third-party tools, and cloud configurations, converting findings into actionable risk treatment strategies.
• Manage the vendor risk management program by assessing third-party vendors against compliance and security standards and facilitating the remediation of identified vulnerabilities.
• Create, review, and maintain corporate security policies, mapping them to relevant control standards to ensure alignment across frameworks.
• Establish and report on compliance metrics and KPIs, delivering data-driven insights into program maturity to leadership.
• Stay updated on evolving regulatory and industry standards (e.g., ISO 27xxx, SOC 2, GDPR, AI governance regulations) and proactively evaluate their implications for Docker’s compliance posture.
• 4 to 6 years of experience in Information Security, Governance, Risk, and Compliance.
• Proven experience in developing or managing an enterprise risk management program, including risk assessments, risk registers, and risk treatment strategies.
• Experience in third-party risk management, encompassing vendor security assessments and due diligence processes.
• Familiarity with security frameworks and standards, including ISO 27001, SOC 2, NIST 800-53, and GDPR.
• Understanding of AI governance concepts and emerging frameworks (ISO 42001, NIST AI RMF) or a demonstrated capability to quickly learn and apply new frameworks.
• Experience in designing metrics and reporting for GRC programs, including dashboards and executive summaries.
• Knowledge of cloud environments (AWS, GCP, Azure) and their implications for risk and compliance.
• Excellent written and verbal communication skills, with the ability to convey risk and compliance topics to both technical and non-technical audiences.
• Proven history of building and advancing GRC programs from the ground up, including defining processes, creating documentation, and operationalizing workflows.
• Self-driven with experience succeeding in remote-first, fast-paced settings.
• Nice to Have: Relevant industry certifications such as CRISC, CISA, CISSP, or CCSK.
• Nice to Have: Experience with GRC platforms (Anecdotes, ServiceNow GRC, OneTrust, or similar).
• Nice to Have: Experience with automation or scripting for risk management workflows.
• Freedom & flexibility; tailor your work to fit your life.
• Designated quarterly Whaleness Days and an end-of-year Whaleness break.
• Home office setup; we prioritize your comfort while you work.
• 16 weeks of paid parental leave (after 6 months of employment).
• Technology stipend equivalent to $100 USD net/month.
• PTO plan that encourages you to take time for activities you enjoy.
• Training stipend for conferences, courses, and classes.
• Equity; as a growing start-up, we want all employees to share in the company’s success.
• Docker Swag.
• Medical benefits, retirement, and holidays vary by country.
• Remote-first culture, with offices located in Seattle and Paris.