Principal Analyst, Governance, Risk & Compliance (Grc)

Blackstone Talent Group, an award-winning technology consulting and talent agency is seeking a Principal Analyst, Governance, Risk & Compliance (GRC) to join our Client's team.

Our Client is hiring a hands?on Principal GRC Analyst to execute and continuously improve our governance, risk, and compliance program across IT and OT environments. You will run day?to?day ISMS operations, drive SOX IT control execution, lead access certification cycles using a hybrid reviewer model, mature third?party risk, and advance continuous control monitoring. This is a senior individual contributor role designed for candidates with 5–7 years of high?impact GRC experience who can lead complex workstreams, mentor teammates, and coordinate vendors—without formal people management.

Key Responsibilities

Governance & ISMS Operations (ISO/IEC 27001)

• Maintain the ISMS operating rhythm: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.
• Draft, update, and socialize policies/standards/procedures (access control, change management, vulnerability management, secure SDLC, incident response, data retention/supplier security).
• Prepare decision?ready materials and follow?ups for governance forums (Risk & Compliance Steering Committee, CAB, ISO Management Review).

Risk Management (IT & OT)

• Run risk identification, assessment (qualitative plus FAIR?lite scenario estimates), treatment planning, and risk acceptance with accountable owners.
• Maintain cross?framework mappings (ISO 27001, NIST CSF/800?53, CIS Controls, SOC 2) to ensure clear control coverage and traceability.

Third?Party Risk (TPRM/VRM)

• Execute risk?tiered vendor due diligence, contractual security/privacy controls, onboarding/offboarding checks, continuous monitoring, and remediation with business owners and Procurement.
• Align the program to ISO/IEC 27036 for supplier relationships and partner with Legal on DPAs, security addenda, and privacy clauses (e.g., CCPA/CPRA).

SOX ITGCs & Application Controls

• Support ownership of SOX 404 controls across IAM, change management, computer operations, and key application controls: scoping, RCM upkeep, walkthroughs, testing, sampling, and remediation tracking across ERP (SAP/Oracle) and in?scope apps.
• Ensure audit?ready evidence quality and timing SLAs; coordinate with Finance/Accounting on financial reporting risks.

Access Governance & Hybrid Reviewer Model

• Lead quarterly user access certification campaigns using a hybrid reviewer model, including SoD analysis, exception handling, and revocation SLAs.
• Align Joiner?Mover?Leaver (JML), privileged access, and emergency/firefighter access to policy and control objectives; integrate with IAM (e.g., SailPoint/Saviynt/Okta) and ticketing (Jira).

Tooling, Automation & CCM

• Configure/administer GRC/IRM tooling (e.g., OneTrust, Drata/Vanta) and integrate with IAM, CMDB, SIEM, ticketing, and ERP for automated evidence and continuous control monitoring (CCM).
• Build control analytics for access outliers, change exceptions, and segregation of duties (SoD) conflicts; publish dashboards and alerts.

Audits & Assurance

• Execute internal audits (ISO 27001 clauses/Annex A, policy/process adherence) and coordinate external audits (SOX, ISO surveillance/certification, SOC 2 as applicable).
• Perform walkthroughs, sample selection, operating effectiveness testing, issue documentation, and sustainable remediation verification.

Incident, BCP/DR & Privacy Collaboration

• Ensure incident response governance produces audit?ready artifacts (playbooks, post?incident reviews, root cause, corrective actions).
• Support BCP/DR governance (BIA updates, test planning/execution, lessons learned).
• Partner with Legal/Privacy on data protection and records retention; align supplier agreements with privacy obligations.

Qualifications

Education

Bachelor’s degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred.

Experience

• Progressive experience in IT Audit/Controls, GRC, or Information Security Risk, including executing ISO 27001 and SOX control activities.
• Hands?on ISMS work (SoA upkeep, internal audit coordination, corrective actions, awareness/training support).
• SOX 404 involvement across IAM, change, computer operations, and application controls (RCM maintenance, testing, and remediation tracking) in ERP (SAP/Oracle) and key applications.
• Practical use of GRC/IRM platforms (OneTrust, Drata/Vanta) and integrations with IAM (SailPoint/Saviynt/Okta), CMDB, SIEM, ticketing, and vulnerability management tools.
• Comfort with data/evidence: logs, configuration exports, ERP control parameters; Excel/Power BI/SQL for CCM or audit analytics is a plus.

Certifications (Preferred)

• ISO/IEC 27001 Lead Implementer or Internal Auditor
• CISA, CRISC, CISM/CISSP (any one is a plus)
• ITIL Foundation; FAIR training a plus

Skills & Competencies

• Strong control design, documentation, and testing skills with precision in scoping and remediation tracking.
• Clear, concise communication—able to translate technical risk for non?technical stakeholders and produce executive?ready content.
• Influences without authority; collaborates with Finance, IT, Plant Ops, and external auditors.
• Continuous improvement mindset; balances compliance rigor with business sense.

Travel & Work Environment

~10% travel to manufacturing plants, data centers, and corporate offices for audits, walkthroughs, and stakeholder workshops.

Security Clearance Required: N/ABlackstone Talent Group is a wholly owned subsidiary of Blackstone Technology Group, a global IT services and software firm that implements technological solutions across commercial industry verticals and the US Federal Government. Blackstone's global talent augmentation practice was founded in 1998. Blackstone Talent Group has offices in San Francisco, Denver, Houston, Colorado Springs, and Washington, DC. We specialize in providing clients the best talent across a variety of industries and sectors.EOE of Minorities/Females/Veterans/Disabilities