Key skills
AWSAzureCloudRepositorySaaSRisk ManagementCommunicationSales
About this role
Role Overview
- Receive, triage, and complete inbound GRC / security questionnaires submitted by existing and prospective clients as part of their vendor assessment and TPRM processes.
- Develop and maintain a master response library to accelerate questionnaire completion, covering areas such as data security, access controls, business continuity, incident response, and privacy.
- Coordinate with internal stakeholders (Engineering, Product, Operations, Legal) to gather accurate, up-to-date technical evidence and supporting documentation.
- Track questionnaire status, deadlines, and outcomes; maintain a central log and escalate blockers in a timely manner.
- Build relationships with client procurement, risk, and security contacts to manage ongoing TPRM obligations efficiently.
- Manage questionnaires that require formal documentary evidence — such as policies, audit reports (e.g. SOC 2, ISO 27001), penetration test summaries, data processing agreements, and certifications.
- Maintain a structured evidence repository, ensuring documents are current, version-controlled, and accessible for rapid submission.
- Identify gaps between client evidence requirements and the company's current documentation; work with the Head of Information Security and Compliance or relevant leads to close those gaps.
- Review information security, data protection, and compliance clauses within Master Service Agreements (MSAs) and other commercial contracts from clients and prospects.
- Identify obligations and requirements (e.g. audit rights, subprocessor notifications, breach notification timescales, data residency, encryption standards) and assess the company's ability to comply.
- Liaise with Legal counsel and the Head of Information Security and Compliance to flag materially onerous or non-standard terms; assist in drafting redlines and proposed alternative language where appropriate.
- Maintain a tracker of contractual information security obligations to ensure ongoing compliance post-signature.
- Design and operate a structured TPRM programme for the company's own vendors and sub-contractors who process client data or have access to company systems.
- Conduct initial and periodic risk assessments of vendors, including completion of security questionnaires, review of their compliance certifications, and assessment of contractual controls.
- Categorise vendors by risk tier and ensure appropriate due diligence is applied proportionate to the nature and sensitivity of the relationship.
- Maintain a vendor risk register, tracking assessment outcomes, remediation actions, and review schedules.
- Report on vendor risk posture to relevant internal stakeholders on a regular cadence.
Requirements
- Proven experience in a compliance, information security, GRC, or vendor risk management role, ideally within a SaaS, technology, or regulated industry context.
- Demonstrable experience completing complex security and GRC questionnaires (e.g. SIG, CAIQ, bespoke client questionnaires) and compiling supporting evidence packs.
- Familiarity with common information security frameworks and standards: ISO/IEC 27001, SOC 2, NIST CSF, CIS Controls, GDPR / data protection legislation.
- Experience reviewing and interpreting information security provisions in commercial contracts (MSAs, DPAs, SaaS agreements).
- Strong organisational skills — able to manage multiple concurrent questionnaires and workstreams, prioritise effectively, and meet deadlines.
- Excellent written and verbal communication skills, with the ability to translate technical security concepts for non-technical audiences (legal, sales, procurement).
- Proficiency in maintaining documentation, trackers, and evidence repositories; high attention to detail and accuracy.
- Relevant certification such as CISA, CRISC, CISSP, ISO 27001 Lead Implementer/Auditor, CIPP/E, or equivalent. (Bonus points)
- Experience working with or within enterprise clients in regulated sectors such as financial services, healthcare, or energy. (Bonus points)
- Familiarity with data residency requirements and cross-border data transfer mechanisms (SCCs, BCRs). (Bonus points)
- Experience using GRC platforms or questionnaire automation tools (e.g. OneTrust, Vanta, SecurityScorecard). (Bonus points)
- Understanding of SaaS product architectures and cloud environments (AWS, Azure) from a security and compliance perspective. (Bonus points)
- Experience managing sub-processor registers and responding to data subject rights requests. (Bonus points)
Tech Stack
- AWS
- Azure
- Cloud
Benefits
- Competitive salary
- Flexible working hours