Own the vendor and third-party risk lifecycle for a fast-scaling tech company, while supporting the wider GRC programme across ISMS, privacy, and compliance.
Third-Party Risk (Champion) — Own the full vendor risk lifecycle: due diligence, security questionnaires, risk rating, contractual safeguards (DPAs, security schedules), and ongoing monitoring. Maintain the supplier register and drive reassessment cadence based on criticality.
Supplier Assurance — Track fourth-party dependencies and concentration risk across critical suppliers, aligning oversight with DORA ICT third-party requirements and ISO 27001 supplier controls.
ISMS & Audit Readiness — Support policy maintenance, control mapping, and evidence collection to keep the Statement of Applicability (SoA) current and audit-ready across the entities and clients you cover.
Risk Management & RCSA — Execute risk assessments using an ISO 31000-aligned methodology and contribute to Risk & Control Self-Assessment workshops and remediation tracking.
Privacy Operations — Support RoPA maintenance, DPIAs, and data subject requests — with a focus on processor and controller arrangements with vendors and group entities.
Governance Reporting — Prepare third-party risk materials for governance committees and keep registers accurate, visible, and current.
Requirements
Solid GRC grounding — A proven track record in GRC, IT audit, vendor risk, or information security, with hands-on third-party/supplier risk responsibility.
Third-party risk proficiency — Practical experience running vendor due diligence, security questionnaires (SIG, CAIQ, or equivalent), and contractual risk review.
Framework knowledge — Working knowledge of ISO/IEC 27001:2022 supplier controls, ISO 31000, and GDPR processor obligations; familiarity with DORA third-party requirements is a plus.
Independent thinker — You go beyond the checklist — you understand the why behind a control, spot gaps, and propose improvements without being prompted.
Pragmatic compliance mindset — You see GRC as a business enabler, not a blocker, and know how to balance rigor with momentum.
Clear communicator — Precise, confident writing across questionnaires, risk memos, and supplier-facing responses that need minimal oversight.