1Password is a leading cybersecurity company focused on building a safe and productive digital future. They are seeking a Senior Security Engineer – GRC Controls and Audit to lead compliance audit programs, ensuring effective control testing and evidence collection while improving audit processes through automation.
Responsibilities:
- Own and lead technical audit walkthroughs across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701 programs — preparing control owners, surfacing the right evidence, and serving as the primary technical liaison with external auditors
- Define and maintain the evidence library — what good evidence looks like for each control domain, where it lives in source systems, and how it maps to the SOC 2 Trust Services Criteria
- Execute deep-dive control testing and gap analysis across the Unified Control Framework (UCF), identifying design and operating effectiveness gaps before external testing and driving remediation with clear ownership
- Drive continuous evidence library maturity — shifting GRC from reactive, point-in-time evidence collection toward proactive, continuously-maintained audit-ready artifacts
- Partner cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence workflows at the source
- Contribute to policy, standards, and baseline development with an eye toward auditability and testability — requirements that control owners can implement and auditors can test
- Apply AI tools to accelerate control narrative drafting, framework cross-mapping, and audit prep — with clear discipline around validation and when human judgment is required
- Mentor A–B level GRC team members on audit methodology, control design, and evidence quality standards
Requirements:
- 5+ years of experience in GRC, compliance, or audit, with a meaningful portion spent as an auditor — public accounting, Big 4, boutique audit firm, or a rigorous internal audit function
- Deep hands-on experience with SOC 2 Type II; strong working knowledge of ISO 27001 and related standards (27017, 27018, 27701)
- Demonstrated experience leading technical audit walkthroughs with external auditors and preparing control owners for those interactions — not just coordinating evidence collection
- The ability to define what 'good evidence' looks like for each control domain: where it lives in source systems (Drata, Kolide, Trelica/SaaS Manager, HRIS, endpoint tooling, cloud infrastructure), how it maps to the SOC 2 Trust Services Criteria, and how it must be formatted to satisfy auditor scrutiny
- Proven ability to design and execute control testing — writing test procedures, assessing operating effectiveness, documenting exceptions, and tracking remediation to closure
- Ability to work cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence collection workflows at the source
- Strong written and verbal communication skills — you've personally authored control narratives, audit-ready documentation, and compliance reports, and you can run a live auditor walkthrough without notes
- Experience with compliance automation platforms (Drata, Vanta, Secureframe, or equivalent) at a level where you can connect automated evidence to specific control requirements, not just use the dashboard
- A builder's instinct — you look at manual, repetitive GRC processes and ask whether they can be automated or AI-assisted, and you bring specific proposals, not just observations
- CPA, CIA, CISA, or CISSP certification
- Audit or compliance experience in a cloud-native SaaS product environment, including evidence collection from cloud infrastructure and MDM/endpoint tooling
- Experience building or improving continuous control monitoring capabilities
- Familiarity with EU AI Act, NIST AI RMF, or AI governance frameworks — increasingly relevant as 1Password governs access for AI agents alongside human users
- Experience with vendor risk assessments — reviewing SOC 2 reports, evaluating third-party compliance documentation, and advising on vendor risk posture