Job Description
Position Details: Location: Vernon Los Angels, CA (Hybrid or Remote) Type: Contract (conversion possible) Department: IT / Information Security / GRC Reports to: Director / Head, Governance, Risk & Compliance (GRC). Collaboration: Finance, IT Infrastructure & Applications, Internal Audit, Legal/Privacy, Plant Operations, Supply Chain, HR. Job Title Principal Analyst, Governance, Risk & Compliance (GRC) Company Overview Our client is a leading U.S. designer and manufacturer of electrical distribution equipment used in data centers, the power grid and energy-intensive industrial facilities. The Company specializes in manufacturing custom products that are âengineered-to-orderâ for technically demanding applications. About the Role Our client is hiring a handsâon Principal GRC Analyst to execute and continuously improve our governance, risk, and compliance program across IT and OT environments. You will run dayâtoâday ISMS operations, drive SOX IT control execution, lead access certification cycles using a hybrid reviewer model, mature thirdâparty risk, and advance continuous control monitoring. This is a senior individual contributor role designed for candidates with 5â7 years of highâimpact GRC experience who can lead complex workstreams, mentor teammates, and coordinate vendorsâwithout formal people management. Key Responsibilities Governance & ISMS Operations (ISO/IEC 27001) ⢠Maintain the ISMS operating rhythm: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness. ⢠Draft, update, and socialize policies/standards/procedures (access control, change management, vulnerability management, secure SDLC, incident response, data retention/supplier security). ⢠Prepare decisionâready materials and followâups for governance forums (Risk & Compliance Steering Committee, CAB, ISO Management Review). Risk Management (IT & OT) ⢠Run risk identification, assessment (qualitative plus FAIRâlite scenario estimates), treatment planning, and risk acceptance with accountable owners. ⢠Maintain crossâframework mappings (ISO 27001, NIST CSF/800â53, CIS Controls, SOC 2) to ensure clear control coverage and traceability. ThirdâParty Risk (TPRM/VRM) ⢠Execute riskâtiered vendor due diligence, contractual security/privacy controls, onboarding/offboarding checks, continuous monitoring, and remediation with business owners and Procurement. ⢠Align the program to ISO/IEC 27036 for supplier relationships and partner with Legal on DPAs, security addenda, and privacy clauses (e.g., CCPA/CPRA). SOX ITGCs & Application Controls ⢠Support ownership of SOX 404 controls across IAM, change management, computer operations, and key application controls: scoping, RCM upkeep, walkthroughs, testing, sampling, and remediation tracking across ERP (SAP/Oracle) and inâscope apps. ⢠Ensure auditâready evidence quality and timing SLAs; coordinate with Finance/Accounting on financial reporting risks. Access Governance & Hybrid Reviewer Model ⢠Lead quarterly user access certification campaigns using a hybrid reviewer model, including SoD analysis, exception handling, and revocation SLAs. ⢠Align JoinerâMoverâLeaver (JML), privileged access, and emergency/firefighter access to policy and control objectives; integrate with IAM (e.g., SailPoint/Saviynt/Okta) and ticketing (Jira). Tooling, Automation & CCM ⢠Configure/administer GRC/IRM tooling (e.g., OneTrust, Drata/Vanta) and integrate with IAM, CMDB, SIEM, ticketing, and ERP for automated evidence and continuous control monitoring (CCM). ⢠Build control analytics for access outliers, change exceptions, and segregation of duties (SoD) conflicts; publish dashboards and alerts. Audits & Assurance ⢠Execute internal audits (ISO 27001 clauses/Annex A, policy/process adherence) and coordinate external audits (SOX, ISO surveillance/certification, SOC 2 as applicable). ⢠Perform walkthroughs, sample selection, operating effectiveness testing, issue documentation, and sustainable remediation verification. Incident, BCP/DR & Privacy Collaboration ⢠Ensure incident response governance produces auditâready artifacts (playbooks, postâincident reviews, root cause, corrective actions). ⢠Support BCP/DR governance (BIA updates, test planning/execution, lessons learned). ⢠Partner with Legal/Privacy on data protection and records retention; align supplier agreements with privacy obligations. Qualifications Education ⢠Bachelorâs degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred. Experience ⢠Progressive experience in IT Audit/Controls, GRC, or Information Security Risk, including executing ISO 27001 and SOX control activities. ⢠Handsâon ISMS work (SoA upkeep, internal audit coordination, corrective actions, awareness/training support). ⢠SOX 404 involvement across IAM, change, computer operations, and application controls (RCM maintenance, testing, and remediation tracking) in ERP (SAP/Oracle) and key applications. ⢠Practical use of GRC/IRM platforms (OneTrust, Drata/Vanta) and integrations with IAM (SailPoint/Saviynt/Okta), CMDB, SIEM, ticketing, and vulnerability management tools. ⢠Comfort with data/evidence: logs, configuration exports, ERP control parameters; Excel/Power BI/SQL for CCM or audit analytics is a plus. Certifications (Preferred) ⢠ISO/IEC 27001 Lead Implementer or Internal Auditor ⢠CISA, CRISC, CISM/CISSP (any one is a plus) ⢠ITIL Foundation; FAIR training a plus Skills & Competencies ⢠Strong control design, documentation, and testing skills with precision in scoping and remediation tracking. ⢠Clear, concise communicationâable to translate technical risk for nonâtechnical stakeholders and produce executiveâready content. ⢠Influences without authority; collaborates with Finance, IT, Plant Ops, and external auditors. ⢠Continuous improvement mindset; balances compliance rigor with business sense. Travel & Work Environment ⢠~10% travel to manufacturing plants, data centers, and corporate offices for audits, walkthroughs, and stakeholder workshops. ⢠Compensation & Benefits ⢠Competitive base salary and bonus. Comprehensive benefits package. Blackstone Talent Group is a wholly owned subsidiary of Blackstone Technology Group, a global IT services and software firm that implements technological solutions across commercial industry verticals and the US Federal Government. Blackstone's global talent augmentation practice was founded in 1998. Blackstone Talent Group has offices in San Francisco, Denver, Houston, Colorado Springs, and Washington, DC. We specialize in providing clients the best talent across a variety of industries and sectors.