$4,500.00 Fixed
The Business Problem
Our business is facing a critical compliance and operational risk: we cannot effectively prove our security posture for audits, and we have no formal plan for responding to a security incident. We lack a centralized system for collecting audit evidence, and our ad-hoc approach to incident response is chaotic and ineffective. This exposes us to legal penalties and reputational damage, and would cause significant business disruption if we were ever breached. We need an expert to build a foundational framework for governance, risk, and compliance (GRC) and an actionable incident response plan.
Required Actions & Scope of Work
We need a skilled professional to build and document a comprehensive GRC and incident response framework. The following actions are required:
- Compliance Gap Analysis: Conduct a thorough analysis of our current security controls against key compliance standards (e.g., SOC 2, ISO 27001). This includes reviewing our current policies and identifying all deficiencies.
- GRC Framework Design: Architect a formal GRC framework to automate evidence collection and management. This framework must enable us to generate a comprehensive audit report for any security control within a 48-hour window.
- Incident Response Plan Creation: Design a detailed and actionable Incident Response Plan (IRP). This document must outline roles and responsibilities, communication protocols, and step-by-step procedures for managing a security breach from detection to recovery.
- Documentation & Policy Creation: Write clear security policies and procedures that all employees can understand and follow. This includes a runbook for operating the GRC framework and a formal IRP document.
About the Ideal Candidate
We are looking for a highly organized and strategic GRC & Incident Response Architect. You must be a skilled planner with a deep understanding of compliance regulations and the ability to translate complex requirements into practical, documented procedures. You will be responsible for building the foundation of our long-term security governance.
Skills & Qualifications
- Technical Skills: Deep knowledge of GRC frameworks (NIST, ISO 27001) and compliance standards like SOC 2 and GDPR. Proven experience in designing and documenting Incident Response Plans. Familiarity with GRC platforms and security information and event management (SIEM) tools is highly valued.
- Soft Skills: Exceptional documentation and technical writing skills. Strong attention to detail and a methodical approach. Excellent communication skills to train and guide our internal team.
Post-Project Support
After the final documents are delivered, we require a 14-day support period. During this time, you will be available to answer questions from our internal team about the GRC framework and the IRP, and to provide guidance on the initial steps of implementation.
- United States
- Proposal: 0
- Verified
- Less than a month
