Principal Analyst, Governance, Risk

Location: Vernon \ Los Angels, CA (Hybrid or Remote)

Type: Contract (conversion possible)

Department: IT / Information Security / GRC

Reports to: Director / Head, Governance, Risk & Compliance (GRC).

Collaboration: Finance, IT Infrastructure & Applications, Internal Audit, Legal/Privacy, Plant Operations, Supply Chain, HR.

Job Title

Principal Analyst, Governance, Risk & Compliance (GRC)

Company Overview

Our client is a leading U.S. designer and manufacturer of electrical distribution equipment used in data centers, the power grid and energy‑intensive industrial facilities. The Company specializes in manufacturing custom products that are “engineered‑to‑order” for technically demanding applications.

About the Role

Our client is hiring a hands‑on Principal GRC Analyst to execute and continuously improve our governance, risk, and compliance program across IT and OT environments. You will run day‑to‑day ISMS operations, drive SOX IT control execution, lead access certification cycles using a hybrid reviewer model, mature third‑party risk, and advance continuous control monitoring. This is a senior individual contributor role designed for candidates with 5–7 years of high‑impact GRC experience who can lead complex workstreams, mentor teammates, and coordinate vendors—without formal people management.

Key Responsibilities

Governance & ISMS Operations (ISO/IEC 27001)

Maintain the ISMS operating rhythm: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.

Draft, update, and socialize policies/standards/procedures (access control, change management, vulnerability management, secure SDLC, incident response, data retention/supplier security).

Prepare decision‑ready materials and follow‑ups for governance forums (Risk & Compliance Steering Committee, CAB, ISO Management Review).

Run risk identification, assessment (qualitative plus FAIR‑lite scenario estimates), treatment planning, and risk acceptance with accountable owners.

Maintain cross‑framework mappings (ISO 27001, NIST CSF/800‑53, CIS Controls, SOC 2) to ensure clear control coverage and traceability.

Third‑Party Risk (TPRM/VRM)

Execute risk‑tiered vendor due diligence, contractual security/privacy controls, onboarding/offboarding checks, continuous monitoring, and remediation with business owners and Procurement.

Align the program to ISO/IEC 27036 for supplier relationships and partner with Legal on DPAs, security addenda, and privacy clauses (e.g., CCPA/CPRA).

SOX ITGCs & Application Controls

Support ownership of SOX 404 controls across IAM, change management, computer operations, and key application controls: scoping, RCM upkeep, walkthroughs, testing, sampling, and remediation tracking across ERP (SAP/Oracle) and in‑scope apps.

Ensure audit‑ready evidence quality and timing SLAs; coordinate with Finance/Accounting on financial reporting risks.

Access Governance & Hybrid Reviewer Model

Lead quarterly user access certification campaigns using a hybrid reviewer model, including SoD analysis, exception handling, and revocation SLAs.

Align Joiner‑Mover‑Leaver (JML), privileged access, and emergency/firefighter access to policy and control objectives; integrate with IAM (e.g., SailPoint/Saviynt/Okta) and ticketing (Jira).

Tooling, Automation & CCM

Configure/administer GRC/IRM tooling (e.g., OneTrust, Drata/Vanta) and integrate with IAM, CMDB, SIEM, ticketing, and ERP for automated evidence and continuous control monitoring (CCM).

Build control analytics for access outliers, change exceptions, and segregation of duties (SoD) conflicts; publish dashboards and alerts.

Audits & Assurance

Execute internal audits (ISO 27001 clauses/Annex A, policy/process adherence) and coordinate external audits (SOX, ISO surveillance/certification, SOC 2 as applicable).

Perform walkthroughs, sample selection, operating effectiveness testing, issue documentation, and sustainable remediation verification.

Ensure incident response governance produces audit‑ready artifacts (playbooks, post‑incident reviews, root cause, corrective actions).

Partner with Legal/Privacy on data protection and records retention; align supplier agreements with privacy obligations.

Qualifications

Education

Bachelor’s degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred.

Experience

Progressive experience in IT Audit/Controls, GRC, or Information Security Risk, including executing ISO 27001 and SOX control activities.

Hands‑on ISMS work (SoA upkeep, internal audit coordination, corrective actions, awareness/training support).

SOX 404 involvement across IAM, change, computer operations, and application controls (RCM maintenance, testing, and remediation tracking) in ERP (SAP/Oracle) and key applications.

Practical use of GRC/IRM platforms (OneTrust, Drata/Vanta) and integrations with IAM (SailPoint/Saviynt/Okta), CMDB, SIEM, ti