GRC Analyst

Job Description

Job Description

About the Role
Merci Technologies is seeking a GRC Analyst to support the governance, risk, and compliance program for one of our enterprise clients. This role sits at the intersection of security, audit, and business operations, translating complex regulatory and framework requirements into practical controls that teams can actually implement and sustain. You will be the person who knows where the control gaps are, what the auditors are going to ask for, and how to keep the organization audit-ready year round rather than scrambling at assessment time.

The work is varied and visible. In a given month you might run a control assessment against NIST CSF, prepare evidence for a SOC 2 examination, complete a vendor risk review for a new SaaS purchase, and brief stakeholders on the status of open findings. You will maintain the policy library, track risk to closure, and act as a trusted advisor to engineering and business teams who need to understand what compliance requires of them. This is a strong fit for someone who is organized, detail-driven, and comfortable holding teams accountable to commitments. This is a fully remote position open to Contract or Full-Time candidates.

Key Responsibilities

• Conduct control assessments and gap analyses against frameworks including NIST CSF, NIST 800-53, ISO 27001, SOC 2, and CMMC
• Plan and support internal and third-party audits, including scoping, evidence collection, and walkthroughs
• Track audit and assessment findings to remediation and closure, escalating risks where needed
• Develop, maintain, and version-control security policies, standards, and procedures
• Perform vendor and third-party risk assessments and document risk acceptance decisions
• Build and maintain the risk register and report risk posture to leadership and stakeholders
• Support regulatory, customer, and compliance reporting requests
• Help operationalize new framework or regulatory requirements as they emerge

Required Qualifications

• 3 to 5 years of experience in governance, risk, and compliance, IT audit, or information security
• Working knowledge of one or more frameworks: NIST CSF, NIST 800-53, ISO 27001, SOC 2, or CMMC
• Demonstrated experience supporting audit cycles and risk assessments end to end
• Ability to read a control requirement and translate it into clear, actionable guidance
• Strong documentation, organization, and stakeholder communication skills

Preferred Qualifications

• CISA, CRISC, ISO 27001 Lead Auditor, or CISSP certification
• Hands-on experience with GRC platforms such as Archer, ServiceNow GRC, or OneTrust
• Familiarity with defense, healthcare, or financial-services compliance requirements
• Experience with CMMC readiness and assessment preparation

What You Will Bring
You are the kind of person who reads the fine print and keeps the spreadsheet honest. You can push a remediation owner for an update without burning the relationship, and you can explain to a busy engineer why a control matters in language they care about. You treat compliance as a way to make the organization genuinely more secure, not just to pass an audit.