Senior GRC & Security Governance Manager
Certa
About Certa
Certa automates the vendor, supplier, and stakeholder onboarding processes for businesses
globally. Serving Fortune 500 and Fortune 1000 clients, Certa's team tackles expansive and
deeply technical challenges, driving innovation in business processes across industries. With
our rapid growth trajectory, this role offers significant opportunity for career advancement.
About the Role
The Senior GRC & Security Governance Manager will be responsible for owning and
maturing Certa’s enterprise-wide security governance, risk, and compliance programs.
This is a hands-on, technically-oriented GRC role that covers:
- ISMS ownership & policy management
- Security framework implementation
- Technical risk assessment (architecture, infrastructure, application)
- Regulatory & standards compliance (ISO 27001, SOC2, NIST, GDPR)
- Third-party and vendor security risk management
- Exception management and governance
- Security awareness and training programs
- M&A security due-diligence and integration
The role works closely with Cloud Security, IT, Product, DevOps, Legal, and executive leadership to ensure security and compliance are embedded across the organization.
What You Will Do
1. ISMS & Policy Management
Own and maintain the Information Security Management System (ISMS) aligned to ISO
27001, SOC2, and relevant regulations.
Develop, maintain, and enforce security policies, standards, procedures, and baselines.
Conduct regular reviews, updates, and stakeholder alignment for all security policies.
Ensure technical implementation of policy controls across cloud, applications, and IT
infrastructure.
2. Security Framework Implementation
Implement and mature enterprise-wide security frameworks (ISO 27001, NIST CSF, CIS
Controls).
Map controls to technical and operational environments, including cloud, applications,
and network infrastructure.
Monitor adherence and drive continuous improvement of the security framework.
3. Risk Management
Lead enterprise risk assessments across architecture, cloud infrastructure, and
applications.
Identify and document risks in technical systems, configurations, and deployments.
Collaborate with Cloud Security, IT, and Product teams to remediate risks and track
closure.
Maintain a centralized risk register and automate risk monitoring where possible.
4. Regulatory & Standards Compliance
Manage SOC2, ISO 27001, GDPR, and other regulatory compliance initiatives.
Coordinate evidence collection, control validation, and audits with internal and external
auditors.
Drive compliance of technical controls across cloud (AWS/GCP), applications, and
endpoints.
Ensure continuous compliance monitoring and reporting.
5. Third-Party / Vendor Risk Management
Maintain a complete inventory of all third-party vendors, SaaS applications, and service
providers.
Conduct security assessments (SIG Lite, ISO/SOC review, technical posture evaluation).
Track and manage vendor risks and remediation activities.
Define ongoing monitoring and evidence requirements for vendor compliance.
6. Security Awareness Programs
Build, deliver, and maintain organization-wide security awareness programs.
Conduct targeted workshops, phishing simulations, and training campaigns.
Track and report engagement and effectiveness of awareness initiatives.
7. Exception Management
Implement and manage the exceptions/waiver governance process.
Review, validate, and risk-rate exception requests, and define compensating controls.
Maintain records and report exception posture to leadership and auditors.
8. M&A Security Governance
Conduct technical security assessments for potential acquisition targets.
Evaluate cloud, network, infrastructure, and application security posture.
Define integration plans and risk mitigation for acquired entities.
Track security compliance and maturity for new entities post-acquisition.
What You Will Need
Experience: 7+ years in GRC, ISMS, risk, and compliance roles in technology or SaaS
organizations.
Technical Breadth: Strong technical understanding of cloud (AWS/GCP), network,
application, and infrastructure security.
Hands-on GRC: Proven experience with risk assessments, technical control validation,
and security evidence collection.
Framework Mastery: Deep knowledge of ISO 27001, SOC2, NIST, GDPR, and
industry-standard frameworks.
Vendor Risk: Strong experience in third-party risk management and vendor security
assessments.
Collaboration: Excellent communication skills to work with Engineering, Product, IT,
Legal, and external auditors.
Good-to-Have
ISO 27001 Lead Auditor / Lead Implementer, CISSP, CISM, CRISC, or equivalent
certifications.
Experience in M&A security due diligence.
Experience in automating compliance evidence and dashboards.
Familiarity with security awareness and training program delivery.
Why You'll Love Working Here
- Direct impact: Shape our people operations and talent acquisition strategies from the ground up
- Growth path: Clear opportunities for advancement as we scale
- Strategic influence: Work closely with leadership to build our people strategy
- Cross-functional collaboration: Partner with all departments to understand talent needs and drive employee success
- Work-life balance: Flexible remote work arrangements
- Innovative culture: Work with a talented, passionate team building cutting-edge solutions
Certa is committed to building a diverse team and strongly encourages applications from
candidates of all backgrounds. We're looking for exceptional talent who can help us secure our
platform and build trust with our enterprise clients.