GRC Consultant - Job Details
Key responsibilities:
Define, implement and monitor Governance, Risk & Compliance frameworks in line with client requirements and industry best practice.
Conduct Information Security Risk assessments, identifying threats, vulnerabilities, impact and mitigation measures.
Support the definition, review and maintenance of security policies, standards, procedures and controls.
Conduct gap analyses against standards and frameworks such as ISO 27001, NIST CSF, NIS2 (DL125-2025), amongst others.
Monitor internal audits, ensuring the collection of evidence, handling of non-conformities and definition of action plans.
Support processes for technology risk management, third-party risk, business continuity and security awareness.
Produce technical and executive reports containing conclusions, identified gaps, maturity levels and recommendations for improvement.
Collaborate with technical, business and management teams to ensure the implementation and monitoring of defined controls.
Essential requirements:
2 to 5 years’ practical experience in GRC, Information Security, IT Risk or Compliance roles.
Experience in risk assessments, audits, compliance and defining security controls.
Good knowledge of frameworks and standards such as ISO 27001, ISO 22301, NIST CSF, or equivalent.
Solid knowledge of applicable regulatory and statutory requirements, namely NIS2, GDPR and QNRCS.
Experience and ability to draft policies, procedures, executive reports and remediation plans independently.
Ability to interact with various stakeholders, from technical teams to management.
Mandatory certification: ISO 27001 Lead Auditor.
Good command of English (written and spoken).
Excellent command of Portuguese (written and spoken).
What skills do you need to have?
Experience in ISO 27001 certification projects.
Experience in supplier auditing and third-party risk management.
Knowledge of business continuity and disaster recovery.
Experience with GRC tools and risk/compliance management platforms.
Experience in information security awareness, training and outreach.
Knowledge of DORA, NIS2 or other relevant regulatory frameworks.
One of the following certifications or equivalents will be an advantage: ISO 27001 Lead Implementer, CRISC, CISA, CISM.
-
GRC
-
Lisbon