Governance, Risk, & Compliance Analyst | 57/hr

Location: Downtown Nashville, TN (Hybrid)
Employment Type: Contract to Hire (6months)
Compensation: 57/hr, 115k area upon conversation 

Must Have Experience for this role:
5+ years in experience in a mix of the below:
 

• SOC II or FedRAMP auditing experience

-this team is working to get CMMC 3

• ISO 27001 experience
• Gathering audit evidence
• Building a common control framework

Overview: Seeking a strategic and detail-oriented Information Assurance Analyst to strengthen and scale our Governance, Risk, and Compliance (GRC) capabilities. This role is an integral part of the Information Security team, with a strong emphasis on Vendor Risk Management, client trust, and compliance with ISO 27001 and related frameworks. You will support firmwide risk reduction efforts and lead initiatives that safeguard sensitive data while enabling business operations and client service delivery.
Responsibilities:
Vendor Risk Management

• Lead the vendor security review process, including intake, risk assessment, documentation, and re-evaluation cycles.
• Collaborate with IT and Legal to embed security and privacy requirements into contracts and onboarding workflows.
• Maintain the vendor inventory and risk classification system; track remediation items and expiration of security attestations (SOC 2, ISO 27001, etc.).
• Assess cloud platforms, SaaS tools, and third-party services against security, compliance, and privacy requirements.

Client Trust & Engagement

• Coordinate responses to client security assessments, due diligence requests, and audits.
• Coordinate with attorneys, business development, and compliance teams to support contractual commitments.
• Maintain a centralized repository of audit evidence and standard responses using tools such as Loopio.

ISMS & Compliance Operations

• Support the day-to-day management of our ISO 27001-certified ISMS, including control implementation and documentation.
• Assist in preparation for surveillance and recertification audits and maintain alignment with ISO 27001:2022 control requirements.
• Track risk treatment plans, control testing, and internal audit findings.

Policy & Control Governance

• Draft, update, and socialize firmwide security and privacy policies.
• Maintain a control library mapped across multiple frameworks including ISO 27001, NIST 800-171, CMMC, and client-specific standards.
• Support the intake and processing of exceptions to security policies, ensuring proper documentation and leadership awareness.

Risk Monitoring & Incident Response Support

• Assist with maintaining the risk register, including identification, analysis, and tracking of risks and mitigations.
• Coordinate with internal teams during security incidents to ensure proper documentation, containment, and reporting.

Security Awareness & Training

• Administer employee training programs including mandatory awareness training and role-specific modules.
• Coordinate phishing simulations and follow-up education for at-risk users.
• Partner with Marketing and IT to drive behavior change through campaigns, posters, and communication.

Program Enablement & Tooling

• Maintain and optimize the GRC toolset (e.g., UpGuard, KnowBe4, Loopio).
• Drive process improvements in risk assessments, audits, and reporting dashboards.
• Support annual penetration testing coordination and track remediation progress.