Blackstone Talent Group
Principal Analyst, Governance, Risk & Compliance (GRC)
This role is for a Principal Analyst, Governance, Risk & Compliance (GRC) on a contract basis in Vernon/Los Angeles, CA, offering competitive pay. Requires 5–7 years of GRC experience, ISO 27001, SOX, and proficiency with GRC tools.
Country: United States
Currency: $ USD
Day rate: 680
Date: April 1, 2026
Duration: Unknown
Location: Hybrid
Contract: Unknown
Security: Unknown
Location detailed: Los Angeles Metropolitan Area
Skills detailed: #IAM (Identity and Access Management) #BI (Business Intelligence) #Documentation #Oracle #Microsoft Power BI #Vulnerability Management #SQL (Structured Query Language) #Monitoring #Automation #Security #Compliance #Base #SAP #Computer Science #Jira
Role description
Position Details:
Location: Vernon / Los Angeles, CA (Hybrid or Remote)
Type: Contract (conversion possible)
Department: IT / Information Security / GRC
Reports to: Director / Head, Governance, Risk & Compliance (GRC).
Collaboration: Finance, IT Infrastructure & Applications, Internal Audit, Legal/Privacy, Plant Operations, Supply Chain, HR.
Job Title
Principal Analyst, Governance, Risk & Compliance (GRC)
Company Overview
Our client is a leading U.S. designer and manufacturer of electrical distribution equipment used in data centers, the power grid and energy-intensive industrial facilities. The Company specializes in manufacturing custom products that are “engineered-to-order” for technically demanding applications.
About the Role
Our client is hiring a hands‑on Principal GRC Analyst to execute and continuously improve its governance, risk, and compliance program across IT and OT environments. You will run day‑to‑day ISMS operations, drive SOX IT control execution, lead access certification cycles using a hybrid reviewer model, mature third‑party risk, and advance continuous control monitoring. This is a senior individual contributor role designed for candidates with 5–7 years of high‑impact GRC experience who can lead complex workstreams, mentor teammates, and coordinate vendors—without formal people management.
Key Responsibilities
Governance & ISMS Operations (ISO/IEC 27001)
• Maintain the ISMS operating rhythm: scope updates, risk assessments, Statement of Applicability (SoA) maintenance, corrective action tracking, and surveillance/certification readiness.
• Draft, update, and socialize policies/standards/procedures (access control, change management, vulnerability management, secure SDLC, incident response, data retention/supplier security).
• Prepare decision‑ready materials and follow‑ups for governance forums (Risk & Compliance Steering Committee, CAB, ISO Management Review).
Risk Management (IT & OT)
• Run risk identification, assessment (qualitative plus FAIR‑lite scenario estimates), treatment planning, and risk acceptance with accountable owners.
• Maintain cross‑framework mappings (ISO 27001, NIST CSF/800‑53, CIS Controls, SOC 2) to ensure clear control coverage and traceability.
Third‑Party Risk (TPRM/VRM)
• Execute risk‑tiered vendor due diligence, contractual security/privacy controls, onboarding/offboarding checks, continuous monitoring, and remediation with business owners and Procurement.
• Align the program to ISO/IEC 27036 for supplier relationships and partner with Legal on DPAs, security addenda, and privacy clauses (e.g., CCPA/CPRA).
SOX ITGCs & Application Controls
• Support ownership of SOX 404 controls across IAM, change management, computer operations, and key application controls: scoping, RCM upkeep, walkthroughs, testing, sampling, and remediation tracking across ERP (SAP/Oracle) and in‑scope apps.
• Ensure audit‑ready evidence quality and timing SLAs; coordinate with Finance/Accounting on financial reporting risks.
Access Governance & Hybrid Reviewer Model
• Lead quarterly user access certification campaigns using a hybrid reviewer model, including SoD analysis, exception handling, and revocation SLAs.
• Align Joiner‑Mover‑Leaver (JML), privileged access, and emergency/firefighter access to policy and control objectives; integrate with IAM (e.g., SailPoint/Saviynt/Okta) and ticketing (Jira).
Tooling, Automation & CCM
• Configure/administer GRC/IRM tooling (e.g., OneTrust, Drata/Vanta) and integrate with IAM, CMDB, SIEM, ticketing, and ERP for automated evidence and continuous control monitoring (CCM).
• Build control analytics for access outliers, change exceptions, and segregation of duties (SoD) conflicts; publish dashboards and alerts.
Audits & Assurance
• Execute internal audits (ISO 27001 clauses/Annex A, policy/process adherence) and coordinate external audits (SOX, ISO surveillance/certification, SOC 2 as applicable).
• Perform walkthroughs, sample selection, operating effectiveness testing, issue documentation, and sustainable remediation verification.
Incident, BCP/DR & Privacy Collaboration
• Ensure incident response governance produces audit‑ready artifacts (playbooks, post‑incident reviews, root cause, corrective actions).
• Support BCP/DR governance (BIA updates, test planning/execution, lessons learned).
• Partner with Legal/Privacy on data protection and records retention; align supplier agreements with privacy obligations.
Qualifications
Education
• Bachelor’s degree in Information Systems, Computer Science, Engineering, Accounting/Finance, or related field preferred.
Experience
• Progressive experience in IT Audit/Controls, GRC, or Information Security Risk, including executing ISO 27001 and SOX control activities.
• Hands‑on ISMS work (SoA upkeep, internal audit coordination, corrective actions, awareness/training support).
• SOX 404 involvement across IAM, change, computer operations, and application controls (RCM maintenance, testing, and remediation tracking) in ERP (SAP/Oracle) and key applications.
• Practical use of GRC/IRM platforms (OneTrust, Drata/Vanta) and integrations with IAM (SailPoint/Saviynt/Okta), CMDB, SIEM, ticketing, and vulnerability management tools.
• Comfort with data/evidence: logs, configuration exports, ERP control parameters; Excel/Power BI/SQL for CCM or audit analytics is a plus.
Certifications (Preferred)
• ISO/IEC 27001 Lead Implementer or Internal Auditor
• CISA, CRISC, CISM/CISSP (any one is a plus)
• ITIL Foundation; FAIR training a plus
Skills & Competencies
• Strong control design, documentation, and testing skills with precision in scoping and remediation tracking.
• Clear, concise communication—able to translate technical risk for non‑technical stakeholders and produce executive‑ready content.
• Influences without authority; collaborates with Finance, IT, Plant Ops, and external auditors.
• Continuous improvement mindset; balances compliance rigor with business sense.
Travel & Work Environment
• ~10% travel to manufacturing plants, data centers, and corporate offices for audits, walkthroughs, and stakeholder workshops.
Compensation & Benefits
• Competitive base salary and bonus. Comprehensive benefits package.
Blackstone Talent Group is a wholly owned subsidiary of Blackstone Technology Group, a global IT services and software firm that implements technological solutions across commercial industry verticals and the US Federal Government. Blackstone's global talent augmentation practice was founded in 1998. Blackstone Talent Group has offices in San Francisco, Denver, Houston, Colorado Springs, and Washington, DC. We specialize in providing clients the best talent across a variety of industries and sectors.