ISO Auditor (6-Month Fixed-Term)

Role Overview

The Senior Risk and Controls Analyst plays a crucial role in ensuring that MRI's business practices align with relevant regulations, industry best practices, and common security standards. By conducting thorough audits and evaluations of various business functions, the Senior Risk and Controls Analyst helps maintain MRI's commitment to cybersecurity, risk management, data privacy, and continuous improvement. While the primary focus is on technical aspects of security, the role also encompasses non-technical business practices to provide a holistic approach to compliance.

Responsibilities

• Collaborate with business stakeholders to conduct comprehensive audits related to IT general controls, application controls, information security, and business functions.

• Address client and internal inquiries regarding compliance, privacy, and security matters, providing expert guidance and solutions.

• Maintain and enhance MRI's risk register by creating, updating, and assessing entries to ensure accurate documentation of potential risks and mitigation strategies.

• Ensure timely completion of corrective actions by diligently following up with internal and external parties.

• Manage the lifecycle of policies and security documentation, including drafting, updating, archiving, and circulating to relevant stakeholders.

• Prepare detailed minutes, collect and analyze data, and maintain action lists to support meetings, audits, and incident response efforts.

• Align MRI's overall security strategy with internal teams, industry best practices, and global legislation, including but not limited to SOC 1, SOC 2, ISO 27001, NIST, and other standards.

• Develop and oversee mitigation plans related to information security risks, audits, and policy findings, collaborating with relevant teams to ensure effective implementation.

• Conduct vendor security risk assessments and provide risk-based recommendations to help evaluate and improve the company's risk posture.

• Contribute to the development and delivery of engaging and informative enterprise-wide security awareness initiatives to foster a culture of security.

• Forge strong, collaborative partnerships with security, infrastructure, legal, audit, and IT teams to ensure a cohesive approach to compliance and risk management.

• Stay abreast of emerging trends, threats, and best practices in cybersecurity and compliance, proactively identifying opportunities for improvement and implementing necessary changes.

Experience and Qualifications

• Professional experience and familiarity with specifically ISO 27001, while ISO 9001, SOC 1, SOC 2, and other auditing standards are also plusses.

• Professional experience and familiarity with one or more: NIST, CIS, SANS, ISO, CES, FedRAMP, and other cybersecurity frameworks.

• Working knowledge of major international, national, and state level security and privacy regulations, practices, and standards.

• Solid technical background with an applied understanding of common types of security risks and mitigation strategies.

• Experience with vendor risk management and performing security risk reviews.

• Ability to work effectively with geographically distributed teams across different time zones.

• Excellent communication and interpersonal skills, with the ability to translate complex technical concepts to non-technical stakeholders.

• Strong analytical and problem-solving skills, with a keen attention to detail and the ability to think critically.

• Proactive and self-motivated, with the ability to work independently and manage multiple priorities in a fast-paced environment.

• Relevant certifications such as CISA or CRISC are highly desirable.