Compliance Consultant – GRC Practice at Artemis Connection

About Artemis Connection

Artemis Connection is a strategic management consultancy working across the for-profit, public, and social sectors. We help clients around the world identify their most pressing strategic issues and staff teams of strategy consultants to roll up their sleeves and deliver impact. We are passionate about helping innovative and entrepreneurial leaders reach their goals through a customized, project-based approach.

Our GRC practice works with organizations managing complex compliance obligations, from FedRAMP and CMMC authorizations to SOC 2 and ISO 27001 certifications, across regulated industries including defense contracting, healthcare, financial services, and high-growth SaaS. We help clients build compliance programs that are durable, audit-ready, and integrated into how the business actually operates.

Our founder is Christy Johnson, an entrepreneur, educator, and former McKinsey Engagement Manager. Our team is made up of seasoned consultants trained at organizations such as McKinsey & Company, BCG, Bain, Big 4 Strategy, and elite educational institutions.

About the Role

In this role, you will serve as a subject matter resource within the GRC practice, responsible for delivering compliance assessments, framework implementations, and advisory engagements across a portfolio of clients. This role operates with substantial independence on day-to-day project work while escalating strategic or novel issues to senior leadership. You will be expected to own client relationships at the operational level and contribute to business development activities.

What You'll Do

Client Engagement & Delivery

Lead and execute compliance assessments across one or more regulatory and standards frameworks, including but not limited to SOC 2 Type I/II, ISO 27001, CMMC 2.0, NIST CSF, HIPAA, PCI-DSS, and FedRAMP. This includes scoping engagements, developing project plans, conducting gap analyses, running control testing procedures, drafting findings reports, and presenting results to client leadership. Manage multiple concurrent engagements across different clients and frameworks with minimal supervision.

Framework Translation & Reconciliation

Map overlapping frameworks and identify where controls satisfy multiple standards simultaneously. Advise clients on crosswalk strategies that reduce duplicative compliance work, consolidate evidence collection, and rationalize audit schedules. This requires fluency in how frameworks differ in scope, applicability, and control philosophy beyond their surface-level requirements.

Risk Assessment & Control Design

Conduct qualitative and semi-quantitative risk assessments, evaluate control design effectiveness, and recommend compensating or corrective controls appropriate to client operating environments. Evaluate technical controls — access management, encryption, logging and monitoring, vulnerability management — as well as administrative and physical controls. Recommendations must be grounded in both the relevant standard and the practical operational context of the client.

Policy & Documentation Development

Draft, review, and revise information security policies, procedures, standards, and control narratives. This work must be tailored to client context rather than template-driven, with clear mapping to applicable framework requirements and operational workflows. Write at a professional level sufficient for board-level consumption and audit artifact use.

Audit Support & Remediation Management

Support clients through external audits and certification processes, serving as the primary liaison between the client and auditors during evidence collection phases. Post-audit, develop and track remediation plans, monitor control implementation progress, and validate remediation effectiveness before closure.

Business Development Support

Contribute meaningfully to the practice's pipeline. This includes participating in proposal development, scoping and estimating new engagements, identifying expansion opportunities within existing client relationships, and representing the practice at industry events or working groups. You will not typically be expected to originate large engagements independently but should be able to identify and advance opportunities through the pipeline with principal-level support.

What You Bring

Required

• Minimum bachelor's degree in information systems, computer science, business, law, or a closely related field, or equivalent demonstrated experience
• Minimum 5 years of experience in compliance, information security, audit, or a directly related advisory function, including at least two years in a consulting or client-facing delivery role
• Demonstrated hands-on experience with at least two of the following: SOC 2, ISO 27001, CMMC 2.0, NIST CSF, HIPAA, PCI-DSS, or FedRAMP
• At least one active professional certification — CISA, CISSP, CISM, CRISC, or CCSFP are most relevant to this role
• Strong written and verbal communication skills, including the ability to convey technical findings to non-technical audiences with clarity and precision

Preferred

• Experience with GRC platforms such as Vanta, Drata, OneTrust, ServiceNow GRC, or Archer
• Exposure to regulated industries — healthcare, defense industrial base, financial services, or government contracting
• Familiarity with cloud security architecture concepts across AWS, Azure, or GCP, and how cloud-native environments affect control design and evidence collection
• Experience in a Big Four or mid-market advisory firm environment
• Minimum 2+ years of consulting experience

What Makes Someone Successful Here

At the mid-career level, the practice expects this consultant to distinguish themselves not merely by technical knowledge but by judgment. This means knowing when a control deficiency represents a material risk versus a paperwork gap, when to push back on a client's preferred approach versus defer to their operational constraints, and when a finding warrants escalation to the engagement principal versus direct resolution.

The consultant should be transitioning from executing others' methodologies toward developing and refining their own analytical frameworks. Client relationships should feel to the client like they have a trusted advisor, not a task-order fulfillment resource.

Compensation and Structure

This role is structured as a project-based engagement, typically 12 months in duration with the possibility to extend based on client needs and performance. This role is remote, with occasional travel potentially required based on client needs. Compensation is competitive and commensurate with experience; details will be discussed during the interview process.