Salt

Risk & Compliance Analyst

United Arab Emirates · Contract · Mid-Senior

Risk & Compliance Analyst – Risk Register Management

Domain: Governance, Risk & Compliance (GRC) | Risk Register | Framework Alignment

Contract: 12-month engagement | Operational from Week 2


We are seeking a Risk & Compliance Analyst to take ownership of the enterprise Risk Register, ensuring it remains a living, authoritative source of truth for all information security and technology risks.


This role sits at the heart of the organisation’s Governance, Risk & Compliance (GRC) function, translating technical security findings into structured, business-owned risk decisions aligned to NIST CSF 2.0, ISO 27001, NIST SP 800-37 RMF, and UAE Information Assurance (UAE IA) requirements.


You will ensure risks are consistently captured, properly assessed, actively managed, and clearly reported to executive stakeholders.


Key Responsibilities

  • Own and maintain the enterprise Risk Register as the single source of truth for all security and technology risks.
  • Facilitate risk identification workshops with technical teams, business stakeholders, and control owners.
  • Define and document risks using a structured format: threat × vulnerability × asset × impact.
  • Perform and maintain inherent and residual risk scoring, including tracking risk acceptance decisions.
  • Ensure every risk has a clearly defined owner, treatment plan, and review cycle.
  • Coordinate periodic risk reviews and ensure remediation progress is tracked to closure.
  • Map risks to relevant frameworks including:
      • NIST CSF 2.0 (GV.RM, GV.RR)
      • ISO 27001 controls
      • UAE IA requirements
      • NIST SP 800-37 Risk Management Framework
  • Produce risk heatmaps, trend analysis, and monthly executive dashboards.
  • Integrate inputs from vulnerability management, penetration testing, audit findings, security incidents, and policy exceptions into the Risk Register.
  • Ensure risk data is audit-ready and supports regulatory and internal assurance requirements.


Objectives & Success Criteria

Core Outcomes

  • A complete, accurate, and defensible enterprise Risk Register
  • Every material risk has an accountable owner and active treatment plan
  • Executive reporting provides clear visibility of risk posture and trends

SMART Milestones

  • Within 30 days:
      • Baseline the existing Risk Register, identify gaps, stale entries, and inconsistencies.
  • Within 60 days:
      • Complete a full refresh cycle ensuring all risks have owners, treatment status, and review dates.
  • Within 90 days:
      • Deliver first executive risk dashboard and heatmap; integrate vulnerability, pentest, and audit inputs.
  • Ongoing:
      • Ensure 100% of material risks are reviewed at least quarterly with zero orphaned risks.

Tools & Platforms

  • Excel / SharePoint (Risk Register management)
  • Jira / Confluence / YouTrack
  • Integration with security tooling outputs (VM, pentest, audit, incident tracking systems)


Required Skills & Experience

  • 3+ years’ experience in GRC, risk management, cybersecurity governance, or similar roles
  • Hands-on experience with Risk Registers or equivalent enterprise risk tooling
  • Strong understanding of NIST CSF 2.0, ISO 27001, MITRE ATT&CK, and UAE IA regulations
  • Ability to perform structured risk analysis and apply risk scoring methodologies
  • Experience working with cross-functional technical and business stakeholders
  • Strong communication skills with the ability to present to both engineers and executive leadership
  • Experience integrating security findings from VM, audit, and pentesting processes


Please apply to be contacted with further information.

Key Skills


VM, penetration testing, cybersecurity, Confluence, NIST

Posted: May 12, 2026
Type: Contract
Level: Mid-Senior
Location: Abu Dhabi
Company: Salt

Industries

Technology Information Media Computer Network Security

Categories

Information Technology
