Information Security - GRC Analyst

About Avalere Health

United by one profound purpose: to reach EVERY PATIENT POSSIBLE. At Avalere Health, we ensure every patient is identified, treated, supported, and cared for. Our Advisory, Medical, and Marketing teams come together to forge unconventional connections, building a future where healthcare is not a barrier and no patient is left behind. Achieving our mission starts with providing enriching, purpose-driven careers for our team that empower them to make a tangible impact on patient lives.

We are committed to creating a culture where our employees are empowered to bring their whole selves to work and tap into the power of diverse backgrounds and skillsets to play a part in making a difference for every patient, everywhere. Our flexible approach to working allows our global teams to decide where they want to work, whether in-office or at home based on team and client need. Major city hubs in London, Manchester, Washington, D.C., and New York, and smaller offices globally, serve as collaboration hubs allowing our teams to come together when it matters. Homeworkers are equally supported, with dedicated social opportunities and resources.

Our inclusive culture is at the heart of everything we do. We proudly support our employees in bringing their whole selves to work with our six Employee Network Groups – Diverse Ability, Family, Gender, LGBTQ+, Mental Health, and Race/Ethnicity. These groups provide opportunities to promote diversity, equity and inclusion and to connect, learn, and socialise through regular meetings and programs of activity. We are an accredited Fertility Friendly employer with our Fertility Policy, enhanced parental leave, and culture of flexibility ensuring every employee feels supported across their family planning journey and can work in a way that suits their family’s needs.

We take pride in supporting professional growth for our employees through day‑to‑day career experiences, access to thousands of on‑demand training sessions, regular career conversations, and the opportunity for global, cross‑capability career moves. We take pride in being part of the Disability Confident Scheme. This helps make sure you can be interviewed fairly if you have a disability, long term health condition, or are neurodiverse. If you would like to apply and need adjustments made, you can let us know in your application.

About The Role

The Information Security GRC Analyst supports the InfoSec GRC Lead in operating and improving the organization’s governance, risk, and compliance program. The role focuses on reviewing client MSAs and related security requirements, supporting internal and client audits, driving risk and exception management workflows, and supporting supplier/third‑party security reviews. The organization is aligned to ISO/IEC 27001 and is implementing ISO/IEC 42001. The role supports compliance activities relevant to HIPAA, GDPR, and APPI. This is an excellent opportunity for recent graduates or young professionals to build their career in information security.

What You’ll Do

• Governance & Management System Support: Maintain documentation and evidence for ISO/IEC 27001 & ISO/IEC 42001; support continual improvement activities.
• Client MSA & Security Requirements Review: Extract and document security requirements from client MSAs; identify gaps and risks; coordinate with Legal and Privacy teams.
• Audit Support: Coordinate internal and client audit requests; collect evidence; ensure traceability between requirements, controls, and evidence.
• Risk Management & Exceptions: Assist with risk assessments for vendors/projects; maintain risk registers; support exception workflows.
• Supplier Reviews: Assess third‑party security submissions; track supplier risk ratings and remediation actions.
• Compliance Support: Help map regulatory requirements (HIPAA, GDPR, APPI) to internal controls; maintain compliance documentation.
• Reporting & Improvement: Produce operational reports on audit status/risk metrics; contribute to process improvements.

About You

• Exceptional attention to detail
• Strong written communication skills
• Professional discretion handling sensitive information
• Foundational understanding of information security concepts (access control, encryption, incident response)
• Exposure or interest in ISO/IEC 27001 or AI governance frameworks (ISO/IEC 42001)
• Experience supporting audits, vendor risk reviews or privacy compliance is advantageous
• Familiarity with GRC/ticketing/documentation platforms (e.g., ServiceNow/Jira)
• Suitable for junior candidates (1–3 years) in security, IT, risk, compliance, audit, or related fields, or equivalent demonstrated capability.
• Bachelor’s degree in information security, IT, Risk Management, Compliance, or similar is beneficial but not required with relevant experience.
• Minimum requirement: Candidate must hold or be able to achieve the ISC2 Certified in Cybersecurity (CC) certification within an agreed onboarding period (company‑supported).

What we can offer

• You’ll receive up to a 7% pension contribution, life insurance, income protection, and private medical insurance for peace of mind.
• Enjoy flexible working arrangements, including flexible hybrid working, along with the option to work from anywhere across the globe two weeks each year.
• We provide 25 days of annual leave plus two personal well‑being days, along with gifted end‑of‑year holidays and an early Summer Friday finish in June, July, and August.
• Access free counselling through our employee assistance program, as well as personalized health support.
• Enhanced maternity, paternity, family leave, and fertility policies provide support across every stage of your family‑planning journey, as well as on‑demand support from our partner Peppy.
• You can also benefit from continuous opportunities to professionally develop with on‑demand training, support, and global mobility opportunities across the business.

We encourage all applicants to read our candidate privacy notice before applying to Avalere Health.