Technical GRC Analyst in City of Westminster

We are seeking a Technical GRC Analyst to support the day‑to‑day operation of our governance, risk, compliance, and security assurance processes within a growing EdTech SaaS environment. This role will focus on administering established policies and workflows, coordinating compliance and security activities, handling requests from across the business, and performing risk assessments particularly where personal data, information security, and GDPR considerations are involved. You will play a key role in ensuring that our systems, processes, security tooling, and third‑party relationships meet our security, compliance, and data protection standards. Working closely with the IT & Information Security Manager and wider IT team, you will help maintain audit readiness, support operational security assurance activities, and coordinate remediation and evidence management across the organisation.

Responsibilities

• Administer and operate IT risk, compliance, and security assurance processes aligned to internal policies and regulatory requirements (including GDPR).
• Act as a central point of contact for compliance‑related requests (e.g., Subject Access Requests, data sharing requests, access requests, exceptions, and supplier onboarding).
• Perform risk assessments using defined criteria, with a focus on data protection and information security risks.
• Review requests against defined policies and controls, escalating where appropriate in line with internal governance processes.
• Support third‑party/supplier risk assessments, including reviewing security and data protection documentation and tracking follow‑up actions.
• Support periodic reviews of high‑risk and business‑critical suppliers, applications, and technology platforms to ensure appropriate security, compliance, and data protection controls remain in place.
• Support the implementation and ongoing operation of compliance and assurance tooling (Vanta), including evidence collection, test management, stakeholder coordination, remediation tracking, and control adoption activities.
• Ensure appropriate documentation, audit trails, and evidence are maintained for assessments, compliance activities, and operational processes.
• Support internal and external audits (e.g., ISO 27001), including evidence gathering, action tracking, and coordination of remediation activities.
• Monitor compliance with policies and highlight potential risks, gaps, or control weaknesses for review.
• Support coordination and operational delivery of security improvement initiatives across IT and business teams.
• Support incident management processes through documentation, tracking, and coordination of follow‑up actions.
• Coordinate security awareness activities, including phishing simulation campaigns and training tracking.
• Assist with reviews of security tooling configurations and collection of supporting control evidence.
• Work closely with engineering, product, and business teams to ensure compliance and security processes are understood and followed.
• Contribute ideas and feedback to improve workflows and operational processes, particularly where they impact scalability, operational efficiency, or customer trust.

Essential

• Experience in IT risk, compliance, or GRC roles within a SaaS or technology environment.
• Understanding of GDPR and handling of personal data (especially sensitive or child/student data).
• Experience performing risk assessments using structured frameworks and defined processes.
• Ability to interpret policies and apply them to operational and real‑world scenarios.
• Strong organisational, coordination, and documentation skills (audit trails, evidence, decision logs).
• Experience working with cross‑functional teams (e.g., engineering, product, operations).
• Experience supporting operational security assurance activities, such as evidence collection, control validation, remediation tracking, or audit preparation.

Desirable

• Familiarity with ISO 27001, Cyber Essentials, or similar frameworks.
• Experience supporting audits, evidence collection, or remediation tracking activities.
• Experience with vendor / third‑party risk management.
• Exposure to data protection processes (e.g., SARs, DPIAs, data sharing assessments).
• Exposure to data classification, data governance, or data loss prevention (DLP) processes.
• Experience with GRC, compliance, or assurance platforms (e.g., Vanta, Drata) and ticketing/workflow management tools.
• Exposure to Microsoft 365 security and compliance tooling (e.g., Entra ID, Intune, Secure Score, Defender).
• Basic understanding of cloud/SaaS architecture and common security controls.

Key Behaviours

• Pragmatic approach to risk, with the ability to balance compliance requirements with business needs.
• Comfortable assessing requests against defined policies and escalating concerns where appropriate.
• Confident communicating risks, issues, and follow‑up actions to stakeholders.
• Detail‑oriented, with a strong focus on documentation, evidence quality, and traceability.
• Organised and proactive, with the ability to manage multiple tasks and follow through on actions.
• Able to operate independently within established processes and governance frameworks.
• Collaborative approach to working with technical and non‑technical teams.