GRC

• *Position Purpose**

This position is critical to centralizing ownership for driving enterprise\-wide governance and compliance programs, ensuring proactive risk management, audit readiness, and alignment with international standards and local data protection laws. The GRC Lead will work directly with the HOD on multiple GRC initiatives including ISO 27001 certification for Awfis, alignment with the Digital Personal Data Protection (DPDP) Act, Captive Risk Profiling, Third\-Party Risk Management (TPRM), and related programs.**Key Responsibilities****Governance \& Compliance Program Ownership*** + Establish, lead, and continuously mature the enterprise GRC framework across Awfis and Awliv business units.

+ Drive end\-to\-end ownership of ISO 27001 certification for Awfis, including gap assessment, control implementation, internal audits, and external certification readiness.

+ Develop, publish, and maintain information security policies, standards, procedures, and guidelines aligned with industry best practices.

+ Ensure organizational alignment with the DPDP Act and other applicable data protection and privacy regulations.

• *Risk Management*** + Lead Captive Risk Profiling exercises, including identification, assessment, treatment, and continuous monitoring of enterprise risks.

+ Maintain the enterprise risk register and drive periodic risk review cadence with business and IT stakeholders.

+ Define and track key risk indicators (KRIs) and key control indicators (KCIs); report risk posture to leadership.

+ Recommend and oversee implementation of risk mitigation strategies across functions.

• *Third\-Party Risk Management (TPRM)*** + Design and operationalize the TPRM program covering vendor onboarding, due diligence, periodic reassessment, and offboarding.

+ Evaluate third\-party security, privacy, and contractual compliance posture; track remediation of identified gaps.

+ Collaborate with Procurement, Legal, and business owners to embed security and privacy clauses into contracts.

• *Audit \& Assurance*** + Plan and execute internal audits; coordinate external audits, certifications, and client/regulatory assessments.

+ Track audit findings to closure, drive root cause analysis, and reduce repeat non\-conformities.

+ Improve audit closure timelines through structured tracking, accountability, and reporting mechanisms.

+ Serve as the single point of contact for client security and compliance assessments.

• *Data Protection \& Privacy*** + Drive DPDP Act readiness, including data mapping, consent management, data subject rights handling, and breach response.

+ Coordinate with Legal and business teams on data processing agreements, privacy notices, and cross\-border data transfer requirements.

+ Support the Data Protection Officer (DPO) function as required.

• *Stakeholder Engagement \& Reporting*** + Partner with IT, Legal, HR, Operations, Finance, and business units to embed GRC practices into day\-to\-day operations.

+ Prepare and present GRC dashboards, metrics, and reports to senior leadership, the HOD, and relevant committees.

+ Conduct awareness and training programs to build a culture of compliance and security accountability.

• *Required Qualifications****Education*** + Bachelor's degree in Computer Science, Information Technology, Information Security, or a related discipline. A Master's degree or MBA is a plus.

• *Experience*** + 7 to 12 years of progressive experience in Information Security, IT Governance, Risk, and Compliance, with at least 3 years in a GRC leadership or program ownership role.

+ Demonstrated experience driving ISO 27001 certification end\-to\-end (preparation through certification and surveillance audits).

+ Hands\-on experience with DPDP, GDPR, or comparable data protection regimes.

+ Proven track record running TPRM, internal audit, and enterprise risk programs.

• *Certifications (one or more strongly preferred)*** + ISO 27001 Lead Auditor or Lead Implementer

+ CISA, CISM, CRISC, or CISSP

+ DCPP, DCPLA, CIPP/E, or CIPM (for privacy)

• *Technical \& Functional Skills*** + Strong working knowledge of ISO 27001, NIST CSF, SOC 2, PCI DSS, and similar frameworks.

+ Deep understanding of Indian data protection law (DPDP Act) and global privacy regulations.

+ Familiarity with GRC tools, risk assessment methodologies, and control testing approaches.

+ Sound understanding of IT and cloud infrastructure, application security concepts, and common threat landscapes.

• *Behavioural Competencies*** + Strong ownership mindset with the ability to operate independently and drive programs to closure.

+ Excellent stakeholder management and influencing skills across technical and non\-technical audiences.

+ Strong analytical, problem\-solving, and decision\-making abilities.

+ Clear written and verbal communication, including the ability to present to executive leadership.

+ High integrity, attention to detail, and a structured approach to complex problems.

• *Key Deliverables (First 12 Months)*** + Establish a baseline IT compliance practice and operating model across Awfis and Awliv.

+ Achieve ISO 27001 certification for Awfis.

+ Deliver DPDP readiness and operationalize ongoing compliance.

+ Stand up a functional TPRM program with defined SLAs and a vendor risk register.

+ Reduce open audit findings and repeat non\-conformities through structured remediation tracking.

+ Publish a quarterly enterprise risk and compliance dashboard for leadership.