Medior GRC Officer
| Field | Value |
|---|---|
| Employer: | SCOR |
| Domain: | |
| Job type: | full-time |
| Job level: | 1 - 5 years of experience |
| Location: | |
| Updated at: | 09-05-2026 |
| Remote work: | On-site |
This role ensures continuous compliance with applicable security and privacy frameworks (ISO 27001/2022, ISO 27018, SOC 2) and evolving regulatory obligations (EU AI Act, NIS2, DORA) while acting as the primary liaison with auditors, Legal, Business Development, Cloud, and data protection stakeholders. The role owns control frameworks, policy governance, risk management, and compliance initiatives.
1. Security, Privacy & Compliance Frameworks
- Own and maintain governance, documentation, and control frameworks across ISO 27001/2022, ISO 27018, SOC 2, and other applicable standards, ensuring continuous audit readiness.
- Manage core control artefacts including the Statement of Applicability (SOA), risk assessments, mitigation plans, control ownership mapping, audit plans and control effectiveness reviews.
- Automate and streamline the evidence collection process across control areas and maintain evidence repositories and tooling (e.g., Vanta/OneTrust) to support internal and external audits.
- Plan, coordinate, and document internal audits and support external certification/attestation audits, including remediation tracking and reporting.
- Act as the primary point of contact for external auditors and manage audit communications and reporting.
2. Risk Management, TPRM & Awareness
- Conduct and maintain organizational risk assessments and risk reporting, track open risks, and oversee mitigation actions.
- Establish, organize, and govern control frameworks incorporating requirements from multiple frameworks, ensuring stakeholder alignment and accountability across geographically distributed business entities.
- Participate in third-party risk management activities, including vendor assessments and annual reviews.
- Work closely with cross-functional teams to identify risk areas and streamline client-facing processes to improve efficiency.
- Automate and streamline handling of client due diligence questionnaires.
- Own and maintain the SDS policy and procedure framework, ensuring annual reviews and updates. Communicate policies and changes organization-wide and support AI, security and privacy awareness initiatives.
3. Regulatory Compliance
- Work with the group compliance team to monitor relevant security, privacy, data protection and AI compliance laws and regulations impacting the SDS (EU AI Act, NIS2, DORA).
- Perform and maintain regulatory gap assessments for security, privacy & AI areas as needed and oversee implementation and validation of required controls for SDS products.
- Coordinate with SCOR Group compliance initiatives to assess applicability and ensure timely adoption of regulatory requirements.
4. Data Protection & Privacy
- Coordinate with local and group teams on data protection issues to ensure that sensitive data processing applications comply with local data protection laws and the group data protection standard.
- Support the completion and maintenance of the 'record of processing activities' / 'inventory' as per defined standards and local requirements, ensuring compliance with record-keeping, transparency and accountability requirements under data protection laws.
- Promote a culture of 'data protection by design', advising on whether Data Protection Impact Assessments are required for new projects or initiatives.
- Support security and privacy training, awareness, and compliance self-assessments across the organization.
- Coordinate handling of security and privacy incidents to ensure regulatory/client reporting and root cause analysis, working closely with the group data protection team.
- Communication & influence: clear, concise communication with auditors, executives and stakeholders; ability to challenge constructively and drive accountability.
- You are a thoughtful and responsible GRC professional: someone who is proactive, eager to learn continuously, and comfortable seeking input and feedback.
- GRC ownership: ability to design, implement, and continuously improve security, privacy, and compliance programs across multiple entities and geographies.
- Framework expertise: strong working knowledge of ISO 27001/2022, ISO 27018, SOC 2, and how to map/normalize controls across standards.
- Audit & assurance: end-to-end audit management (internal and external), evidence automation, remediation planning, and clear audit reporting.
- Risk management: practical risk assessment, prioritization, and tracking; ability to translate risks into actionable mitigation plans and control improvements.
- Regulatory awareness: ability to monitor, assess, and operationalize regulatory requirements (e.g., EU AI Act, NIS2, DORA) into policies, controls, and assurance activities.
- Privacy & data protection: working knowledge of GDPR concepts including DPIAs, ROPA, incident handling, and coordination with the DPO.
- Policy governance & awareness: strong capability to write, maintain, and socialize policies/standards; drive annual reviews and training/awareness initiatives.
- Stakeholder & vendor management: effective collaboration with Legal, Business Development, Cloud/Engineering, and third parties; confident handling of client questionnaires and due diligence.
- Tooling & documentation discipline: experience maintaining control/evidence repositories and workflows in tools such as Vanta and OneTrust (or equivalent), plus strong documentation practices.
Required Qualifications & Experience
- 5+ years of experience in information security, compliance, or GRC roles (ideally in a regulated environment and/or technology/SaaS).
- Strong hands-on experience with ISO 27001/2022, ISO 27018, and SOC 2 (control design/operation, evidence, and audit support).
- Desirable: Experience with regulatory programs such as GDPR, EU AI Act, NIS2, or DORA.
- Experience managing audits (internal and external) and regulator-driven programs.
- Ability to work cross-functionally with technical, legal, and business stakeholders.
- Languages: professional working proficiency in English (written and spoken) to collaborate effectively with international stakeholders.
- Travel: occasional travel may be required (e.g., to Paris and/or other SCOR locations) for audits, workshops, or stakeholder sessions.
- Role type: individual contributor position with strong ownership and influence across teams (no direct people management).
- Desirable: Certifications such as ISO 27001 Lead Implementer/Auditor, CISM, CISSP, or equivalent.