Upstox
Website: upstox.com
Job details:
Job Title: Engineer II - GRC (Full-Time)
Company: Upstox
Location: Mumbai
Work arrangement: 5 days in the office
About Upstox
At Upstox, we’re building the future of investing - simple, powerful, and for everyone. We're one of India’s fastest-growing fintech platforms, backed by the best in the business, including Mr. Ratan Tata and Tiger Global, and on a mission to make wealth creation accessible to every Indian. From first-time investors to seasoned traders, millions trust us to power their financial journeys. We're not just moving fast - we’re moving with purpose. If you thrive in a high-energy, high-impact environment, you're in the right place.
The Role:
We are looking for a proactive GRC (Governance, Risk & Compliance) professional to drive our cybersecurity and privacy compliance initiatives. You will be responsible for strengthening our security posture by managing audits, identifying risks, and ensuring adherence to regulatory and industry standards such as ISO frameworks and regulatory requirements (SEBI, IRDAI).
You will work cross-functionally with technology, product, legal, and business teams to embed security and privacy best practices into the organization while ensuring continuous compliance and risk mitigation.
What You’ll Own
- Develop and update security policies, procedures, and processes.
- Coordinate and facilitate certification audits such as ISO 27001, ISO 27701, and ISO 22301, as well as regulatory cyber audits from SEBI and IRDAI.
- Coordinate with auditors and internal stakeholders, and facilitate closure of audit findings through follow-up with the respective teams.
- Perform thorough risk assessments and manage mitigation plans.
- Work closely with different IT Groups to continuously identify, mitigate, and manage compliance risks.
- Oversee security awareness programs and conduct third-party vendor assessments.
- Review third-party agreements to ensure adequate security clauses are in place, and conduct comprehensive vendor risk assessments to identify and mitigate cybersecurity risks.
- Handle privacy-related activities like PIA, ROPA, and data mapping.
- Conduct thorough assessments of third-party vendors to identify potential cybersecurity risks.
Who You Are
- 2 to 5 years of experience in Information Security, GRC, Risk Management, or Compliance, preferably in a fintech or financial services environment.
- Strong understanding of information security frameworks and standards such as ISO 27001, ISO 27701, ISO 22301, and regulatory requirements like SEBI/IRDAI.
- Hands-on experience in audit management, risk assessments, and control testing.
- Good knowledge of data privacy principles and experience handling activities like PIA (Privacy Impact Assessments), ROPA (Record of Processing Activities), and data mapping.
- Experience conducting third-party/vendor risk assessments and managing associated remediation.
- Ability to work with cross-functional teams to track and close audit findings and ensure compliance adherence.
- Strong analytical and problem-solving skills with the ability to identify gaps and recommend practical mitigation strategies.
- Excellent communication, documentation, and stakeholder management skills.
- Certifications such as CISA, CRISC, and ISO 27001/27701 Lead Implementer/Auditor are highly desirable.
Why This Role Rocks
- You will play a critical role in safeguarding a high-impact fintech ecosystem, ensuring trust, security, and regulatory compliance for millions of users.
- You will gain exposure to end-to-end cybersecurity governance, including audits, risk management, privacy, and regulatory compliance.
- Work in a fast-paced, collaborative environment with cross-functional teams across tech, legal, and business.
- Opportunity to work on complex regulatory landscapes (SEBI, IRDAI) and global standards, accelerating your growth as a GRC professional.
- High ownership and visibility of your work will directly influence organizational risk posture, audit readiness, and compliance maturity.
By applying for this position, you acknowledge that you have reviewed our Prospective Employee Privacy Notice, which outlines how Upstox collects, uses, and protects your Personal Information ("PI").
Upstox is an Equal Opportunity Employer; all qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, veteran status, or other characteristics.