Gresham
Website:
greshamtech.com
Job details:
Company Summary
Gresham is a global financial services technology company specialising in enterprise data automation. We help financial institutions ensure that their operational, regulatory and management data is complete, accurate, timely and fully auditable — particularly within complex environments where data is distributed across multiple systems.
Our solutions automate data controls, reconciliations, workflows and exception management, enabling clients to reduce operational risk, strengthen data governance and enhance confidence in reporting across highly regulated environments. Serving both buy-side and sell-side organisations worldwide, Gresham partners with clients to deliver trusted, transparent and resilient data operations.
Job Purpose
The GRC (Governance, Risk & Compliance) Analyst is responsible for managing and responding to client-initiated information security due diligence requests, including vendor security questionnaires (VSQs), request for proposal (RFP) security schedules, and ESG-related assessments. Operating as part of the Information Security function and reporting directly to the Information Security Manager, the post-holder serves as a point of coordination between Gresham’s security, legal, and commercial teams and its clients’ procurement and risk functions.
As a financial services technology provider operating in highly regulated environments, Gresham’s clients subject the business to rigorous third-party risk assessments covering data security, operational resilience, access controls, and increasingly, ESG and sustainability criteria. The GRC Analyst ensures these assessments are completed accurately, consistently, and within agreed timescales, thereby directly supporting client acquisition, retention, and the organisation’s broader information security governance framework.
Key Responsibilities
- Manage and respond to client information security due diligence questionnaires (DDQs), vendor security questionnaires (VSQs), and RFP security schedules in an accurate, timely, and consistent manner, maintaining a central response library to improve efficiency and quality over time.
- Maintain and continuously improve Gresham’s GRC evidence repository, ensuring that supporting documentation — including policies, certifications, audit reports, and control evidence — is current, accessible, and appropriately version-controlled to support both reactive client requests and proactive assurance activities.
- Coordinate responses to client and prospect ESG assessments, working cross-functionally with People & Culture, Facilities, Legal, and Finance to collate accurate data across environmental, social, and governance dimensions, and ensuring outputs are consistent with Gresham’s broader sustainability commitments and disclosures.
- Support the Information Security Manager in maintaining the organisation’s information security policy framework and certification portfolio, tracking compliance across Gresham’s applicable standards. Gresham operates a suite of products — including Control Cloud, Connect Cloud, Prime EDM, and Pulse Data — each of which carries distinct certification and assurance obligations; the role requires an understanding of how SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001, and SWIFT Customer Security Programme (CSP) requirements apply differently across these product lines.
- Contribute to the preparation of internal and external audit activities, risk registers, and periodic security reporting.
Essential Skills & Experience
- Demonstrable experience responding to information security due diligence questionnaires, vendor security assessments, or equivalent client-facing assurance requests, with a working knowledge of the frameworks and standards commonly referenced in such assessments, including ISO/IEC 27001, SOC 1 Type II, SOC 2 Type II, NIST CSF, and the SWIFT Customer Security Programme (CSP).
Note: Gresham’s product portfolio — which includes Control Cloud, Connect Cloud, Opus EDM, Prime EDM, and Pulse Data — spans multiple certification regimes, and different products and deployment contexts carry distinct assurance obligations. Candidates are not expected to hold deep expertise across all frameworks, but should demonstrate an ability to navigate and respond to client questions that reference these standards in combination.
- A minimum of two years’ experience in a GRC, information security compliance, or technology risk function, with a sound understanding of information security principles including access control, data classification, encryption, incident management, and business continuity.
- Strong written and verbal communication skills with the ability to translate technical security controls into clear, commercially appropriate language for non-technical client stakeholders, legal teams, and procurement functions.
- A degree in Information Security, Computer Science, Law, Business Administration, or a related discipline, or equivalent professional experience in a regulated technology or financial services environment.
Desirable Skills
- Professional certification or active pursuit thereof in a relevant discipline, such as CompTIA Security+, ISO 27001 Foundation or Lead Implementer, CC (ISC²), or CISA (ISACA).
- Familiarity with ESG reporting frameworks applicable to technology businesses, including GRI Standards, the UN Sustainable Development Goals, or India’s Business Responsibility and Sustainability Report (BRSR) requirements.
- Experience using GRC tooling or response management platforms such as OneTrust, Archer, or ServiceNow GRC, or equivalent questionnaire automation solutions such as Loopio or Responsive.
Equal Opportunities Statement
At Gresham, we are committed to building a diverse and inclusive workforce that reflects the communities we serve. We actively encourage applications from individuals of all backgrounds and are dedicated to providing a workplace where everyone feels valued, respected and supported.
We make employment decisions based on merit, skills and potential, and do not discriminate based on any protected characteristic. We are also committed to making reasonable adjustments throughout the recruitment process and employment lifecycle.