Job Title: Cyber GRC Lead (Governance, Risk & Compliance)
Location: India
Employment Type: Contract – 0.75 FTE
Reports To: Global Vice President of Information Technology
Herspiegel is a global life sciences consultancy that guides pharmaceutical and biotech companies through their most decisive moments—powering commercial success and expanding patient access. From early asset strategy to launch readiness and market optimization, we help clients navigate complexity and seize opportunity. Our integrated approach brings together scientific insight, evidence strategy, deep market intuition, and executional precision to ensure brands are built to lead.
Position Summary
The Cyber GRC Lead is responsible for designing, implementing, and operating the organisation’s cyber governance, risk, and compliance framework, with a primary focus on SOC 2 and ISO 27001 readiness and audit preparation.
The role owns the GRC framework, policy suite, control library, evidence management, cyber risk register, and vendor security assessments, ensuring that security controls implemented by technical teams are properly governed, documented, evidenced, and audit-ready.
Enterprise risk acceptance, audit sign-off, and executive accountability for compliance outcomes remain with the Global VP of IT.
This role exists to remove the operational compliance burden from senior IT leadership and to provide a sustainable, repeatable compliance operating model.
Key Responsibilities
SOC 2 & ISO 27001 Framework Ownership
- Own and operate the SOC 2 and ISO 27001 control frameworks, ensuring alignment between standards and organisational practices.
- Define and maintain the control library, mapping controls to technical, operational, and organisational activities.
- Ensure controls are clearly documented, scoped, and consistently applied.
Policy & Governance Management
- Own the development, maintenance, and version control of information security and IT governance policies.
- Ensure policies are aligned to SOC 2, ISO 27001, regulatory expectations, and customer assurance requirements.
- Coordinate policy reviews, approvals, and periodic refresh cycles.
Evidence Management & Audit Readiness
- Design and operate a centralised evidence management model for SOC 2 and ISO 27001.
- Work with IT Operations and Cyber Security teams to collect, validate, and maintain audit evidence.
- Prepare the organisation for external audits, readiness assessments, and surveillance activities.
- Act as the primary day-to-day audit coordination lead.
Risk Management
- Own and maintain the cyber risk register, including risk identification, assessment, treatment tracking, and reporting.
- Support risk assessments and control gap analyses.
- Escalate material risks and control gaps to the Global VP of IT for decision and risk acceptance.
Vendor & Third-Party Security Assurance
- Own the vendor security assessment framework, including questionnaires, evidence review, and risk scoring.
- Support supplier onboarding and periodic reviews from a security assurance perspective.
- Work with Procurement, Legal, and IT to ensure third-party risks are understood and tracked.
Customer & Commercial Security Support
- Support customer security questionnaires, assurance requests, and compliance artefacts by providing authoritative governance and control evidence.
- Enable faster, more consistent responses to customer due diligence and renewal activities.
Decision Authority
- The Cyber GRC Lead has authority to define and operate governance frameworks, policies, control libraries, and evidence processes.
- Risk acceptance, control exceptions, audit sign-off, and external compliance attestations remain the responsibility of the Global VP of IT.
- Where material control gaps or audit risks are identified, these are escalated for executive decision.
Required Skills & Experience
Experience
- Proven experience in a GRC, security compliance, or audit readiness role.
- Hands-on experience delivering SOC 2 and/or ISO 27001 readiness programmes.
- Experience working with auditors, assessors, and internal stakeholders.
Technical & GRC Skills
- Strong understanding of the latest SOC 2 Trust Services Criteria and ISO 27001 controls.
- Experience building control libraries, evidence models, and risk registers.
- Familiarity with third-party risk management and vendor assessments.
Professional Attributes
- Highly organised, detail-oriented, and process-driven.
- Comfortable working independently in a contract capacity.
- Able to translate technical activity into audit-ready governance artefacts.
Education, Qualifications & Certifications
Education
- Bachelor’s degree in Information Security, Risk Management, Information Systems, Law, or a related discipline (preferred).
- Equivalent professional experience will be considered in lieu of formal education.
Professional Certifications (Strongly Preferred)
One or more of the following, demonstrating senior governance, risk, and compliance expertise:
- ISO/IEC 27001 Lead Implementer or Lead Auditor
- CISM (Certified Information Security Manager)
- CRISC (Certified in Risk and Information Systems Control)
- CISA (Certified Information Systems Auditor)
Additional / Desirable Certifications
- SOC 2 Practitioner / SOC 2 Readiness experience (formal certification not required, demonstrable delivery essential)
- CIPM / CIPT (IAPP) or equivalent privacy-related certifications
- ITIL Foundation (useful for alignment with operational processes)
- Experience with GRC tooling (e.g. risk registers, control mapping, evidence repositories)
Demonstrated experience taking organisations through first-time SOC 2 or ISO 27001 readiness and audit cycles is highly desirable.
Why This Role Is Required
This role provides the governance structure required to achieve and sustain SOC 2 and ISO 27001, reducing friction in customer contracting, renewals, and audits.
Without a dedicated GRC function, compliance activity becomes fragmented, audit timelines slip, and the operational burden falls disproportionately on senior IT leadership.
…