Job Description:

We are seeking a Technical GRC Analyst to support the day-to-day operation of our governance, risk, compliance, and security assurance processes within a growing EdTech SaaS environment.

This role will focus on administering established policies and workflows, coordinating compliance and security activities, handling requests from across the business, and performing risk assessments—particularly where personal data, information security, and GDPR considerations are involved.

You will play a key role in ensuring that our systems, processes, security tooling, and third-party relationships meet our security, compliance, and data protection standards.

Working closely with the IT & Information Security Manager and wider IT team, you will help maintain audit readiness, support operational security assurance activities, and coordinate remediation and evidence management across the organisation.

The role offers exposure across governance, operational security assurance, compliance, and risk management within a growing SaaS environment.

Key Responsibilities

Administer and operate IT risk, compliance, and security assurance processes aligned to internal policies and regulatory requirements (including GDPR)

Act as a central point of contact for compliance-related requests (e.g. Subject Access Requests (SARs), data sharing requests, access requests, exceptions, and supplier onboarding)

Perform risk assessments using defined criteria, with a focus on data protection and information security risks

Review requests against defined policies and controls, escalating where appropriate in line with internal governance processes

Support third-party / supplier risk assessments, including reviewing security and data protection documentation and tracking follow-up actions

Support periodic reviews of high-risk and business-critical suppliers, applications, and technology platforms to ensure appropriate security, compliance, and data protection controls remain in place

Support the implementation and ongoing operation of compliance and assurance tooling (Vanta), including evidence collection, test management, stakeholder coordination, remediation tracking, and control adoption activities.

Ensure appropriate documentation, audit trails, and evidence are maintained for assessments, compliance activities, and operational processes

Support internal and external audits (e.g. ISO 27001), including evidence gathering, action tracking, and coordination of remediation activities

Monitor compliance with policies and highlight potential risks, gaps, or control weaknesses for review

Support coordination and operational delivery of security improvement initiatives across IT and business teams.

Support incident management processes through documentation, tracking, and coordination of follow-up actions

Coordinate security awareness activities, including phishing simulation campaigns and training tracking

Assist with reviews of security tooling configurations and collection of supporting control evidence

Work closely with engineering, product, and business teams to ensure compliance and security processes are understood and followed

Contribute ideas and feedback to improve workflows and operational processes, particularly where they impact scalability, operational efficiency, or customer trust

Skills & Experience

Essential:

Experience in IT risk, compliance, or GRC roles within a SaaS or technology environment

Understanding of GDPR and handling of personal data (especially sensitive or child/student data)

Experience performing risk assessments using structured frameworks and defined processes

Ability to interpret policies and apply them to operational and real-world scenarios

Strong organisational, coordination, and documentation skills (audit trails, evidence, decision logs)

Experience working with cross-functional teams (e.g. engineering, product, operations)

Experience supporting operational security assurance activities, such as evidence collection, control validation, remediation tracking, or audit preparation

Desirable:

Familiarity with ISO 27001, Cyber Essentials, or similar frameworks

Experience supporting audits, evidence collection, or remediation tracking activities

Experience with vendor / third-party risk management

Exposure to data protection processes (e.g. SARs, DPIAs, data sharing assessments)

Exposure to data classification, data governance, or data loss prevention (DLP) processes

Experience with GRC, compliance, or assurance platforms (e.g. Vanta, Drata) and ticketing/workflow management tools

Exposure to Microsoft 365 security and compliance tooling (e.g. Entra ID, Intune, Secure Score, Defender)

Basic understanding of cloud/SaaS architecture and common security controls

Key Behaviours:

Pragmatic approach to risk, with the ability to balance compliance requirements with business needs

Comfortable assessing requests against defined policies and escalating concerns where appropriate

Confident communicating risks, issues, and follow-up actions to stakeholders

Detail-oriented, with a strong focus on documentation, evidence quality, and traceability

Organised and proactive, with the ability to manage multiple tasks and follow through on actions

Able to operate independently within established processes and governance frameworks

Collaborative approach to working with technical and non-technical teams

Bromcom is an equal opportunities employer.