Job Description
Application Notice
We encourage you to apply thoughtfully by selecting one position that best matches your qualifications and interests. You may submit up to two active applications at a time. Please consider your location choice carefully—we recommend applying where you envision building your future.

The Firm
Unlock the Boundless Horizons of Tax, Valuation, and Business Expertise with Andersen!

At Andersen, we don’t just offer a career; we provide a thrilling expedition into the world of Tax, Valuation, and Business Advisory. We stand as a trailblazing force with the most extensive global presence among professional services organizations. You’ll embark on a journey that transcends the ordinary, working with extraordinary clients spanning every industry, regardless of their size, because at Andersen, we are free from independence-related constraints that may hinder other firms.

But that’s not all; we’re more than just a company; we’re a community that thrives on diversity, inclusivity, and collaboration. Our focus is on your development, helping you flourish as leaders, colleagues, and trusted advisors. We equip you with world-class education, immersive experiences, and invaluable mentorship to support your rise to the top. We believe in your potential and invest in it to build a legacy that extends beyond your wildest dreams.

Bring your ambition, your entrepreneurial spirit, and your burning desire to be the best. Your future mirrors the limitless possibilities of our future. Join us at Andersen, and together, let’s write the story of your success!

The Role
Andersen is scaling its information security function, and this is a critical hire for the program’s next phase of maturity. The Senior Manager, Governance Risk & Compliance (GRC) will report directly to the Chief Information Security Officer (CISO) and own the build-out of the firm’s governance, risk, and compliance program.

The immediate mandate is significant – lead simultaneous SOC 2 Type II and ISO 27001 certification initiatives while establishing the policy and risk management infrastructure the firm will rely on long-term. This is a program-building role, and the right candidate will be energized by the opportunity to design systems rather than maintain them.

The Senior Manager, Governance Risk & Compliance (GRC) can expect to:

SOC 2 Type II & ISO 27001 Certification
Lead end-to-end certification programs for SOC 2 Type II and ISO 27001 simultaneously, from scoping through audit closure
Define control environments, manage evidence collection, and serve as the primary liaison with external auditors and certification bodies
Administer the firm’s compliance automation platform and maintain continuous control monitoring and audit readiness
Manage both programs through their full lifecycle, including observation periods, annual renewals, surveillance audits, and ISO recertification cycles

Policy & Risk Management
Develop and maintain a comprehensive information security policy suite aligned to SOC 2, ISO 27001, and applicable regulatory requirements, with defined processes for ownership, annual review, and exception management
Build and maintain an enterprise risk register using a structured methodology (e.g., ISO 27005, NIST CSF) and lead annual and ad hoc risk assessments
Communicate risk posture and policy compliance to the CISO and, where appropriate, to firm leadership and clients
Develop and maintain an AI governance policy covering acceptable use of AI tools, agentic system deployments, and citizen developer activity, ensuring alignment with the firm’s risk appetite and applicable regulatory requirements

Privacy & Regulatory Compliance
Serve as the firm’s subject matter expert on GDPR, CCPA, and other applicable privacy and data protection requirements
Monitor evolving regulatory obligations globally and translate them into actionable compliance programs
Partner with Legal and Operations on data subject requests, privacy impact assessments, and breach notification procedures
Advise the CISO on emerging compliance obligations relevant to a global professional services firm

Third-Party Risk & Client Due Diligence
Design and operate the firm’s third-party risk management program, including vendor tiering, security assessments, and remediation tracking
Manage the firm’s response program for client security questionnaires and due diligence requests
Maintain a library of certification-aligned response language and track contractual security commitments across vendors and clients

Security Awareness & Training
Own the firm’s security awareness program, including curriculum