Role Overview
Assess and validate cloud solutions against enterprise security policies and compliance frameworks. Lead ISRP/ISO reviews, support certification readiness, and ensure audit-ready documentation across AWS, GCP, or Azure environments.
Key Responsibilities
- Perform ISRP/ISO reviews across design, build, and certification stages.
- Assess cloud architectures (VPC/VNet, compute, storage, IAM, networking, KMS/CMEK) for policy compliance and residual risk.
- Validate preventative, detective, and automated controls.
- Map controls and risks to NIST (CSF/800-53), ISO 27001, SOC 2; perform gap analyses.
- Drive risk acceptance, exceptions, and remediation plans with stakeholders.
- Prepare audit-ready artifacts (reports, checklists, evidence, sign-offs).
- Support certification gates and provide recommendations.
- Track and report compliance status, remediation, and escalations.
- Collaborate with architects, IAM, threat modeling, SOC, and business teams.
Required Qualifications
- 5+ years in information security, including 3+ years in cloud security & compliance.
- Experience with AWS, GCP, or Azure (VPC/VNet, EC2/GCE, S3/GCS, IAM, logging, KMS).
- Knowledge of IaC/CI-CD security (Terraform, policy-as-code preferred).
- Strong understanding of NIST, ISO 27001, SOC 2 frameworks.
- Experience with audit evidence and compliance reporting.
- Strong communication skills for technical and non-technical audiences.
Preferred Certifications: CISSP, CISM, CRISC, CCSK, cloud provider security certifications, ISO 27001 Lead Auditor
Desired Skills
- Experience with cloud certification/gate reviews
- Familiarity with MITRE ATT&CK and threat modeling
- Strong cross-functional collaboration and organization skills
- Ability to manage multiple reviews and evidence tracking
Key Deliverables
- ISRP/ISO review reports and certification recommendations
- Gap analyses and remediation plans
- Audit-ready evidence bundles
- Documented risk decisions and exceptions
- Status reports on compliance and certification progress