Security Governance & Compliance Analyst - NIST, ISO

Security Governance & Compliance Analyst - NIST, ISO, CMMC
£competitive
Cambridge / Hybrid
Company Overview
One of the UK's most forward‑thinking technology companies, recognised for its innovative approach and regularly making headlines across the public domain.

About the Role
We are seeking a Security Governance & Compliance Analyst to strengthen the organisation's security governance capabilities and ensure ongoing audit readiness. This role involves building structured, scalable compliance processes, supporting external certifications, and enhancing the organisation's overall security maturity.

Working closely with teams across Security, Engineering, Legal, and Procurement, you'll help interpret complex standards, streamline assurance activities, and embed secure‑by‑design practices across the business.

Core Areas of Responsibility

1. Assurance Activities & Evidence Stewardship
   

• Perform routine assurance checks across key security domains including IAM, secure configuration baselines, data protection controls, vulnerability management, and logging/monitoring.
  
• Maintain well‑structured, audit‑ready evidence repositories for internal reviews and external assessments.
  
• Track findings, control exceptions, and remediation activities through to completion.
  
• Escalate material risks or recurring control gaps to senior security stakeholders.
  
  

1. Governance of Compliance Standards & Frameworks
   

• Support compliance activities across frameworks such as ISO/IEC 27001:2022, SOC 2 Type II, and CMMC‑aligned requirements.
  
• Help coordinate internal and external audits, including evidence preparation, walkthroughs, sampling, and remediation validation.
  
• Contribute to a continuous monitoring model rather than point‑in‑time audit preparation.
  
• Support the creation, review, and maintenance of policies, standards, and procedures.
  
  

1. Supplier & Partner Assurance
   

• Operate a risk‑based supplier assurance framework to evaluate vendor compliance across cloud security, data handling, resilience, and access governance.
  
• Review supplier questionnaires and documentation; identify risks and recommend mitigation.
  
• Provide compliance sign‑off during procurement and onboarding cycles.
  
• Work with Legal and Procurement to ensure contractual and regulatory obligations are addressed.
  
  

1. Process Engineering, Scalability & Continuous Improvement
   

• Design and refine scalable governance and compliance workflows that support business growth.
  
• Identify opportunities for automation using GRC platforms and workflow tooling.
  
• Maintain and update the enterprise risk register.
  
• Support internal training and awareness programmes.
  
  What You'll Bring
  
• Experience in security compliance, IT audit, cyber governance, or GRC-related roles.
  
• Knowledge of frameworks such as ISO/IEC 27001:2022, SOC 2, NIST standards.
  
• Strong understanding of cloud-security principles including IAM, encryption, monitoring, logging, configuration hardening, and shared responsibility models.
  
• Ability to translate regulatory and control requirements into clear business processes.
  
• Excellent communication skills.
  
• Strong organisational and documentation skills.
  
  Relevant Qualifications
  
• ISO 27001 Internal Auditor, Lead Implementer, or Lead Auditor.
  
• NIST CSF Practitioner or NIST SP 800‑171/CMMC‑related certifications.
  
• CompTIA Security+ or CySA+.
  
• (ISC)² CC, SSCP, or CISSP.
  
• CISM or CRISC.
  
• CISA.
  
• AWS Security Specialty, Azure Security Engineer, or Google Cloud Security Engineer.
  
  Nice to Have
  
• Experience in cloud-native, SaaS, or high-growth tech environments.
  
• Familiarity with NIST SP 800‑171, NIST CSF, or CMMC frameworks.
  
• Understanding of risk methodologies (ISO 31000, FAIR, NIST RMF).
  
• Experience with GRC platforms such as Drata, Vanta, Secureframe, Hyperproof, or Tugboat Logic.
  
• Experience with AWS security tools including GuardDuty, CloudTrail, KMS, Config, Security Hub.
  
  About Adecco
  Adecco is acting as an Employment Agency. We are proud to be an equal opportunities employer. We are on the client's supplier list for this position.
  
  Keywords
  Zero Trust, RBAC, MFA, IAM governance, CSPM, SIEM, SOAR, AWS Config, CloudTrail, GuardDuty, cloud security posture, encryption at rest, encryption in transit, vulnerability scanning, patch management, data classification, DevSecOps, secure SDLC, evidence automation, continuous compliance, threat modelling, risk scoring, audit readiness, SOC 2 Trust Services Criteria, ISO 27001 Annex A controls