Senior Governance, Risk and Compliance Analyst

Imbono
Dubai, UAE
fulltime
Mid-Senior
Today
Tags: Analyst, Compliance, Governance, Risk
Overview

We are Imbono.

A leading operator and provider of infrastructure and essential goods and services across emerging markets.

There is no other emerging markets player like us.

We combine global capital and operational expertise in a single, integrated model.

We are the architects of possibility – sharp thinkers, problem solvers, and resourceful innovators who make things happen when no one else can.

And every project is built to last.

Our ambition is to transform the lives of more than 100 million people by 2040 by expanding access to essential services such as water, energy, food, healthcare, education, and infrastructure.

Our mission is to deliver integrated, high-impact solutions that expand access to essential services, combining operational execution, local presence, strategic partnerships, and sustainable capital.

About the Department

The Information Security department is a strategic function within the IT division, responsible for establishing and governing the organization’s Information Security Management System (ISMS).

The department protects corporate systems, data, and digital assets by designing, implementing, and maintaining a robust framework of security policies, procedures, and controls aligned with global standards and business objectives.

Key responsibilities include managing cyber risks, ensuring regulatory compliance, monitoring and mitigating threats, and leading incident response and business continuity planning.

By fostering a culture of security awareness, the function collaborates with internal and external stakeholders to enable secure business operations, safeguard data privacy, and support the organization’s sustainable growth and digital transformation.

Role Summary

The Senior GRC Analyst will be responsible for the day-to-day operation and continuous improvement of Imbono's ISMS in accordance with ISO/IEC 27001:2022 and NIST CSF 2.0.

This role owns the risk register, policy governance lifecycle, control assurance, and third-party risk management process, and produces the compliance evidence required for internal and external audits.

The analyst works directly with the Head of Information Security to embed security governance into Imbono's business operations across Dubai (HQ), Angola, and all other Imbono geographies.

Someone who has worked in multinational companies across multiple jurisdictions is preferred.

Responsibilities

  **ISMS Management:**
    • Maintain, update, and continuously improve the ISMS in accordance with ISO/IEC 27001:2022 and NIST CSF 2.0.
    • Manage the policy library lifecycle (drafting, review cycles, owner sign-offs).
    • Maintain the Statement of Applicability (SoA) and track Annex A control implementation status.
  **Risk Management:**
    • Own and maintain the Imbono information security risk register.
    • Facilitate risk identification and assessment workshops with business and technology stakeholders.
    • Track risk treatment actions to closure and report risk posture to the Head of Information Security monthly.
  **Compliance Monitoring:**
    • Monitor Imbono's compliance with applicable regulatory regimes — including UAE PDPL, UAE Information Crime Law No. 34/2021, and Angola Lei 22/11 — and with internal security policies.
    • Identify and report compliance gaps; track and drive remediation actions.
  **Audit Coordination:**
    • Coordinate internal ISMS audits and external ISO 27001:2022 certification audits.
    • Collect, organise, and present audit evidence packages.
    • Manage findings and corrective action plans (CAPs) through to formal closure with evidence.
  **Third-Party Risk Management:**
    • Conduct third-party security assessments for critical vendors, cloud service providers, and managed service partners (including the incumbent MSP during the migration transition).
    • Maintain the vendor risk register and track contractual security obligations and SLAs.
  **Data Protection & Regulatory Compliance:**
    • Support the maintenance of Records of Processing Activities (ROPA) in Microsoft Purview.
    • Assist with data subject access requests (DSARs) and coordinate regulatory breach notifications under UAE PDPL and Angola Lei 22/11 where required.
  **Migration Programme GRC Support:**
    • Provide governance, risk, and compliance support to the M365 tenant-to-tenant migration programme (Wave 0 through domain cutover, February 2027).
    • This includes risk assessments for each migration wave, compliance evidence collection for transition closure milestones, and regulatory impact assessments for cross-border data transfers involved in the migration.
  **Security Awareness:**
    • Support the development and delivery of information security awareness training and communications across Imbono's workforce, including Angola-based field users.
    • Coordinate phishing simulation programmes and track awareness KPIs.
  **GRC Reporting & Dashboards:**
    • Prepare regular GRC dashboards and management reports covering risk posture, compliance status, audit findings, and key risk/performance indicators (KRIs/KPIs) for the Head of Information Security and executive stakeholders.
    • Contribute to Board-level ISMS reporting.

Experience

  • 5-7 years of experience in information security governance, risk, and compliance roles.
  • Demonstrable hands-on experience implementing and maintaining an ISO/IEC 27001 ISMS, including preparing for certification audits as a primary point of contact.
  • Experience with NIST CSF (v1.1 or 2.0) as a risk management and maturity framework.
  • Experience with regulatory compliance — UAE PDPL and/or African data protection regimes (Angola Lei 22/11) is a significant advantage; experience with GDPR and other regulations is also valued.
  • Experience with Microsoft 365 compliance tooling (Microsoft Purview, Compliance Manager, Secure Score) is preferred.
  • Experience conducting or supporting third-party security risk assessments and vendor due diligence.
  • Experience in financial services, trading, or professional services sectors is advantageous.

Qualifications

  • Bachelor's degree in Information Security, Computer Science or a related discipline.
  • ISO 27001:2022 Lead Implementer certification is required.
  • ISO 27001:2022 Lead Auditor certification is required.

Preferred Qualifications

  • CISM (Certified Information Security Manager) or CISA (Certified Information Systems Auditor).
  • CISSP (Certified Information Systems Security Professional) is preferred.

Skills

  • Deep working knowledge of ISO/IEC 27001:2022 requirements, controls, and Annex A implementation.
  • Practical knowledge of NIST CSF 2.0 (Govern, Identify, Protect, Detect, Respond, Recover functions).
  • Strong risk assessment methodology skills; risk identification, likelihood/impact analysis, risk treatment planning, and residual risk tracking.
  • Familiarity with Microsoft Purview Compliance Manager, Compliance Score, and Microsoft Secure Score.
  • Strong written communication; ability to produce clear, audit-ready policies, procedures, risk registers, and evidence packs.
  • Proficient in SharePoint-based document management and governance workflows.
  • Analytical mindset; ability to translate complex regulatory requirements into operational, actionable compliance programmes.
  • Proficiency in English required; Portuguese is a significant advantage.

Competencies

  **Analytical Thinking:**
    • Assesses complex risk scenarios and multi-jurisdictional compliance obligations; translates findings into clear, actionable recommendations for leadership.
  **Attention to Detail:**
    • Meticulous in reviewing documents, audit evidence, and control implementation records; zero tolerance for gaps in compliance evidence.
  **Stakeholder Management:**
    • Comfortable engaging with senior stakeholders including the Head of Information Security, executive sponsors, and external certification auditors.
  **Communication:**
    • Clear and concise written and verbal communication; able to explain complex GRC concepts to non-technical business audiences.
  **Ownership:**
    • Self-driven; takes personal responsibility for the quality, completeness, and timeliness of GRC deliverables without requiring close supervision.
  **Resilience:**
    • Manages multiple concurrent workstreams (ISMS, audits, migration GRC, regulatory compliance) and maintains quality under time pressure.

Our Values

  • Client Oriented
  • Excellence
  • Innovation
  • Integrity
  • Perseverance

*We believe that diversity strengthens our organisation and we welcome applications from individuals of all backgrounds and experiences. We want every candidate to perform at their best. If you need any reasonable adjustments during the application or interview process, please contact us at [email protected] and we will work with you to meet your needs.*
