
Senior GRC Analyst

Job in Cambridge, Middlesex County, Massachusetts, 02140, USA
Listing for: Flagship Pioneering
Full Time position
Listed on 2026-05-07
Job specializations:
  • IT/Tech
    Information Security, Cybersecurity
Salary/Wage Range or Industry Benchmark: 88000 - 121000 USD Yearly
Job Description & How to Apply Below

About the Role

Flagship's GRC program has matured from build to operate. We have a functioning GRC system of record in Jira, active compliance tracks across HITRUST, NIST 800-171, ISO 27001, and SOC 2, and a TPRM workflow in production. What we need now is a hands‑on practitioner who can execute against that infrastructure — someone who is as comfortable running a vendor risk assessment in Jira as they are prepping evidence packages for an audit.

This is not a policy‑writing or director‑level role. It is a technical execution role for someone who gets things done.

What You’ll Do
  • Own day‑to‑day execution of the GRC system of record in Jira — maintaining control records, updating compliance status, logging implementation and auditor notes, and keeping the SOR current across all active frameworks
  • Run TPRM assessments end‑to‑end: intake, questionnaire review, risk scoring, CISO decision documentation, and post‑approval tracking
  • Coordinate audit evidence collection and control testing activities across HITRUST, ISO 27001, SOC 2, and NIST 800-171 frameworks, working directly with the external audit firm
  • Maintain the compliance calendar and drive sprint‑by‑sprint execution against framework deadlines
  • Manage sub‑processor and DPA tracking for portfolio company privacy programs, including gap identification and remediation follow‑up
  • Support DSR and privacy program operations, including data inventory maintenance and deletion workflow tracking
  • Build and maintain GRC automation using AI tools (Claude, Jira automation, Zapier) to reduce manual burden on recurring compliance tasks
  • Produce clear, accurate reporting on compliance posture for the CISO and cross‑functional stakeholders
What We’re Looking For
  • 3–6 years of hands‑on GRC experience, ideally in a fast‑moving tech or life sciences environment
  • Direct experience working in Jira as a compliance or GRC tool — not just a project management tool; you should understand issue types, custom fields, bulk operations, and reporting
  • Working knowledge of at least two of: HITRUST CSF, ISO 27001, NIST 800-171/CMMC, SOC 2, HIPAA
  • Experience running vendor risk assessments — intake to decision — not just filling out questionnaires
  • Comfort with AI‑assisted work: you should already be using tools like Claude or ChatGPT to accelerate your GRC work, not learning to do so for the first time
  • Strong written communication — you'll be producing evidence narratives, audit responses, and control documentation that external auditors and regulators will read
  • Ability to operate with high autonomy; the CISO will provide direction but not day‑to‑day supervision
Nice to Have
  • CISA, CRISC, CISM, or equivalent certification
  • Experience with privacy program operations (CCPA, GDPR, DSR workflows)
  • Familiarity with Drata, Vanta, or similar compliance automation platforms
  • Experience supporting a portfolio company or multi‑entity compliance program
Why This Role

You’ll own a real compliance program, not support someone else’s. The CISO is your direct partner, not a distant approver. You’ll use modern tools — Jira, Claude, Zapier — to do GRC work that most teams still do in spreadsheets. And you’ll have visibility into a genuinely diverse security environment spanning drug discovery AI, clinical platforms, and life sciences infrastructure.

Salary and Benefits

The salary range for this role is $88,000 - $121,000. Compensation for the role will depend on a number of factors, including a candidate’s qualifications, skills, competencies, and experience. Flagship Pioneering currently offers healthcare coverage, annual incentive program, retirement benefits and a broad range of other benefits. Compensation and benefits information is based on Flagship Pioneering's good faith estimate as of the date of publication and may be modified in the future.

Equal Opportunity Employer

All qualified applicants will be considered for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other characteristic protected by law.

Position Requirements
10+ Years work experience