GRC Analyst II

Job in Draper, Salt Lake County, Utah, 84020, USA
Listing for: BambooHR
Full Time position
Listed on 2025-12-25
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security, IT Consultant
Salary/Wage Range or Industry Benchmark: 80,000 - 100,000 USD yearly
Job Description & How to Apply Below

Utah-based hybrid position which will require some regular in-office days each week. Employment with BambooHR is contingent on passing both a background and credit check.

Essential Job Duties

The GRC Analyst II is an important contributor on BambooHR's Governance, Risk, and Compliance (GRC) team, helping to execute and support day-to-day compliance activities across information security, policy management, risk management, data classification, vendor risk, privacy, audit, and security awareness. This role partners closely with more senior GRC and security team members to implement and maintain information security policies and documentation; assess adherence to existing policies and standards; and help respond to and support security-related requirements from customers.

The GRC Analyst II assists with performing and documenting security and vendor risk assessments, monitoring and tracking compliance status, and supporting the development and continuous improvement of GRC processes, procedures, standards, and guidance. The role also helps evaluate risks and controls that support BambooHR's NIST CSF, ISO 27001, ISO 27018, ISO 42001, SOC 1, SOC 2, HITRUST, FedRAMP, and other regulatory and compliance initiatives.

Responsibilities
  • Collaborate with internal stakeholder teams (e.g., Engineering, IT, Product, Legal, HR) to document the implementation of security compliance controls across technical, management, and operational requirements.
  • Support and perform gap analyses of current policies, procedures, and practices against established guidelines and frameworks, including NIST, FISMA, HIPAA, and other applicable regulatory standards.
  • Assist with and conduct risk assessments of technology infrastructure, business processes, and security controls for assigned areas, documenting findings and recommended remediation steps.
  • Embrace AI as a core tool to enhance GRC accuracy, efficiency, and proactive risk management, while following internal standards for responsible AI use.
  • Use AI-powered platforms, under guidance from senior team members, for continuous controls monitoring, predictive risk analysis, and identification of potential compliance gaps.
  • Improve team efficiency in evidence collection, organization, and analysis, leveraging AI and automation where appropriate, so the GRC function can focus more time on higher-value risk and compliance activities.
  • Contribute to the build-out, maintenance, and ongoing refinement of the enterprise controls matrix, ensuring alignment and mapping across multiple compliance frameworks (e.g., SOC 1, SOC 2, PCI DSS, NIST CSF, ISO 27001, ISO 27018, ISO 42001, HITRUST, HIPAA).
  • Assist in developing, updating, and maintaining security and compliance documentation, which may include the key documents required by the above standards.
  • Support the delivery, tracking, and ongoing improvement of information security training and awareness programs for employees and contractors.
  • Perform vendor security and risk assessments for new and existing vendors, document results, and occasionally interface directly with vendor contacts to clarify responses or request additional information.
  • Assist with tracking and coordinating activities related to threat and vulnerability management, including monitoring assessment results, following up on remediation efforts, and helping to ensure that vulnerabilities are addressed within defined time frames.
Qualifications
  • Bachelor's degree in Computer Science, Information Technology, or related field
  • Minimum of 2 years of experience in compliance, audit, and/or information security
  • CISSP, CISA, CCSA, or equivalent certification preferred
  • Familiarity with enterprise-level compliance tools such as Drata, Vanta, ServiceNow, Archer, IBM GRC, or other industry-equivalent software
  • Foundational understanding and eagerness to learn NIST CSF, NIST RMF, ISO 27001, ISO 27018, ISO 42001, SOC 1, SOC 2, HIPAA and HITRUST
  • Basic understanding of cloud-based environments for production applications, including Amazon Web Services, Google Cloud, or other large-scale cloud deployments
  • Experience in the vulnerability assessment lifecycle from the point of identification to…