
Risk and Compliance Officer

Philippines

Global role working closely with customers, suppliers and internal stakeholders to support Sandstone’s risk and compliance program. We are currently on the lookout for a bright, talented and dedicated Risk and Compliance Officer responsible for risk, compliance and security policies and for ensuring compliance with these policies, including driving an awareness programme and culture within Sandstone. The role will also be responsible for the ongoing risk assessments of new and existing vendors, as well as leading customer audits and responses to due diligence questionnaires.

The role reports to the Risk and Compliance Manager, and the successful candidate will be a key member in risk, compliance and security discussions with Sandstone customers and suppliers.

Responsibilities will include:

ISO 27001 Management

  • Overall oversight of the organisation’s ISO 27001 programme, supporting the Risk and Compliance Manager (RCM), who holds primary responsibility for the organisation’s ISO certification.
  • Leads the maintenance of the Information Security policies and related procedures, performing periodic reviews (at least annually).
  • Leads ISO 27001 maintenance processes:
    • Statement of Applicability, Scope and Objectives, ISMS Risk Register.
    • ISMS metrics, KPIs and controls monitoring.
    • Periodic reporting to senior stakeholders.
  • Drives ISO 27001 compliance across the organisation, establishing responsibilities, ensuring acknowledgement of requirements, and identifying gaps.
  • Leads the ISO 27001 internal and external audits and maintains certification.
  • Leads the mitigation of ISO 27001 non-conformities and other improvement actions.

Corporate Risk Management

  • Supports the risk management policies and procedures, performing periodic policy reviews.
  • Carries out regular risk register reviews with the identified risk owners, identifying gaps and ongoing mitigation actions and following them through to completion.
  • Leads the risk management process, using the corporate tools (e.g. Protecht):
    • Runs periodic reviews.
    • Ensures stakeholder acceptance of risks and/or definition and assignment of treatment plans.
    • Identifies, follows up and monitors the status of treatment plans.
    • Reports to and escalates any issues to the Risk and Compliance Manager and other stakeholders, as needed.
    • Supports the implementation of a systematic, periodic and automated enterprise risk management process on an ERM/GRC platform (Protecht).

SOC 2 Compliance

  • Supports the SOC 2 gap assessment, implementation and audit.
  • Supports the mitigation of any SOC 2 audit findings.
  • Supports the ongoing operationalisation and maintenance of the SOC 2 compliance activities.

Third-Party Vendor Management

  • Leads the Third-Party onboarding risk assessment.
  • Leads Third-Party periodic risk governance and assessments.

Customer Assessments and Audits

  • Acts as the focal point for customer assessments and audits:
    • Runs the engagement process, including request forms, scope definition, timelines, internal team assignment and effort estimation.
    • Runs the assessment/audit process, including assigning sections/questions to internal SMEs, reviewing evidence and ensuring completion on time and to quality.
    • Maintains the assessment/audit central repository, including systems (e.g. CyberGRX), forms, questionnaires, evidence, reports and any other relevant artifacts.
    • Reviews the assessment/audit report, validating findings with internal SMEs and discussing and providing rebuttals to assessors/auditors when required.
    • Maintains the customer audit treatment plans register, driving prioritisation/acceptance of issues and monitoring remediation status.
    • Maintains the client assurance packs.

Other Risk and Compliance Management

  • Works with the Legal team to identify and ensure compliance with the legal, regulatory and contractual obligations applicable to Sandstone, identifying and assigning responsibilities (e.g. Fair Work compliance is assigned to HR).
  • Monitors the market, industry and customer agreements for new regulatory and contractual requirements applicable to Sandstone.
  • Supports overall privacy and data compliance management activities.
  • Leads internal assessments/audits to ensure compliance with established regulatory, legal, contractual and industry requirements.
  • Supports new compliance and risk management initiatives as deemed necessary by the business.

About You:

  • 3+ years in risk and/or compliance
  • Experience with security governance, policies, principles, practices, standards and controls including ISO 27001:2022
  • Proven experience leading ISO 27001 (preferably 2022 version) compliance and audits at an enterprise level
  • Experience carrying out vendor due diligence assessments
  • Ability to identify and resolve security risks using analytical and problem-solving skills
  • Proven ability to be highly organised and responsive
  • Strong communication and negotiation/influencing skills
  • Knowledge and experience maintaining ISO 27001:2022 certification
  • Knowledge and experience with enterprise-level risk management and standards; e.g. ISO 31000

Preferred:

  • Experience responding to customer audits and due diligence assessments
  • Financial Services sector experience or Software house experience
  • Working knowledge of SOC 2 and PCI compliance

Desirable:

  • Working knowledge of financial regulatory environment (APRA, FCA)
  • Legal or software education
  • Knowledge and experience with SOC 2 audit and PCI certification
  • Working knowledge of privacy legislation including GDPR, Australian Privacy Act, Australian Privacy Principles

Why Sandstone?

  • Flexibility and Work/life balance
  • Fantastic team culture and work-from-home setup
  • Exciting performance-based bonuses (service reward, performance and loyalty)
  • Non-taxable allowances (clothing, rice, meal and medicine reimbursement)
  • Annual salary increase and other competitive benefits
  • HMO Benefits

If you like the sound of this challenge and you are interested in working with us, apply now with your up-to-date resume.