Risk & Compliance Analyst – Risk Register Management
Domain: Governance, Risk & Compliance (GRC) | Risk Register | Framework Alignment
Contract: 12-month engagement | Operational from Week 2
We are seeking a Risk & Compliance Analyst to take ownership of the enterprise Risk Register, ensuring it remains a living, authoritative source of truth for all information security and technology risks.
This role sits at the heart of the organisation's Governance, Risk & Compliance (GRC) function, translating technical security findings into structured, business-owned risk decisions aligned to NIST CSF 2.0, ISO 27001, NIST SP 800-37 RMF, and UAE Information Assurance (UAE IA) requirements.
You will ensure risks are consistently captured, properly assessed, actively managed, and clearly reported to executive stakeholders.
Key Responsibilities
- Own and maintain the enterprise Risk Register as the single source of truth for all security and technology risks.
- Facilitate risk identification workshops with technical teams, business stakeholders, and control owners.
- Define and document risks using a structured format: threat × vulnerability × asset × impact.
- Perform and maintain inherent and residual risk scoring, including tracking risk acceptance decisions.
- Ensure every risk has a clearly defined owner, treatment plan, and review cycle.
- Coordinate periodic risk reviews and ensure remediation progress is tracked to closure.
- Map risks to relevant frameworks including:
  - NIST CSF 2.0 (GV.RM, GV.RR)
  - ISO 27001 controls
  - UAE IA requirements
  - NIST SP 800-37 Risk Management Framework
- Produce risk heatmaps, trend analysis, and monthly executive dashboards.
- Integrate inputs from vulnerability management, penetration testing, audit findings, security incidents, and policy exceptions into the Risk Register.
- Ensure risk data is audit-ready and supports regulatory and internal assurance requirements.
Objectives & Success Criteria
Core Outcomes
- A complete, accurate, and defensible enterprise Risk Register
- Every material risk has an accountable owner and active treatment plan
- Executive reporting provides clear visibility of risk posture and trends
SMART Milestones
- Within 30 days:
  - Baseline the existing Risk Register; identify gaps, stale entries, and inconsistencies.
- Within 60 days:
  - Complete a full refresh cycle ensuring all risks have owners, treatment status, and review dates.
- Within 90 days:
  - Deliver the first executive risk dashboard and heatmap; integrate vulnerability, pentest, and audit inputs.
- Ongoing:
  - Ensure 100% of material risks are reviewed at least quarterly, with zero orphaned risks.
Tools & Platforms
- Excel / SharePoint (Risk Register management)
- Jira / Confluence / YouTrack
- Integration with security tooling outputs (VM, pentest, audit, incident tracking systems)
Required Skills & Experience
- 3+ years' experience in GRC, risk management, cybersecurity governance, or similar roles
- Hands-on experience with Risk Registers or equivalent enterprise risk tooling
- Strong understanding of NIST CSF 2.0, ISO 27001, MITRE ATT&CK, and UAE IA regulations
- Ability to perform structured risk analysis and scoring methodologies
- Experience working with cross-functional technical and business stakeholders
- Strong communication skills with the ability to present to both engineers and executive leadership
- Experience integrating security findings from VM, audit, and pentesting processes
Please apply to be contacted with further information.