
Novare

Security Compliance Manager (MSOC)

  • Posted a month ago

Job Description

1. Audit Management & Certification

Aligns with Manager's responsibility for Audit & Compliance Facilitation

  • External Audit Lead: Act as the primary interface for external auditors and client audit teams. You will organize, validate, and present evidence to demonstrate compliance with standards such as ISO 27001, SOC 2, HIPAA, and PCI DSS.
  • Internal Readiness: Conduct periodic internal mock audits of the Operations and Engineering teams to identify gaps before an external auditor finds them.
  • Evidence Collection: Coordinate with the Technical Architects and Onboarding Specialists to gather necessary logs, access reports, and configuration files required for audit evidence.

2. Contractual Governance (ToR & SLAs)

Aligns with Manager's responsibility for Terms of Reference (ToR) Compliance

  • ToR Enforcement: Review active client engagements to ensure that service delivery matches the signed Terms of Reference (ToR), identifying scope creep or under-delivery risks.
  • Obligation Tracking: Maintain an Obligations Register for every key account, tracking critical contractual deadlines (e.g., Annual Penetration Test due by Oct 31st) and alerting the Service Operations Manager before a breach occurs.
  • SLA Validation: Audit the monthly SLA reports generated for clients to ensure the data is accurate and legally defensible before it is presented in Business Reviews.

3. Documentation & Policy Control

Aligns with Manager's responsibility for Documentation Management

  • Central Library Management: Own the implementation of Documentation Standardization, Maintenance, and Control. You ensure that all Service Guides, Runbooks, and Policy Manuals are version-controlled, up-to-date, and stored securely.
  • Policy Development: Draft and update internal operational policies (e.g., Incident Notification Policy, Data Handling Policy) to align with changing regulations (e.g., GDPR, local Data Privacy Acts).

4. Risk & Governance Reporting

Aligns with Manager's responsibility for Executive & Board Reporting

  • Risk Reporting: Provide the Service Operations Manager with data on compliance risks and audit readiness, which will be integrated into executive-level governance reporting and Board presentations.
  • Vendor Risk Management: If the MSSP uses third-party vendors to deliver services, you oversee their compliance to ensure they do not introduce risk to our clients.

QUALIFICATIONS:

  • 4+ years of experience in GRC (Governance, Risk, and Compliance), IT Audit, or Quality Assurance.
  • Experience working in an MSSP or Service Provider environment is a strong plus.
  • Direct experience managing audits for ISO 27001, SOC 2 Type II, or PCI DSS.
  • Bachelor's degree in Business, Law, Cybersecurity, or Information Systems.

Skills & Competencies:

  • Regulatory Knowledge: Deep understanding of frameworks like NIST, GDPR, and local Data Privacy laws.
  • Attention to Detail: Ability to spot a missing signature or an outdated version number in a 50-page contract.
  • Firmness: Ability to say No to Operations teams when a process violates compliance, even under pressure.

Certifications (Highly Desirable):

  • CISA (Certified Information Systems Auditor)
  • CISM (Certified Information Security Manager)
  • CRISC (Certified in Risk and Information Systems Control)
  • ISO 27001 Lead Auditor/Implementer

Success Metrics

  • Audit Pass Rate: Zero major non-conformities in external ISO/SOC 2 audits.
  • Contract Compliance: Reduction in Service Credit penalties paid to clients due to missed contractual obligations.
  • Documentation Hygiene: 100% of active Client Service Guides reviewed and updated within the last 12 months.

Job ID: 140257735