Atmosera empowers businesses to redefine what's possible with modern technology and human expertise. Our exceptional experience across Applications, Data & AI, DevOps, Security, and the Microsoft Azure platform enables organizations to accelerate innovation, enhance security, and optimize operational agility. As a Microsoft Partner with seven specializations, GitHub AI Partner of the Year, a member of the GitHub Advisory Board, and a member of the prestigious Microsoft Intelligent Security Association (MISA), Atmosera expertly delivers cutting-edge, integrated solutions that deliver business value.
The GRC Analyst delivers day-to-day Governance, Risk, and Compliance (GRC) services as part of Atmosera’s Managed GRC (MGRC) offering. This role focuses on operational execution, coordination, and reporting across compliance, security assurance, and governance activities to help clients achieve and maintain regulatory alignment, security maturity, and operational trust.
The selected candidate will be responsible for client audits, evidence gathering, managing compliance tools, supporting security questionnaires, monitoring security controls, facilitating regulatory alignment, and overseeing ongoing governance activities throughout the Atmosera client portfolio.
The GRC Analyst operates within defined service hours (Monday–Friday, 8am–5pm PT) and works closely with Client Success Managers, security engineers, and subject-matter experts. This role does not perform executive security leadership, risk ownership, or vCISO decision-making responsibilities.
Core Responsibilities
Cloud Governance & Compliance Operations
Validate that client environments meet MGRC baselines and support ongoing security policy alignment to:
Microsoft Cloud Security Benchmark (MCSB)
NIST frameworks (NIST SP 800-171, NIST SP 800-53, etc.)
HIPAA (where applicable)
FedRAMP
CMMC 2.0
ISO/IEC 27001:2022
GDPR
Assist with governance documentation updates and maintenance
Support compliance tracking and evidence organization
Provide consultative guidance on compliance and security-related questions by coordinating access to Atmosera cybersecurity experts
Monitor security posture through Defender for Cloud and Azure Policy compliance recommendations
Track misconfigurations, policy drift, and high-impact findings through to remediation
Security Questionnaires
Assist with basic security questionnaires using Atmosera’s standard response library
Provide standardized responses through coordination with the Account Management or Client Success team
Support optional full Security Questionnaire Management services when contracted, including:
Intake and tracking
Drafting and coordination of responses
Supporting documentation preparation
Audit & Assurance Support
Participate directly in client audits (SOC 2, HIPAA, PCI where applicable)
Support ongoing audit readiness and management activities when included in scope, including:
Evidence gathering and organization
Audit request tracking
Coordination with internal teams and external auditors
Ensure ongoing audit readiness for clients enrolled in MGRC, consistent with the MGRC service definitions in shared documentation
Maintain audit readiness documentation throughout the year
Maintain audit request trackers and coordinate responses with internal SMEs
Support project management activities related to compliance audits (e.g., SOC 2)
Security Operations Governance Support
Maintain the documentation needed to demonstrate compliance with client governance and client-specific requirements
Take ownership of monthly and quarterly MGRC reporting
Assist with the development and maintenance of custom response playbooks for:
Microsoft Sentinel (formerly Azure Sentinel) SOAR (Security Orchestration, Automation, and Response)
Support governance oversight of:
CyberSOC reporting with enhanced security insights
Actionable threat intelligence reporting
Proactive threat hunting outputs
Ensure governance artifacts align with managed detection and response activities
Security Readiness & Preparedness Activities
Coordinate and support:
Monthly phishing simulation preparedness activities
Yearly tabletop exercise planning and execution support
Bi-annual penetration testing preparedness and coordination
Track outcomes, findings, and remediation activities for readiness exercises
Attack Surface & Security Posture Management
Support Attack Surface Management activities, including:
Continuous discovery and monitoring of exposed assets
Documentation of digital attack surface insights
Assist with security posture tracking and compliance reporting for:
Executives
Auditors
Internal stakeholders
Monthly server vulnerability scanning
Design and implement workflows that improve the service
Track findings, prepare client-facing reports, and coordinate remediation with security engineers
Penetration Test Coordination
Serve as the primary coordinator for client penetration testing engagements
Manage scheduling, scope alignment, retesting cycles, and evidence handoff, and own the relationship with the penetration testing teams
Maintain communication and set expectations with organizations being tested
Cloud Governance Support
Support Azure Policy implementation and monitoring using advanced governance features
Assist with ensuring Azure resources and configurations remain compliant with defined security baselines
Track and report service misconfigurations, compliance drift and remediation status
Monitor security posture through Defender for Cloud and Azure Policy compliance results
Validate that client environments meet MGRC baselines, the Microsoft Cloud Security Benchmark, and any additional client-specific compliance requirements supported by Azure
Collaboration & Service Delivery
Work closely with:
Client Success Managers
Security Analysts and Engineers
CyberSOC teams
Account Management representatives
Escalate issues, risks, or scope concerns to appropriate senior resources
Operate within defined MGRC service boundaries and SLAs
Purview Compliance Manager Administration
Own and manage Purview Compliance Manager for all subscribed MGRC clients
Track regulatory control posture, improvement actions, and evidence assignments
Guide clients through remediation and maintain year-round compliance readiness
Partner with engineering teams on policy and control mappings (Azure Policy, Defender for Cloud) that support compliance scoring, as described in internal service map documentation
Required Skills & Experience
2+ years of experience in GRC, IT risk, compliance, or security operations support
Hands-on experience with Microsoft Purview Compliance Manager, including control mapping, evidence tasks, and regulatory templates
Familiarity with Defender for Cloud, including secure score, recommendations, and compliance dashboards
Working experience with Azure Policy concepts, including assignments, compliance evaluation, and configuring remediation tasks
Familiarity with:
NIST frameworks
SOC 2 concepts
CIS Controls
HIPAA compliance
Experience supporting audits, questionnaires, or compliance programs
Strong documentation, evidence collection, and organizational skills
Ability to manage multiple client workstreams simultaneously
Strong public speaking and presentation skills using Microsoft PowerPoint
SC-900 Microsoft Certified: Security, Compliance, and Identity Fundamentals – within 90 days of hire
Preferred Skills & Experience
Prior experience in managed services or MSSP environment
Experience coordinating penetration tests or annual security testing cycles
Ability to translate technical findings into clear business-oriented summaries
Familiarity with Entra ID, Azure RBAC, Conditional Access, and cloud governance fundamentals
Comfort working with security engineering teams and client facing roles
Certifications (any of the following)
SC-100 (Microsoft Certified: Cybersecurity Architect Expert)
ISC2 CISSP (Certified Information Systems Security Professional)
ISC2 CGRC (Certified in Governance, Risk and Compliance)
GRCP (GRC Professional)
CRISC (Certified in Risk and Information Systems Control)
CISA (Certified Information Systems Auditor)
CISM (Certified Information Security Manager)
Success Indicators
The analyst will be successful when they:
Maintain predictable, well-organized evidence pipelines for client audits
Keep Purview Compliance Manager workstreams accurate and up to date across all MGRC clients
Deliver clear and reliable monthly vulnerability and governance reports
Maintain consistent alignment to the MGRC service definitions as reflected in the MGRC Analyst role materials
Reduce client audit friction and improve audit pass rates