ISO Analyst
Indexed description
Must Have Technical/Functional Skills
- 5+ years in information security with at least 3 years focused on cloud security architecture and compliance reviews (AWS, GCP, or Azure).
- Hands-on familiarity with cloud infrastructure and services: VPC/VNet, compute (EC2, GCE), storage (S3, GCS), IAM, networking,
- Strong knowledge of security controls and implementation patterns in IaC/CI-CD pipelines (Terraform, policy-as-code concepts preferred).
- In-depth understanding of compliance and risk frameworks: NIST (800-53/CSF), ISO/IEC 27001, SOC2, and enterprise ISRP-style review
- Experience producing audit-ready evidence and formal compliance reports; comfortable interacting with auditors, risk owners, and business
- Excellent written and verbal communication; ability to present residual risk and remediation trade-offs to technical and non-technical audiences.
- Relevant certifications preferred: CISSP, CISM, CRISC, CCSK, AWS/GCP security certs, or ISO 27001 Lead Auditor.
- Prior experience participating in cloud solution certification programs or gate-based security reviews.
- Familiarity with MITRE ATT&CK mapping and interpreting threat model outputs.
- Ability to work cross-functionally with threat modelers, control engineers, IAM, SOC, and business owners; pragmatic approach to
- Strong organizational skills; ability to maintain and present consolidated evidence bundles and tracking for multiple concurrent services.
- Timely ISRP/ISO review reports and certification gate sign-off recommendations.
- Policy compliance checklists, gap analyses, and prioritized remediation/corrective action plans with owners and timelines.
- Audit-ready evidence bundles for each certified service (diagrams, test results, control artifacts).
- Documented residual risk decisions, accepted exceptions, and monitoring or remediation commitments.
- Regular status reports on certification progress, non-compliance items, and escalations.
As an ISO Analyst with deep cloud security and architecture expertise, you will validate solutions against enterprise security policy,
drive ISRP/ISO reviews for cloud services and enable certification readiness. You will work closely with threat modelers,
security controls engineers, cloud IAM engineers, architects, and business owners to assess residual risk, document compliance evidence,
and support certification gates across cloud-native deployments (GCP/AWS).
Key Responsibilities
- Perform ISRP/ISO reviews of cloud solutions from design through certification, validating adherence to enterprise security policies,
- Assess cloud infrastructure and architecture (VPC/VNet, subnets, routing, NSGs, firewalls, EC2/GCE, S3/GCS, IAM, KMS/CMEK,
- Verify implementation evidence for preventative, detective, and auto-remediation controls produced by security controls engineers and
- Map solution controls and risks to compliance and risk frameworks (NIST CSF/800-53, ISO/IEC 27001, relevant regulatory requirements)
- Drive residual risk decisions and coordinate risk exception or corrective action plans with business owners, CSP/vendor representatives,
- Prepare and maintain audit-ready documentation: review reports, policy checklists, evidence bundles, sign-off forms, and remediation tracking.
- Liaise with onboarding and training leads to ensure external consultants meet required entitlements and threat-modeling certifications prior to
- Participate in stakeholder reviews and certification gate meetings; provide formal sign-off recommendations.
- Track and report certification progress, outstanding non-compliance items, remediation timelines, and escalations.
Qualifications: BACHELOR OF COMPUTER SCIENCE
Create a free Caio profile to unlock more results and save your role and location preferences.
Unlock free search