GRC Program Manager

Owns end-to-end execution of GRC programs including SOC 1/2, PCI DSS, and ISO 27001 audits, control design, risk assessments, and vendor management. Partners with engineering to implement technical controls and documentation for scalable compliance in fintech.

95k – 135k · United States · Security Engineering · Remote · 3+ YOE

About the role

What You’ll Do

Audit Execution & Readiness

  • Own day-to-day execution of SOC 1, SOC 2, PCI DSS, and ISO 27001 readiness and audit cycles – including scoping, control testing, evidence collection, auditor coordination, and remediation tracking.

Control Design & Documentation

  • Develop and maintain policies, procedures, risk assessments, control narratives, and supporting documentation that meet auditor expectations and scale with the business.

Cross-Framework Mapping

  • Map controls across SOC, ISO, PCI, and NIST frameworks to identify overlap, gaps, automation opportunities, and control maturity improvements.

Risk Management

  • Facilitate risk assessments for systems, vendors, products, and business initiatives. Maintain risk registers, mitigation plans, and executive reporting on residual risk.

Engineering Partnership

  • Partner with engineering and infrastructure teams to translate security requirements into practical technical controls across cloud infrastructure, SDLC, access management, logging, monitoring, and incident response.

Vendor Risk Management

  • Manage vendor security reviews, questionnaires, evidence validation, risk scoring, and ongoing monitoring for critical third parties and partners.

Customer Trust & Due Diligence

  • Support customer security reviews, security questionnaires, and trust documentation that enable enterprise sales and bank partnerships.

Continuous Compliance

  • Help build scalable compliance workflows, tooling, and automation to reduce manual effort and improve evidence quality as Astra grows.

Metrics & Reporting

  • Maintain dashboards and reporting on audit status, control health, remediation progress, and risk posture for leadership.

What We’re Looking For

Required Experience

  • 3–6+ years of experience in governance, risk, compliance, audit, or information security roles.
  • Hands-on experience supporting or leading SOC 1 and/or SOC 2 audits; experience with PCI DSS and ISO 27001 is strongly preferred.
  • Strong working knowledge of compliance frameworks (SOC, ISO 27001, NIST CSF, PCI DSS) and how controls operate in practice.
  • Experience working cross-functionally with engineering, product, and operations teams in a technical environment.
  • Proven ability to build and maintain high-quality documentation, evidence, and audit artifacts.
  • Comfort operating in fast-moving environments where priorities evolve and ambiguity is common.
  • Ambition to build structure and systems from 0 to 1, and comfort in creating frameworks, templates, and playbooks that scale.
  • Experience collaborating with Product, Sales, and Engineering teams to align on priorities and drive outcomes.

Education
Bachelor’s degree in Information Systems, Computer Science, Business, Risk Management, or related field (or equivalent practical experience).

Preferred Experience

  • Fintech / Payments: Experience operating in regulated environments involving payments, banking partners, PCI, or financial audits.
  • ISO 27001: Experience supporting certification or operating within an ISO-aligned ISMS.
  • Automation & Tooling: Experience implementing compliance tooling, evidence automation, or GRC platforms.
  • Vendor Risk Programs: Hands-on ownership of third-party risk management workflows.
  • Startup Environment: Experience building or scaling compliance programs in high-growth companies.

Key Skills

  • Audit Operations: Scoping, walkthroughs, evidence management, remediation tracking, auditor coordination.
  • Control Design: Ability to translate regulatory requirements into clear, testable, and scalable controls.
  • Risk Assessment: Experience performing system, vendor, and operational risk assessments with structured methodologies.
  • Technical Fluency: Working understanding of cloud infrastructure, identity and access management, logging, monitoring, SDLC, and security tooling.
  • Documentation & Writing: Strong ability to produce clear policies, procedures, narratives, and evidence artifacts.
  • Project Management: Ability to manage multiple parallel audits, initiatives, and stakeholders while maintaining quality and deadlines.
  • Communication: Ability to explain complex compliance concepts clearly to engineers, auditors, leadership, and external partners.
  • Operational Rigor: Highly organized with strong attention to detail and follow-through.

What We Offer

  • Competitive compensation with equity in a growing fintech company.
  • Remote-first culture with flexible working arrangements.
  • Small team, big impact — your work directly supports Astra’s ability to scale responsibly.
  • Professional growth opportunities in compliance and risk management.
  • Mission-driven — build infrastructure that powers financial innovation while meeting the highest regulatory standards.

Skills

SOC 1, SOC 2, PCI DSS, ISO 27001, NIST CSF, GRC Platforms, Cloud Infrastructure, SDLC, Identity and Access Management, Logging, Monitoring, Risk Assessment, Vendor Risk Management, Audit Management, Control Design

Compliance Analyst

This Compliance Analyst role at Harvey involves owning and maintaining compliance documentation, coordinating evidence collection, and supporting third-party assessments. The role requires hands-on compliance work, close collaboration with Engineering and Security teams, and a detail-oriented approach to ensure program health and continuous monitoring.

99k – 149k · San Francisco, CA · Security Engineering · Hybrid · 3+ YOE · SaaS · Cloud Environments

Security Engineer, Application Security

Conduct low-level code security assessments, architecture reviews, and threat modeling for client applications. Build custom security tools bridging vulnerability research and application security. Requires manual code review, binary analysis, and programming proficiency in multiple languages.

100k – 200k · United States · Security Engineering · Remote · 5+ YOE · C · Go

Security Engineer (Security Operations, Zero Trust)

Security Engineer focused on security operations, incident response, and Zero Trust implementation. Designs, deploys, and supports security tools like SIEM, EDR, and Cloudflare; triages alerts, automates responses, and collaborates on cloud/IAM security. Requires 3-5 years experience in cloud-native security engineering.

100k – 140k · United States · Security Engineering · Remote · 3+ YOE · EDR · GCP

Security Engineer II

Security Engineer II responsible for monitoring security alerts, responding to incidents, administering enterprise security tools, and supporting cloud and identity security initiatives. Requires 3+ years in cybersecurity or related fields with strong scripting and troubleshooting skills.

105k – 150k · Los Angeles, CA · Security Engineering · On-site · 3+ YOE · AWS · macOS

CyberSecurity & Identity Protection Engineer (Tier 3)

Tier 3 engineer deploys/manages EDR tools, conducts incident response, vulnerability assessments, and identity protection for clients. Monitors threats, automates workflows with SOAR/Python, and handles fraud resolution. Requires 3+ years cybersecurity experience.

110k – 130k · United States · Security Engineering · Remote · 3+ YOE · AI · EDR