Information Security & Compliance Officer
Job role: Information Security & Compliance Officer (Alternate Title: Infosec Auditor & Governance Manager)
Salary range (in-hand): 40-70k
Location: Mumbai (or Hybrid as per business need)
Reporting To: Chief Information Security Officer (CISO) / Head of Technology

Purpose of the Role:
To manage and coordinate all information security audits, respond to auditor and banker queries, track remediation timelines, maintain audit-ready documentation, implement security controls, and ensure compliance with ISO 27001, RBI guidelines, CICRA (Credit Information Companies Regulation Act), and other regulatory requirements.

Key Responsibilities:

1. Audit & Compliance Management
• Own the end-to-end audit lifecycle across internal, external, partner, and regulatory audits (ISO 27001, RBI, CISA, bank infosec teams, Credit Information Companies (CICs)).
• Liaise with banks, auditors, and NBFC partners to provide timely responses and evidence.
• Maintain an exhaustive audit tracker with timelines, evidence folders, and closure reports.
• Prepare documentation and ensure regular reviews of quarterly and half-yearly items (user access reviews (UARs), VAPT (vulnerability assessment and penetration testing), password policy reviews, etc.).

2. Policy Implementation & Review
• Coordinate the implementation and periodic review of all security policies, such as:
o Information Security Policy
o Access Control Policy
o Encryption & Cryptographic Policy
o Password Policy
o Cloud Security Policy
o DLP, Antivirus & Patch Management Policy
o Data Retention & Disposal Policy
o Change Management & SDLC
o HR Policy Security Clauses (separation, laptop return, fidelity declaration)
• Ensure all policies are updated, approved, communicated, and enforced.

3. Security Controls & Infrastructure Compliance
• Maintain evidence of:
o AWS security group reviews and hardening reports
o VPN tools and access mechanisms
o IDS/IPS deployment
o Email encryption
o Endpoint protection software and patch deployment
o DR/BCP drills and logs
o Cloud/network diagrams and access logs
• Coordinate with the infra & DevOps teams to track VAPT findings, SIEM coverage, and firewall configurations.

4. Vendor, Cloud & Third-Party Governance
• Monitor and govern cloud configurations and vendor relationships for:
o AWS (encryption, KMS, access control, VPC architecture)
o Anti-virus/DLP/MDM/USB blocking tools
o VAPT / penetration test vendors
o Subcontractor compliance with privacy & data sharing agreements

5. Documentation, Evidence & Automation
• Maintain updated SOPs, policy documents, declaration forms, signed NDAs, and audit reports.
• Create periodic evidence checklists and trackers (UAR logs, patch updates, policy review minutes, Form III declarations).
• Work with tech & HR to automate compliance triggers (alerts for quarterly reviews, policy expiry, form sign-offs, etc.).

Qualifications:
• Bachelor's degree in IT, Computer Science, Cybersecurity, or equivalent.
• Preferred: CISA, ISO 27001 Lead Implementer/Auditor, CEH, or other infosec certifications.

Experience:
• 3–7 years of hands-on experience in information security audits, IT compliance, or governance roles.
• Experience with ISO 27001, RBI IT frameworks, CICRA, or financial sector infosec requirements preferred.

Key Skills:
• Excellent understanding of IT security domains (cloud, application, infra)
• Strong documentation and audit response skills
• Familiarity with AWS cloud, SIEM tools, endpoint protection, and patching cycles
• Working knowledge of SDLC and DevSecOps frameworks
• Comfortable working cross-functionally with Tech, HR, Admin, Vendor, and Legal teams
• Strong command of Excel trackers, file documentation, and policy drafting

Bonus Skills:
• Knowledge of Indian regulatory requirements (CICRA, RBI circulars)
• Experience in the fintech or BFSI domain
• Familiarity with VAPT report analysis and remediation tracking