Risk and Compliance Officer

7 days ago


Pasig, National Capital Region, Philippines PAN ASIA Resources Full time ₱720,000 - ₱1,440,000 per year

Role Summary

The Risk & Compliance Officer owns the day-to-day operation of the organization's Governance, Risk, and Compliance program. The role identifies and assesses risks, maintains the control framework, drives remediation with control owners, and ensures ongoing compliance with applicable standards, contracts, and regulations (e.g., ISO 27001:2022, SOC 2, PCI DSS, Data Privacy Act of 2012, HIPAA as applicable). The officer partners with IT, Security, Operations, Legal, HR, and third parties to keep risk within appetite and audit-ready.

Key Responsibilities:

1) Governance & Policy

  • Maintain the Information Security & Privacy policies, standards, and procedures; run annual reviews and board approvals.

  • Ensure policy dissemination (briefings, acknowledgments) and map policies to control frameworks.

2) Enterprise Risk Management

  • Run periodic risk assessments (business, cyber, operational, vendor); document risks, likelihood/impact, and treatment plans.

  • Maintain the Risk Register; track mitigations to closure and report residual risk vs. appetite.

  • Facilitate risk acceptances/exceptions with defined expiry and compensating controls.

3) Compliance & Audits

  • Plan and execute internal control testing; collect evidence for external audits and customer due diligence.

  • Lead readiness for ISO 27001, SOC 2, PCI DSS (as applicable), and client assessments; coordinate gap remediation.

  • Monitor regulatory obligations (e.g., NPC/PH Data Privacy Act) and ensure compliance.

4) Third-Party/Vendor Risk Management

  • Operate supplier onboarding due diligence, security questionnaires (SIG/CAIQ), contract clause reviews, and ongoing monitoring.

  • Maintain a Supply Chain Risk Register; track KRIs (e.g., cert validity, patch latency, incident notifications).

5) Security Control Assurance

  • Validate operation of key controls: access management, PAM/JIT, vulnerability management, EDR/XDR, logging/SIEM, backup/DR, encryption, MDM/Intune.

  • Coordinate quarterly segmentation/penetration testing and monthly vulnerability scans; track findings to closure.

6) Training & Awareness

  • Run the annual security/privacy training program (employees & third parties); track completion and escalate non-compliance.

  • Conduct targeted trainings (e.g., phishing simulations, secure handling of customer data).

7) Incident & Change Support

  • Support incident response (documentation, regulatory/customer notifications, post-incident RCA & corrective actions).

  • Participate in change advisory reviews to ensure security and compliance impacts are addressed.

8) Reporting & Stakeholder Management

  • Produce monthly/quarterly GRC dashboards for leadership (risk heatmap, control health, exceptions, audit status).

  • Act as customer/auditor point of contact for security questionnaires and contract exhibits.

Required Qualifications:

  • Bachelor's degree in IT, Information Security, Business, Accounting, or related field (or equivalent experience).

  • 3–7+ years in risk, audit, information security, or compliance (GRC) roles.

  • Hands-on experience with at least two frameworks: ISO 27001:2022, SOC 2, PCI DSS, NIST CSF/800-53, HIPAA, PH Data Privacy Act.

  • Strong understanding of access control, vulnerability management, incident response, logging/SIEM, cloud/SaaS security.

  • Excellent communication skills; capable of translating technical risk into business impact and clear actions.

Preferred (nice to have) Certifications:

  • ISO 27001 Lead Implementer/Lead Auditor, CISA, CISM, CRISC, PCI ISA/PCIP, CIPM/CIPT, ITIL.

  • PH Data Privacy certifications (e.g., DPO training) if handling personal data.

Tools & Technologies (familiarity desired)

  • GRC/IRM: ServiceNow, Archer, OneTrust, Drata, Tugboat, or similar.

  • Identity & Devices: Entra ID/Azure AD, Intune/MDM, LAPS/PAM, Okta/SSO.

  • Security Ops: SIEM (e.g., Microsoft Sentinel), EDR/XDR (e.g., Defender, Palo Alto, Wazuh), vulnerability scanners (Tenable/Qualys/OpenVAS).

  • Collab & Evidence: Microsoft 365, SharePoint, Confluence/Jira, ticketing (ServiceNow/Jira).

  • Cloud: Azure/AWS/GCP basics, logging & IAM concepts.

Competencies:

  • Risk analysis & prioritization
  • Control testing
  • Vendor management
  • Policy writing
  • Stakeholder influence
  • Project management
  • Analytical & documentation rigor
  • Integrity, discretion, and strong ownership of outcomes

KPIs / Success Measures

  • % of controls tested and passing (quarterly)

  • % audit findings/corrective actions closed within SLA

  • Risk register freshness (≤30 days) & reduction in high risks over time

  • Training compliance rate (employees & third parties)

  • Vendor due-diligence coverage and on-time renewals

  • Vulnerability remediation SLA adherence (e.g., critical ≤ 15 days)

Job Type: Full-time

Pay: Php30, Php80,000.00 per month

Application Question(s):

  • Do you have a Bachelor's degree in IT, Information Security, Business, Accounting, or any related field?
  • Do you have at least 3–7+ years in risk, audit, information security, or compliance (GRC) roles?
  • Do you have hands-on experience with at least two frameworks: ISO 27001:2022, SOC 2, PCI DSS, NIST CSF/800-53, HIPAA, PH Data Privacy Act?
  • Can you start ASAP?
  • How much is your expected salary?
  • Are you okay working 100% onsite, in Ortigas Pasig?

Work Location: In person


    Title: Enterprise Risk OfficerJFC'sEnterprise Risk Officeris responsible for the following:ERM Framework ImplementationSupport ERM framework implementation.Handle ERM documentation.Administer JFC's risk register and coordinate risk actions.Review and recommend process improvements.ERM AdministrationExecute ERM projects per plan and strategies.Collect and...