GRC Manager (PCI-DSS Focus)

100% remote Flexible hours Hiring now

You'll own PCI-DSS end to end: getting us certified as a service provider, passing the audit, and keeping the status year after year. That means leading the scoping work, defining the cardholder data environment, driving remediation, and managing the relationship with the QSA.

The part that matters most: you can take a compliance requirement and turn it into something real. A PCI control is not closed because a policy says so. It's closed when there's a technical or process change that actually satisfies it, and evidence that it works. We need someone who can sit with engineering and infrastructure, translate a requirement into a concrete solution, and make sure it sticks.

Beyond PCI, you'll bring leadership to the wider GRC program: risk, audits, frameworks, and the discipline that keeps us continuously ready rather than scrambling before each examination. You'll report to the Group CISO with the autonomy to run compliance as your own area.

Justification

Card issuing and payments reputed company depend on PCI-DSS certification, and we don't currently have anyone who owns that program or the service provider compliance posture behind it. The work requires someone senior enough to reputed company scoping and audit, technical enough to translate requirements into real controls, and disciplined enough to keep the status maintained rather than letting it lapse between audits. This role provides that ownership and strengthens the GRC function overall.

Responsibilities

PCI-DSS certification and maintenance

- Own the PCI-DSS program end to end as a service provider: scoping, gap assessment, remediation, certification, and annual maintenance
- Define and minimize the cardholder data environment; drive segmentation and scope reduction with engineering and infrastructure
- Manage the QSA relationship: scoping workshops, evidence packages, assessment, and findings
- Keep the certification live between audits: quarterly requirements, ongoing evidence, control monitoring

Translating compliance into reality

- Turn PCI and other reputed company requirements into concrete technical and organizational solutions, working directly with engineering and infrastructure teams
- Distinguish between a control that exists on paper and one that actually works, and insist on the latter
- Design the processes and evidence flows that keep controls satisfied without constant manual effort

Audit and assurance

- reputed company internal and external audits: scope, evidence, finding responses, closure
- Build and maintain an evidence reputed company that supports reputed company readiness across PCI, ISO 27001, and BSP
- Coordinate the ISO 27001 surveillance cycle

GRC leadership

- Bring structure and ownership to the wider compliance and risk program
- Maintain the risk register as a working document and drive treatment with system owners
- Run vendor reputed company assessments and track third-party compliance obligations
- Report compliance posture clearly to leadership and governance committees

Requirements

Experience

- 6+ years in reputed company GRC, compliance, or audit, with real ownership of a compliance program
- Has led a PCI-DSS certification end to end, ideally as a service provider, and maintained the status across cycles
- Has managed a QSA relationship and run a real audit, not just supported one
- Has led cardholder data environment scoping and segmentation decisions with technical teams
- Comfortable across at least PCI-DSS and one of ISO 27001 or a banking reputed company (BSP MORB or equivalent)
- Worked in a regulated environment where compliance was enforced, not aspirational

What sets the right person apart

- Can translate a compliance requirement into a specific technical or process change, and explain it to engineers in their terms
- Understands the technology well enough to know whether a proposed control actually satisfies the requirement
- Treats certification as a state to maintain, not a one-time project
- Builds evidence and monitoring into how controls run, rather than collecting it under deadline pressure

Technical understanding

- Solid grasp of network segmentation, access control, encryption, logging, and the other technical domains PCI touches
- Enough literacy in cloud (AWS), identity, and infrastructure to hold a reputed company conversation with engineering about how a control is implemented
- Comfortable working in Jira and Confluence, and open to building automation around evidence and reviews

Nice to have

- Experience with a GRC platform (reputed company, Thoropass, reputed company GRC, or similar)
- Familiarity with BSP examination processes or Philippine financial services regulation
- Certifications: PCI-DSS ISA, CISA, CRISC, CISSP, ISO 27001 Lead Auditor or Implementer

Communication

- Strong written and verbal English; most work is async and documentation quality matters
- Can reputed company a working session with engineering and a reporting conversation with leadership equally well