Governance, Risk, and Compliance (GRC) Specialist

3-6 Years
Risk Management

Job Description

Thales is seeking an Intermediate Governance, Risk, and Compliance (GRC) Specialist to provide advisory and hands-on execution across various compliance frameworks including CPCSC, CMMC, and ISO 2700x. The role involves leading readiness assessments, designing and improving control environments, guiding clients through audits and certifications, and translating complex requirements into pragmatic roadmaps. The specialist will work directly with stakeholders, facilitate workshops, and build sustainable GRC solutions, contributing to a safer, greener, and more inclusive future.
Good To Have:
  • Exposure to NIST 800-53, SOC 2, PCI DSS, GDPR/CCPA.
  • Experience in defense industrial base or regulated sectors.
  • Familiarity with GRC platforms and ITSM tools (Jira, ServiceNow).
  • Experience building control crosswalks and maintaining control libraries.
  • Comfort with data classification, encryption key management, cloud security controls.
  • Relevant certifications (CISM, CISA, CISSP, ISO 27001 Lead Implementer/Auditor, CC, CRISC, PMP).
  • Current/eligible CMMC related credentials (RP/RPO affiliation, CCP/CCA).
Must Have:
  • Deliver advisory and hands-on execution across CPCSC, CMMC, ISO 2700x.
  • Lead readiness assessments and design control environments.
  • Guide clients through audits and certifications.
  • Translate complex requirements into business-aligned roadmaps.
  • Conduct gap assessments and remediation planning for CPCSC.
  • Perform NIST SP 800-171/CMMC readiness assessments.
  • Build or mature ISMS programs for ISO 27001/27002.
  • Design and document GRC policies, standards, and procedures.
  • Perform control testing and evidence reviews.
  • Facilitate formal risk assessments.
  • Prepare clients for external audits and assessments.
  • 3-6 years of experience in GRC, cybersecurity compliance, or IT audit.
  • Practical knowledge of CMMC (v2), NIST SP 800-171, ISO 27001/27002.
  • Strong understanding of core security domains.
  • Demonstrated consulting and client-facing communication skills.


Position Summary

At Thales, we are proud to work together to imagine innovative solutions that contribute to building a future that is safer, greener and more inclusive. A future that we can all trust. But these technologies don’t just come from anywhere. At Thales, it all starts with Human Intelligence. That is why our ambition is to create the best possible experience for you. We strive to create the conditions that enable your growth, to facilitate your work-life balance and daily work, and to broaden your prospects.

In Canada, Thales is relied on to innovate for customers with high-stakes goals, critical missions and big ambitions. Our commitment to mastering digital capabilities in Canada strengthens the nation’s economy – through high-technology jobs, investments in domestic research and technology, and solutions for the aerospace, defence, digital identity and security sectors.

Driven by purpose, values, innovation, and a commitment to building a future we can all trust, Thales Canada seeks to increase digital trust and resilience, offering integrated digital solutions to organizations, mission critical systems and critical infrastructure in both the commercial and the defence community.

Thales is seeking an Intermediate-level Governance, Risk, and Compliance (GRC) Specialist to deliver advisory and hands-on execution across CPCSC, CMMC, ISO 2700x, and other compliance frameworks. This role will lead readiness assessments, design and improve control environments, guide clients through audits/certifications, and translate complex requirements into pragmatic, business-aligned roadmaps. This role is ideal for a consultant who is comfortable working directly with stakeholders, facilitating workshops, and building sustainable GRC solutions built on customer intimacy.

Key Areas of Responsibility

Advisory and Client Engagement

  • Lead discovery sessions, stakeholder interviews, and workshops to understand business context, scope, and compliance objectives.
  • Translate regulatory and framework requirements into actionable program plans, control designs, and implementation roadmaps.
  • Present findings and recommendations to technical and executive audiences; prepare high-quality client deliverables.

Framework Readiness and Implementation

  • CPCSC: Conduct gap assessments, control mapping, and remediation planning against the applicable CPCSC requirements (or equivalent regional compliance scheme). Provide guidance on scoping, data flows, and evidence requirements.
  • CMMC (v2): Perform NIST SP 800-171/CMMC readiness assessments; develop SSPs and POA&Ms; define enclaves and scoping; establish evidence collection processes; support clients through RPO/RP-led journeys.
  • ISO 27001/27002 (2700x family): Build or mature ISMS programs; conduct risk assessments; develop the Statement of Applicability; support internal audits and management reviews; prepare for external certification.

Control Design, Testing, and Continuous Improvement

  • Design and document policies, standards, procedures, and control narratives aligned to applicable frameworks.
  • Build crosswalks/control catalogs across CPCSC, CMMC, ISO 27001/27002, and related frameworks (e.g., NIST 800-53).
  • Perform control testing, sampling, and evidence reviews; track remediation and validate closure.
  • Define and operationalize KRIs/KPIs and compliance metrics dashboards.

Risk Management and Security Governance

  • Facilitate formal risk assessments and treatment plans using recognized methods (ISO 27005, NIST 800-30, FAIR optional).
  • Advise on secure configurations, IAM, vulnerability and patch management, logging/monitoring, and incident response alignment with compliance needs.
  • Support third-party/vendor risk assessments and continuous monitoring activities.

Audit and Certification Support

  • Prepare clients for external audits/assessments; coordinate evidence, walkthroughs, and sampling with assessors/certification bodies.
  • Guide remediation and readiness sprints; develop playbooks for recurring audit cycles.

Training and Enablement

  • Deliver targeted training and awareness for control owners, process owners, and stakeholders.
  • Create reusable templates, accelerators, and best practices to scale program delivery.

Minimum Qualifications

  • Bachelor’s degree in Information Security, Information Systems, Computer Science, Risk/Compliance, or related field; or equivalent experience.
  • 3–6 years of experience in GRC, cybersecurity compliance, or IT audit, with hands-on work in at least two of: CMMC/NIST 800-171, ISO 27001/27002, CPCSC or a similar regional cybersecurity compliance scheme.
  • Demonstrated consulting/advisory experience: client-facing communication, facilitation, slideware, and report writing.
  • Practical knowledge of:
      • CMMC (v2) practices, NIST SP 800-171 requirements, SSP/POA&M, scoping/enclave concepts, evidence management.
      • ISO 27001:2022 and ISO 27002:2022 controls, ISMS lifecycle, risk assessment, SoA, internal audit, and certification processes.
      • Control design and testing, governance documentation (policies, standards, procedures), and audit readiness.
  • Strong understanding of core security domains: asset/configuration management, access control, vulnerability management, logging/monitoring, business continuity, incident response, and change management.
  • Excellent communication skills and ability to translate technical concepts into business outcomes.

Key Competencies

  • Advisory mindset: structured problem-solving, stakeholder management, and clear executive communication.
  • Project delivery: scoping, planning, tracking, and on-time delivery of milestones and artifacts.
  • Analytical rigor: evidence-based assessment, root-cause analysis, and pragmatic recommendations.
  • Collaboration: ability to work with cross-functional teams (Security, IT, Legal, Engineering, Procurement).
  • Adaptability: comfortable with evolving standards and working across multiple client environments.

Preferred Qualifications

Skills and Abilities:

  • Exposure to additional frameworks/requirements: NIST 800-53, SOC 2, PCI DSS, privacy regimes (e.g., GDPR/CCPA), secure SDLC/DevSecOps integration.
  • Experience working within the defense industrial base or regulated sectors (e.g., aerospace/defense, critical infrastructure, fintech, healthcare).
  • Familiarity with compliance and GRC platforms and ticketing/ITSM tools (e.g., Jira, ServiceNow).
  • Experience building control crosswalks and maintaining control libraries.
  • Comfort with data classification and handling requirements, encryption key management guidance, and cloud security controls (ISO 27017/27018).

Education:

  • One or more relevant certifications preferred: CISM, CISA, CISSP, ISO 27001 Lead Implementer/Lead Auditor, CC (for CMMC), CRISC, PMP, or comparable.
  • For CMMC advisory, current/eligible CMMC related credentials (e.g., RP/RPO affiliation, CCP/CCA when applicable) are a plus.

Special Position Requirements

Schedule:

Core business hours Monday-Friday; eight-hour work-day.

Physical Environment:

Access to R&D facilities, cyber-ranges, and Cyber Security Operations Centres.

Travel:

Travel required in support of customer requirements regionally and nationally. Travel expected 25% of time.

Customer Location Based or Site Visits:

Travel will be required to customer location.

What We Offer

Thales provides an extensive benefits program for all full-time employees working 24 or more hours per week and their eligible dependents, including the following:
  • Company paid Extended Health, Dental, HSA, Life, AD&D, Short-term Disability, Cancer Care Program, travel insurance, Employee Assistance Plan and Well-Being program.
  • Retirement Savings Plans (RRSP, DCPP, TFSA) with a company contribution and a match to a DCPP, with no vesting period.
  • Company paid holidays, vacation days, and paid sick leave.
  • Voluntary Life, AD&D, Critical Illness, Long-Term Disability.
  • Employee Discounts on home, auto, and gym membership.

Why Join Us?

Say HI and learn more about working at Thales.

