GRC Analyst (Security Compliance & Risk) job at STACK Infrastructure APAC
6 Days Ago
GRC Analyst (Security Compliance & Risk)
2026-04-04T15:43:41+00:00
STACK Infrastructure APAC
FULL_TIME
South Yarra, Victoria 3141, Australia
Victoria (VIC)
2000
Australia
Information Technology
Computer & IT, Business Operations, Protective Services
AUD
MONTH
2026-04-14T17:00:00+00:00
8

Summary:

The GRC Analyst (Security Compliance & Risk) plays a crucial role in ensuring that our organisation adheres to security compliance standards and effectively manages risks within the building and construction industry. Based in South Yarra, Victoria, this permanent full-time position is essential for safeguarding our operations and maintaining our reputation in the market. The successful candidate will collaborate with various teams to implement and monitor compliance frameworks, ensuring that we meet both regulatory and internal standards.

Key Responsibilities:

  • Maintain and operate ISO 27001 ISMS and SOC 2 Type II compliance programs
  • Support DISP compliance and ongoing obligations
  • Collect, review, and manage audit evidence across controls
  • Prepare for and coordinate internal and external audits
  • Track and remediate audit findings and control gaps
  • Maintain documentation across personnel, physical, and information security domains
  • Assist with DISP reporting and audit activities
  • Maintain and update security policies, standards, and procedures
  • Ensure controls are implemented and operating effectively
  • Work with teams across engineering, IT, and operations to enforce compliance
  • Maintain risk registers and track risk treatment plans
  • Conduct risk assessments and support business impact analysis
  • Follow up with stakeholders to ensure mitigation actions are completed
  • Perform vendor security assessments and due diligence
  • Maintain third-party risk records and periodic reviews
  • Support security requirements in vendor onboarding and contracts
  • Plan and execute internal audits
  • Monitor control effectiveness and continuous compliance
  • Ensure ongoing audit readiness (not just point-in-time preparation)

Must have Experience:

  • 4–8 years’ experience in GRC, security compliance, or risk roles
  • Hands-on experience with ISO 27001 and/or SOC 2 audits
  • Proven experience collecting audit evidence and working with auditors
  • Strong organisational skills and attention to detail
  • Ability to drive tasks, follow up, and hold stakeholders accountable

Nice to have:

  • Experience with DISP or other government security frameworks
  • Experience in regulated industries (defense, finance, SaaS, etc.)
  • Familiarity with GRC platforms (Drata, Vanta, OneTrust, etc.)
  • Relevant certifications (ISO 27001 Lead Implementer/Auditor, CISA, CISM, etc.)

Equal Opportunity Employer

STACK provides equal employment opportunities to all employees and applicants for employment and prohibits discrimination and harassment of any type without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.

This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation and training.

Reasonable accommodations may be made to enable individuals with disabilities to perform these essential functions.

JOB-69d131adacdd6

Vacancy title:
GRC Analyst (Security Compliance & Risk)

[Type: FULL_TIME, Industry: Information Technology, Category: Computer & IT, Business Operations, Protective Services]

Jobs at:
STACK Infrastructure APAC

Deadline of this Job:
Tuesday, April 14 2026

Duty Station:
South Yarra, Victoria 3141, Australia | Victoria (VIC)

Summary
Date Posted: Saturday, April 4 2026, Base Salary: Not Disclosed


Work Hours: 8

Experience in Months: 24

Level of Education: bachelor degree

