As a Senior GRC Analyst
As a Senior GRC Analyst, you will report to the Security Engineering Manager – GRC and own the buildout and operation of Docker's risk management program. You will design and implement enterprise risk management processes, including security risk assessments, third-party risk management, and the risk register. You will also lead Docker's AI governance initiative, developing the policies, assessments, and controls needed to ensure responsible AI use across the company. This role requires a builder's mindset: someone who can take ambiguous problem spaces, define what good looks like, and deliver operational programs that scale. You will collaborate cross-functionally with Engineering, Product, Legal, IT, and Security Engineering to embed risk awareness into Docker's decision-making processes.
Responsibilities:
Own and drive the compliance program roadmap, aligning framework requirements (SOC 2, ISO 27001, ISO 27701, ISO 42001) with business objectives and product strategy
Lead cross-functional compliance initiatives with Engineering, Product, Legal, and IT, serving as the authoritative voice on governance and risk matters
Design and maintain Docker’s unified control framework, including cross-mapping to NIST 800-53 and identifying control gaps across multiple standards
Plan and execute internal audits end-to-end: scoping, evidence collection, control testing, findings management, and external auditor coordination
Advise GRC Engineering on correct integrations to configure and controls that require automated monitoring
Perform and lead risk assessments across systems, processes, third-party tools, and cloud configurations, translating findings into actionable risk treatment plans
Own the vendor risk management program, evaluating third-party vendors against compliance and security standards and driving remediation of identified gaps
Draft, review, and maintain corporate security policies and map them to relevant control standards, ensuring alignment across frameworks
Establish and report on compliance metrics and KPIs, providing data-driven visibility into program maturity to leadership
Stay current with evolving regulatory and industry standards (e.g., ISO 27xxx, SOC 2, GDPR, AI governance regulations) and proactively assess their impact on Docker’s compliance posture
Qualifications:
4 to 6 years of experience in Information Security, Governance, Risk, and Compliance
Demonstrated experience building or operating an enterprise risk management program, including risk assessments, risk registers, and risk treatment planning
Experience with third-party risk management, including vendor security assessments and due diligence
Working knowledge of security frameworks and standards including ISO 27001, SOC 2, NIST 800-53, and GDPR
Familiarity with AI governance concepts and emerging frameworks (ISO 42001, NIST AI RMF) or a demonstrated ability to learn and apply new frameworks quickly
Experience designing metrics and reporting for GRC programs, including dashboards and executive-level summaries
Familiarity with cloud environments (AWS, GCP, Azure) and their risk and compliance implications
Strong written and verbal communication skills with the ability to translate risk and compliance topics for both technical and non-technical audiences
Track record of building and maturing GRC programs from the ground up, including defining processes, creating documentation, and operationalizing workflows
Self-motivated with experience thriving in remote-first, fast-paced environments
Nice to Have: Relevant industry certifications such as CRISC, CISA, CISSP, or CCSK
Nice to Have: Experience with GRC platforms (Anecdotes, ServiceNow GRC, OneTrust, or similar)
Nice to Have: Experience with automation or scripting for risk management workflows
What to Expect
First 30 days
Learn Docker's risk landscape, key business processes, and existing risk documentation
Meet with key stakeholders across Security, Legal, IT, Engineering, and Product
Gain access to GRC platforms, risk management tools, and relevant documentation
Review the current risk register, vendor inventory, and third-party assessment process
Understand Docker's compliance frameworks (ISO 27001, ISO 27701, SOC 2) and how risk management integrates with assurance activities
First 90 days
Conduct a maturity assessment of the risk management program and identify priority gaps
Begin operationalizing the risk register with consistent scoring, ownership assignment, and treatment tracking
Take ownership of third-party risk management, including the vendor assessment queue
Kick off the AI governance initiative: inventory existing AI use cases and draft an AI governance policy
Design an initial GRC metrics framework and deliver the first iteration of risk reporting to leadership
Support audit activities as needed, providing evidence and coordinating with control owners
First year
Own and mature Docker's enterprise risk management program with documented processes, regular risk reviews, and executive reporting
Deliver a fully operational third-party risk management program with defined SLAs, assessment workflows, and remediation tracking
Establish Docker's AI governance program, including policy, assessment process, and alignment toward ISO 42001 readiness
Deliver recurring GRC metrics and dashboards that provide leadership visibility into risk posture and program health
Contribute to audit readiness and evidence collection for SOC 2, ISO 27001, and ISO 27701 cycles
Serve as a trusted advisor on risk matters across cross-functional teams
Perks
Freedom & flexibility; fit your work around your life
Designated quarterly Whaleness Days plus end of year Whaleness break
Home office setup; we want you comfortable while you work
16 weeks of paid Parental leave (after 6 months of employment)
Technology stipend equivalent to $100 USD net/month
PTO plan that encourages you to take time to do the things you enjoy
Training stipend for conferences, courses and classes
Equity; we are a growing start-up and want all employees to have a share in the success of the company
Docker Swag
Medical benefits, retirement and holidays vary by country
Remote-first culture, with offices in Seattle and Paris