GRC Analyst (Governance, Risk & Compliance)
OneRail
Overview
The GRC Analyst is responsible for the operational execution of OneRail's governance, risk, and compliance program. This role owns the day-to-day work that keeps OneRail's ISO 27001:2022 ISMS, SOC 2 Type II attestation, and regulatory compliance programs running — including risk register maintenance, vendor security assessments, policy management, evidence collection, corrective action tracking, and security awareness delivery.
The GRC Analyst works closely with the CISO and across every team in the organization to collect evidence, manage findings, and ensure that compliance obligations are met continuously — not just during audit windows. This is a highly cross-functional role that requires both strong process discipline and the ability to build trusted relationships with stakeholders in Engineering, HR, Legal, Finance, and Operations.
Responsibilities
RISK MANAGEMENT
- Maintain the enterprise security risk register — score risks using NIST likelihood/impact methodology, assign owners, track mitigation status, and report monthly to the CISO.
- Maintain the dedicated AI Risk Log and Shadow IT Risk Log — identify, score, and document risks arising from unsanctioned AI tools and unapproved SaaS applications.
- Support the CISO in drafting risk acceptance memos for policy exceptions or residual risks above threshold.
- Assist in preparing the monthly SRC (Security & Risk Committee) security dashboard.
COMPLIANCE & AUDIT
- Coordinate ISO 27001:2022 internal audit evidence collection across all Annex A control domains. Prepare documentation packages for CISO review and external auditor submission.
- Own SOC 2 Type II evidence collection and management across all five Trust Service Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy).
- Monitor regulatory compliance obligations under GDPR, HIPAA, and CCPA — track data processing activities, update ROPA, and flag new data flows for assessment.
- Manage the Corrective Action Plan (CAP) tracker — track all open audit findings and nonconformities from identification to closure, validating remediation evidence before closure.
POLICY MANAGEMENT
- Coordinate the annual information security policy review cycle — draft updates, route for stakeholder review, obtain CISO sign-off, and publish to the policy portal.
- Manage the policy exception log — track all active exceptions with expiration dates, initiate renewal or closure reviews.
- Administer the annual policy attestation program — ensure all employees read and attest to key policies (AUP, Data Classification, Password, Remote Work). Escalate non-completions to HR and department managers.
VENDOR & THIRD-PARTY RISK
- Conduct pre-procurement vendor security assessments using the SIG Lite questionnaire. Score vendor posture, collect SOC 2 or ISO 27001 evidence, and document results.
- Manage the annual vendor re-assessment cycle for Tier 1 and Tier 2 vendors.
- Maintain the DPA (Data Processing Agreement) inventory — track execution status, review terms for GDPR/HIPAA/CCPA alignment, and flag expirations for renewal.
- Maintain the vendor risk register and provide status reporting to the CISO.
SAAS APPLICATION REVIEW
- Perform initial security assessment for new SaaS application requests — review SSO/SAML support, data residency, encryption practices, and SOC 2 attestation. Escalate to the Security Engineering Lead for complex assessments.
- Maintain and publish the approved SaaS application catalog. Flag and document unapproved tools identified through browser telemetry, expense reports, or employee tickets.
- Update the Shadow IT Risk Log with findings from shadow IT detection activities.
SECURITY AWARENESS
- Own the annual security awareness training program — manage the training platform, track completion, send escalating reminders, and report completion rates to the CISO.
- Coordinate quarterly phishing simulation campaigns with the Associate Security Analyst — analyze results, auto-enroll failures in targeted remediation, and present trends to the SRC.
- Deliver new hire security onboarding briefings on or before Day 1, covering AUP, data classification, incident reporting, phishing awareness, password/MFA policy, and BYOD requirements.
Qualifications
- 3+ years of experience in GRC, information security compliance, or audit roles.
- Working knowledge of ISO 27001, SOC 2 Trust Service Criteria, GDPR, HIPAA, and CCPA.
- Experience collecting and managing compliance evidence and coordinating with external auditors.
- Strong organizational skills — ability to manage multiple concurrent workstreams with defined deadlines.
- Excellent written communication — able to draft clear policies, risk memos, and compliance reports.
- Comfortable working cross-functionally with Engineering, HR, Legal, and Finance stakeholders.
Preferred Qualifications (optional, but helpful in identifying ideal candidates)
- CGRC, CISA, CRISC, or equivalent GRC/compliance certification.
- CIPT, CIPP/E, or CIPP/US for privacy compliance responsibilities.
- Experience with GRC platforms (Drata, Vanta, Tugboat Logic) or policy management tools (GitBook, Confluence).
- Familiarity with NIST RMF, NIST CSF, and SIG Lite vendor questionnaire framework.
- Experience in a SaaS technology company or logistics/supply chain sector.
About OneRail
OneRail is a leading omnichannel fulfillment solution pairing best-in-class software with logistics as a service to provide dependability and speed to help businesses meet their delivery promise. With a real-time connected network of 12 million drivers, OneRail matches the right vehicle for the right delivery so brands lower expenses and increase capacity to rapidly scale their businesses. This people-plus-platform approach features a 24/7 USA-based exceptions team who maintain a 98% on-time delivery rate. By optimizing fulfillment processes, reducing costs and improving order accuracy with store-shelf-to-doorstep visibility, OneRail is committed to empowering clients and improving the customer experience.
OneRail was named to the Deloitte Technology Fast 500™ two years in a row, was ranked 19th in the 2025 FreightTech 25, named for the fifth year in a row to the FreightTech 100, was honored as one of Inc. magazine’s Best Workplaces 2023, was listed on Forbes’ lists of America’s Best Startup Employers for the last three years, was named to the Inc. 5000 two years in a row and was selected as the Last Mile Company of the Year for the 2024 SupplyTech Breakthrough Awards. To learn more about OneRail, visit OneRail.com.