Org Blueprint
R-037 · Human · Compliance · P0 · Critical · Unfilled

GRC Manager

Owns Governance, Risk, and Compliance — frameworks, audit prep, control evidence collection.

Live Ops

Due-diligence relevance

Diligence teams will request the GRC evidence room first. Mature companies hand over a curated control evidence library in 24 hours. Companies without a GRC function take 4-6 weeks to assemble equivalent evidence — that delay alone has killed deals.

Responsibilities

  • Maintain the control framework (SOC 2 / ISO 27001)
  • Collect and validate control evidence
  • Run the risk-register cadence
  • Prepare for and respond to audits
  • Deliver internal compliance training

Inputs

  • Control framework
  • Audit findings
  • Risk register

Outputs

  • Audit-ready evidence repository
  • Quarterly risk update

Qualifications

  • CISA or equivalent
  • Has prepared a company for SOC 2 Type II or ISO 27001
  • Detail-oriented and systematic

KPIs

  • Control evidence freshness
  • Audit findings count

Interfaces