Governance Risk And Compliance Lead

Gauteng, South Africa

Job Description

Closing Date 2025/07/25
Reference Number AEC250710-5
Pillar Head Office
Job Title Governance Risk and Compliance Lead
Job Type Classification Permanent
Job Grade DU
Number of Positions 1
Location - Town / Site Woodmead
Location - Province Gauteng
Location - Country South Africa

Purpose of the Job
The purpose of this role is to lead and strengthen the organisation's Governance, Risk, and Compliance (GRC) capabilities within the digital and information security domains, with a strong emphasis on Identity Governance and Administration (IGA), Identity and Access Management (IAM), IT risk management in line with ISO/IEC 27001, and enterprise-wide cybersecurity awareness. The incumbent is accountable for ensuring that identity, access, and compliance practices are secure, efficient, and aligned with regulatory and business requirements.
Key Internal Stakeholders

  • Information Security Team - to ensure alignment between compliance requirements and technical security controls (e.g., IAM, RBAC, PAM).
  • Internal Audit - for coordinating audit readiness, evidence collection, and control testing.
  • IT Infrastructure and Operations - for implementing and maintaining access controls, provisioning/deprovisioning, and remediation of audit findings.
  • SAP Security and Application Owners - to ensure secure access governance and compliance within enterprise systems.
  • Senior Leadership - for reporting on risk posture, compliance status, and strategic recommendations.
Key External Stakeholders
  • Regulatory Authorities - for compliance reporting, audit inquiries, and regulatory updates.
  • External Auditors - for formal audits, control assessments, and compliance verification.
  • Third-party Vendors and Service Providers - for vendor risk assessments, compliance assurance, and contract alignment with security standards.
  • Industry Bodies and Certification Bodies - for maintaining certifications (e.g., ISO/IEC 27001) and staying current with evolving compliance frameworks.
Key Responsibilities
  • Identity Governance and Access Management (evidence: access certification reports from attestation cycles, role lifecycle definitions and SoD policy matrices, RBAC/PAM audit logs).
  • Monitor and enforce compliance by reviewing policies, tracking violations, and driving corrective actions (evidence: policy documents, violation logs, compliance dashboards).
  • Oversee the IAM program, ensuring proper access controls (RBAC, PAM) and conducting periodic access reviews (evidence: IAM systems and access review reports).
  • Manage user identities and permissions, enforcing least-privilege principles and ensuring timely access changes (evidence: user provisioning/deprovisioning logs).
  • Lead audit readiness initiatives, preparing documentation and evidence for internal and external audits (evidence: audit schedules and evidence repositories).
  • Report on risk posture, providing actionable insights and recommendations to senior leadership (evidence: risk metrics and executive dashboards).
Qualifications & Experience
  • Bachelor's degree in Information Systems, Computer Science, Cybersecurity, or a related technical or business discipline.
  • Postgraduate qualification (e.g., Honours or Master's degree in Information Security, IT Governance, or Risk Management) is advantageous and preferred for strategic and senior-level roles.
  • Professional certifications in risk, compliance, identity governance, and information security, including at least one of the following:
  • Certified Information Systems Auditor (CISA) - for audit, controls, and risk governance
  • Certified Information Security Manager (CISM) - for managing and aligning cybersecurity programs to business goals
  • Certified in Risk and Information Systems Control (CRISC) - for enterprise risk management and control monitoring
  • ISO/IEC 27001 Lead Implementer or Lead Auditor - for governance frameworks and audit readiness
  • Certified Data Privacy Solutions Engineer (CDPSE) - advantageous for aligning access and compliance with data protection regulations (POPIA, GDPR)
  • Microsoft Certifications relevant to identity, compliance, and data governance:
  • SC-900: Microsoft Security, Compliance, and Identity Fundamentals
  • SC-300: Microsoft Identity and Access Administrator - for IAM, RBAC, and privileged access oversight
  • SC-400: Microsoft Information Protection Administrator - for data classification, DLP, and compliance tooling in Microsoft Purview
  • (Optional but beneficial): Certifications in security awareness and behavioural change:
  • Certified Cybersecurity Awareness Professional (CCAP) or equivalent
  • SANS Security Awareness Professional (SSAP) - for designing and managing enterprise awareness programs
  • Familiarity with SAP security and access governance is highly advantageous, especially for managing SoD, provisioning, and audit trail requirements within ERP environments.
  • Experience or certification in GRC platforms and IGA tools (e.g., SailPoint, Saviynt, Microsoft Entra ID Governance, ServiceNow GRC) will be a strong differentiator.
  • 8-10 years of progressive experience in information security, IT risk management, compliance, or related governance roles, with a demonstrated track record of delivering measurable improvements in cyber risk posture, access governance, and regulatory compliance.
  • Proven experience designing, implementing, and maintaining controls that satisfy international standards, frameworks, and regulations, including ISO/IEC 27001, NIST CSF, COBIT, POPIA, GDPR, and PCI DSS.
  • Demonstrated ability to conduct enterprise-wide cyber risk assessments, vendor risk evaluations, and internal control audits, and to lead remediation planning and execution.
  • Substantial experience in preparing for, managing, and responding to internal and external audits, including the development of audit-ready documentation, evidence logs, and management response packs.
  • Exposure to enterprise IT environments, including identity integration with ERP platforms such as SAP, and the ability to design and align technical access controls to compliance and SoD requirements.
  • Experience in the development and enforcement of security policies and standards, including tracking policy violations, root cause analysis, and reporting to executive stakeholders and governance forums.
  • Proven capability in designing and executing organisation-wide cybersecurity awareness and training programs, including simulated phishing campaigns, behavioural metrics tracking, and executive reporting.
  • Strong interpersonal and cross-functional collaboration skills, with the ability to communicate complex risk and compliance issues in a clear, actionable, and business-aligned manner to senior leadership and non-technical audiences.

Beware of fraud agents! Do not pay money to get a job.

MNCJobs.co.za will not be responsible for any payment made to a third party. All Terms of Use are applicable.


Job Detail

Job Id JD1461704
Industry Not mentioned
Total Positions 1
Job Type Full Time
Salary Not mentioned
Employment Status Permanent
Job Location Gauteng, South Africa
Education Not mentioned