GRC Analyst.

A Governance, Risk, and Compliance specialist who maintains an organization's security control framework, runs internal and third-party assessments, prepares for audits (SOC 2, ISO 27001, PCI), and translates technical reality into policy and risk language. 它属于网络安全的 角色与职业 分类。

A Governance, Risk, and Compliance specialist who maintains an organization's security control framework, runs internal and third-party assessments, prepares for audits (SOC 2, ISO 27001, PCI), and translates technical reality into policy and risk language.

A GRC (Governance, Risk, and Compliance) analyst sits at the intersection of security, legal, and audit. The role owns or supports the organization's control framework — typically built around ISO 27001, NIST CSF, NIST SP 800-53, SOC 2, PCI DSS, HIPAA, or sector-specific equivalents — and the underlying policies, standards, and procedures. Daily work includes vendor and third-party risk assessments, internal control testing, evidence collection for external audits, gap remediation tracking, risk register maintenance, security questionnaire responses (CAIQ, SIG, custom RFPs), incident-reporting compliance (SEC, GDPR Article 33, DORA, NIS2, HIPAA Breach Notification), and producing the reporting that boards and regulators consume. GRC analysts increasingly work with automated control-evidence platforms (Vanta, Drata, Secureframe, Tugboat Logic, Hyperproof) that ingest data directly from cloud APIs to demonstrate continuous control operation. Common credentials: CISA, CISM, CRISC, ISO 27001 Lead Auditor / Lead Implementer, Security+, and increasingly cloud-specific compliance badges. Strong GRC analysts have credibility with engineers — able to translate a SOC 2 CC6 control into a Kubernetes admission policy and back — and clarity with executives.

针对 GRC Analyst 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: GRC specialist, Compliance analyst, Risk analyst。