Job Functions
What a junior GRC analyst actually does
Job Functions

What a junior GRC analyst actually does

Twenty-five concrete responsibilities, each explained with inputs, outputs, documents, a beginner example, and the common mistakes that get juniors into trouble.

26 functions

Risk Assessments

Risk

A structured exercise to identify what could go wrong, how bad it would be, and how likely it is — across assets, processes, or projects.

Why it matters

Risk assessments are the input to almost everything else GRC does: which controls to prioritize, which findings matter, what to tell leadership.

When it's done

Annually at minimum, plus when launching new systems, vendors, products, or after a significant incident.

How it shows up in the role

Expect to facilitate 2–6 risk workshops per quarter and own the risk register hygiene.

Inputs
  • Asset inventory
  • Threat intelligence
  • Existing control list
  • Incident history
  • Business context interviews
Outputs
  • Ranked list of risks
  • Inherent and residual ratings
  • Recommended treatments
  • Updates to the risk register
Documents
  • Risk assessment report
  • Risk register entries
  • Treatment plan
Beginner example

A junior analyst interviews the engineering lead about a new customer-facing API, identifies 'unauthenticated endpoint exposes PII' as a risk, rates it High inherent, and recommends WAF + rate limiting + auth middleware to bring it to Low residual.

Common mistakes
  • Treating likelihood/impact as gut feeling without a defined scale.
  • Identifying 'risks' that are actually controls (e.g., 'no MFA') instead of the underlying risk (e.g., 'credential theft leads to data exposure').
  • Never updating ratings as controls are implemented.

Risk Register Maintenance

Risk

The living catalog of identified risks with owners, ratings, treatments, due dates, and current status.

Why it matters

Without a register, risks live in slide decks and emails and nothing gets actioned.

When it's done

Continuously — updates after every assessment, control change, or incident.

How it shows up in the role

Often the analyst owns weekly register hygiene and a monthly aging report.

Inputs
  • Risk assessment outputs
  • Incident reports
  • Audit findings
  • Control change tickets
Outputs
  • Up-to-date register
  • Aging report
  • Trend metrics for leadership
Documents
  • Risk register (spreadsheet or GRC tool)
  • Risk acceptance memos
Beginner example

Closing out R-024 ('Lack of MFA on admin portal') after engineering deploys Okta SSO + MFA and provides screenshots as evidence.

Common mistakes
  • Letting risks sit 'Open — In Progress' for 18 months.
  • No owner field, so nothing moves.
  • Mixing risk language ('what bad thing could happen') with control language ('we don't do X').

Asset, Threat & Vulnerability Identification

Risk

The triple at the core of any risk: what we're protecting (assets), what could harm it (threats), and the weaknesses that let it happen (vulnerabilities).

Why it matters

Risk ratings only make sense in this triple. 'A breach' isn't a risk; 'theft of customer PII via SQL injection on the public API' is.

When it's done

Inside every risk assessment.

How it shows up in the role

You'll partner with security engineering to translate scanner output into business-relevant risks.

Inputs
  • CMDB / asset inventory
  • Data classification
  • Threat intel feeds
  • Vulnerability scanner output
  • Pen test reports
Outputs
  • A-T-V statements ready to be scored
Documents
  • Asset register
  • Threat catalog
  • Vulnerability list
Beginner example

Asset: customer database. Threat: external attacker. Vulnerability: unpatched CVE-2024-XXXX on the bastion host.

Common mistakes
  • Skipping the asset step and jumping straight to scenarios.
  • Treating every CVE as a separate risk instead of grouping by attack chain.

Likelihood & Impact Scoring

Risk

Assigning a defensible rating to how often something might happen and how bad it would be if it did.

Why it matters

Drives prioritization. Without consistent scoring, the loudest stakeholder always 'wins.'

When it's done

Every risk assessment and risk register update.

How it shows up in the role

Expect to defend ratings in management review — be ready to point at the scale.

Inputs
  • Scoring scale definitions
  • Historical incident data
  • Industry benchmarks
Outputs
  • Numeric or qualitative ratings (e.g., 1–5)
  • Heat map placement
Documents
  • Risk scoring methodology
  • Risk register
Beginner example

Using a 5x5 matrix where Likelihood 4 = 'happens annually' and Impact 5 = '>$10M loss or major regulatory action.'

Common mistakes
  • Re-defining the scale per assessment.
  • Compressing everything into 'medium.'
  • Confusing inherent vs residual.

Risk Treatment Decisions

Risk

Choosing what to do with each risk: treat, transfer, tolerate, or terminate.

Why it matters

Every risk needs an explicit decision and an owner. Defaulting to 'we'll fix it eventually' is not a treatment.

When it's done

After scoring and before the risk hits the register as 'open.'

How it shows up in the role

You won't sign acceptance memos as a junior, but you'll draft them and chase the signatures.

Inputs
  • Risk rating
  • Cost of treatment
  • Business context
  • Risk appetite
Outputs
  • Documented treatment decision
  • Risk acceptance memo if tolerating
Documents
  • Risk treatment plan
  • Risk acceptance memos signed by an appropriate executive
Beginner example

A risk rated Medium with $500k remediation cost and $50k potential loss is tolerated for 12 months with the CFO signing the acceptance memo.

Common mistakes
  • Accepting risks without an authorized signer.
  • Choosing 'treat' but never assigning a fix-by date.

Documenting Controls

Controls

Writing clear, auditable descriptions of how a control works — owner, frequency, evidence, system of record.

Why it matters

An undocumented control is an unauditable control. Auditors test what's written, not what people remember.

When it's done

When a new control is implemented, when ownership changes, and at least annually.

How it shows up in the role

Expect to interview 1–3 control owners per week during a SOC 2 audit window.

Inputs
  • Process walkthroughs with control owners
  • Sample evidence
  • System screenshots
Outputs
  • Control narrative
  • Updated control matrix entry
Documents
  • Control matrix
  • Process narratives
  • Evidence index
Beginner example

Documenting CC6.2 (new-hire access provisioning) including: ticket system, approver, SLA, screenshot of the access form, frequency of review.

Common mistakes
  • Describing tools instead of process.
  • Listing 'we use X tool' with no actual control activity.

Control Mapping

Controls

Showing that one control satisfies obligations across multiple frameworks (e.g., MFA = CSF PR.AA-02 + ISO A.8.5 + SOC 2 CC6.1).

Why it matters

You don't want to run separate audits per framework. Mapping enables one control to cover many requirements.

When it's done

When picking up a new framework or building a unified control framework (UCF).

How it shows up in the role

The Secure Controls Framework (SCF) is your friend for cross-framework mapping work.

Inputs
  • Existing control matrix
  • New framework requirements
  • Authoritative crosswalks (NIST, CSA CCM, SCF)
Outputs
  • Mapping table
  • Gap list (requirements not yet covered)
Documents
  • Unified control matrix
  • Framework mapping spreadsheet
Beginner example

Mapping one 'Annual Access Review' control to SOC 2 CC6.3, ISO A.5.18, and HIPAA §164.308(a)(4).

Common mistakes
  • Mapping by keyword instead of by intent.
  • Creating phantom coverage — claiming a control satisfies a requirement it actually doesn't.

Policy, Standard & Procedure Writing

Controls

Drafting the hierarchical documents that tell the organization what it must do (policy), the specific rules (standard), and the steps to do it (procedure).

Why it matters

Policies set the floor for control expectations and are foundational evidence in every audit.

When it's done

Initial program setup, annual review cycle, and when controls change materially.

How it shows up in the role

You'll often be the first drafter and the librarian — owning the review cycle calendar.

Inputs
  • Existing policy library
  • Framework requirements
  • Stakeholder interviews
Outputs
  • Draft document
  • Reviewer comments
  • Approved policy with version history
Documents
  • Policy
  • Standards
  • Procedures
  • Approval record
Beginner example

Writing an Access Control Policy (principle) backed by an MFA Standard (must use phishing-resistant MFA for admin roles) and a Joiner-Mover-Leaver Procedure (the actual steps).

Common mistakes
  • Cramming procedures into the policy itself.
  • Never updating the version table.
  • Policies that read like legal disclaimers and tell no one what to do.

Evidence Collection

Compliance

Gathering proof that a control operated as designed during the audit period — tickets, screenshots, exports, signed forms.

Why it matters

Auditors don't take your word. Evidence is the currency of compliance work.

When it's done

Year-round for Type II audits; spikes during fieldwork.

How it shows up in the role

This is 30–60% of a junior SOC 2 analyst's life during audit fieldwork.

Inputs
  • PBC list (Provided By Client)
  • Sample selections
  • Control matrix
Outputs
  • Evidence package per control
  • Cross-reference index
Documents
  • Evidence index
  • Auditor request tracker
Beginner example

For sample item #12 (a Q2 production change), pulling the Jira ticket, the PR with code review approval, the change-advisory-board ticket, and the deployment log.

Common mistakes
  • Sending raw exports without context.
  • Pulling screenshots after the period ends.
  • Missing the sample window.

Audit Support

Compliance

Acting as the central coordinator between auditors and internal control owners — scheduling walkthroughs, fielding questions, tracking requests.

Why it matters

Without a coordinator, auditors interrupt engineers randomly and findings multiply.

When it's done

Throughout fieldwork plus pre-kickoff and post-fieldwork phases.

How it shows up in the role

Plan to be in the audit Slack channel 4–6 hours/day during fieldwork.

Inputs
  • Audit plan
  • PBC list
  • Control owner contacts
Outputs
  • Walkthrough schedule
  • Request tracker
  • Findings log
Documents
  • Auditor request tracker
  • Walkthrough notes
Beginner example

Scheduling a 30-minute walkthrough between the auditor and the SRE lead, with the change management procedure pre-shared.

Common mistakes
  • Letting auditors talk directly to engineers without prep.
  • No single source of truth for outstanding requests.

Internal Audit Readiness

Compliance

Running mock audits before the real one to catch broken controls early.

Why it matters

It's cheaper to find a broken control yourself than to take an exception in the final report.

When it's done

Quarterly for mature programs; at minimum once before the audit window opens.

How it shows up in the role

Often you run the testing while your manager reviews and signs off.

Inputs
  • Control matrix
  • Sample populations
  • Test scripts
Outputs
  • Internal audit report
  • Remediation list
Documents
  • Test scripts
  • Internal audit findings
Beginner example

Sampling 5 of 50 quarterly access reviews and finding 2 were completed but not signed; opening remediation tickets before the auditor sees them.

Common mistakes
  • Treating internal audit as box-ticking.
  • Not actioning findings.

External Audit Readiness

Compliance

All the prep work before external auditors arrive: scope confirmation, kickoff, PBC prep, walkthrough prep.

Why it matters

Half the audit's success is set before fieldwork starts.

When it's done

4–8 weeks before fieldwork.

How it shows up in the role

You'll often own the PBC tracker end-to-end.

Inputs
  • Last year's report
  • Updated control matrix
  • PBC list
Outputs
  • Kickoff deck
  • Pre-populated PBC
  • Walkthrough schedule
Documents
  • Kickoff deck
  • Updated SSP / system description
Beginner example

Updating the SOC 2 system description with new product lines and pre-pulling 60% of the PBC items before the auditors send their request list.

Common mistakes
  • Scope creep discovered in fieldwork.
  • Stale system description.

Gap Assessments

Compliance

Comparing current state to a target framework or standard and listing what's missing.

Why it matters

Before you can certify or comply, you have to know what's missing.

When it's done

Before adopting a new framework, after major org changes, or as a customer requirement.

How it shows up in the role

A common 'first big project' for a new junior GRC analyst.

Inputs
  • Framework requirements
  • Current control matrix
  • Process interviews
Outputs
  • Gap list with severity and effort estimates
  • Remediation roadmap
Documents
  • Gap assessment report
Beginner example

Comparing the existing security program to ISO 27001:2022 and finding 14 gaps — most around supplier management (A.5.19–A.5.22).

Common mistakes
  • Calling 'no documentation' the same severity as 'no control.'
  • Producing a gap list without effort estimates — leadership can't prioritize.

Remediation Tracking

Compliance

Owning the list of open findings and chasing them to closure with evidence.

Why it matters

Findings that linger become repeat findings, which become qualified opinions or failed certifications.

When it's done

Continuously after any audit, assessment, or pen test.

How it shows up in the role

Usually the analyst's responsibility, with escalation paths to a manager when items slip.

Inputs
  • Findings
  • Owners
  • Target dates
Outputs
  • Weekly aging report
  • Closure evidence
Documents
  • Remediation tracker
  • Closure memos
Beginner example

F-2024-08 (no quarterly firewall rule review) — owner: Network Eng; due: 2024-11-30; evidence: signed review log in SharePoint.

Common mistakes
  • No SLA per severity.
  • Closing items without evidence.

Exception Management

Compliance

Formally documenting where the org is operating outside a policy or control, with compensating measures and an expiration date.

Why it matters

Reality demands exceptions. Undocumented exceptions are findings; documented ones are managed risks.

When it's done

Whenever an exception is requested by a business unit or surfaced by an audit.

How it shows up in the role

You'll often draft the exception, the engineering team will sign as owner, the CISO will sign as approver.

Inputs
  • Exception request
  • Risk rating
  • Compensating controls
Outputs
  • Approved exception record
  • Renewal calendar
Documents
  • Exception register
  • Approval memos
Beginner example

Engineering can't enable MFA on a legacy service account for 90 days; exception is approved with conditions: IP allow-listing and rotation every 30 days.

Common mistakes
  • Exceptions with no end date.
  • Compensating controls that aren't actually compensating.

Compliance Tracking

Compliance

Maintaining a calendar/dashboard of all the certifications, audits, assessments, and reports the org owes, with due dates and statuses.

Why it matters

Missing a recertification deadline can be a contractual breach.

When it's done

Always — typically a recurring weekly check.

How it shows up in the role

A simple, high-leverage thing a junior analyst can own outright.

Inputs
  • Certificate expiry dates
  • Customer contracts
  • Regulatory calendars
Outputs
  • Compliance calendar
  • Status dashboard
Documents
  • Compliance tracker
Beginner example

Tracking SOC 2 Type II window (Apr-Dec), ISO 27001 surveillance audit (Sept), PCI DSS SAQ (Feb).

Common mistakes
  • Not building 60-day buffer for prep.
  • No backup owner.

Third-Party Risk Management

Vendor

Assessing and monitoring the security and resilience of vendors that touch your data or systems.

Why it matters

Most breaches involve a third party. Your customers will ask how you manage yours.

When it's done

Pre-contract for new vendors; annually or by tier thereafter.

How it shows up in the role

Often run a queue of 5–20 active vendor reviews at any time.

Inputs
  • Vendor list
  • Data shared
  • Service criticality
  • Vendor evidence (SOC 2, ISO cert)
Outputs
  • Vendor risk rating
  • Approval/conditions/rejection
  • Re-assessment date
Documents
  • Vendor inventory
  • TPRM questionnaire
  • Risk assessment per vendor
Beginner example

A new analytics vendor that processes pseudonymized event data is rated Medium; approved with SCCs in the DPA and re-assessment in 12 months.

Common mistakes
  • Treating all vendors the same.
  • Trusting a SOC 2 report cover page without reading the exceptions.

Vendor Questionnaire Review

Vendor

Reading the security responses a vendor sends (CAIQ, SIG, custom) and turning them into a risk rating + follow-up questions.

Why it matters

Questionnaires are noisy. Skilled review is what extracts real risk signal.

When it's done

Inside every TPRM review for a new or material vendor.

How it shows up in the role

This is daily work in vendor-heavy orgs.

Inputs
  • Completed questionnaire
  • Supporting evidence (SOC 2, pen test summary)
Outputs
  • Findings list
  • Follow-up questions
  • Rating recommendation
Documents
  • Reviewed questionnaire with annotations
Beginner example

Vendor answers 'Yes — MFA enforced' but their SOC 2 report has an exception for admin users; follow up before approving.

Common mistakes
  • Accepting Yes/No answers at face value.
  • Ignoring exceptions in the SOC 2 report.

Issue Tracking

Compliance

Logging every control deficiency, audit finding, or self-identified issue in a single tracker with severity, owner, due date, and status.

Why it matters

Issues scattered across emails and slides never close. A single tracker is the management view.

When it's done

Continuously.

How it shows up in the role

Often paired with remediation tracking under one role.

Inputs
  • Audit findings
  • Self-identified issues
  • Incident lessons-learned
Outputs
  • Issue log
  • Aging metrics
Documents
  • Issue log
Beginner example

Logging I-2024-031 (segregation of duties — same engineer can deploy and approve) with severity High and owner Platform Eng Manager.

Common mistakes
  • Severity inflation.
  • Closing without evidence.

Metrics & Reporting

Reporting

Distilling program activity into a small number of metrics leadership can act on.

Why it matters

If leadership doesn't see progress, the program loses funding.

When it's done

Monthly for execs; quarterly for the board.

How it shows up in the role

You'll often build the slides. Your manager will deliver them.

Inputs
  • Risk register
  • Issue log
  • Training completion
  • Vendor inventory
  • Audit status
Outputs
  • Exec dashboard
  • Board pack
Documents
  • Metrics standard
  • Dashboard
Beginner example

Reporting % of critical vendors reassessed in the last 12 months, % of high-risk findings closed within SLA, and trend of open risks by severity.

Common mistakes
  • Vanity metrics (e.g., 'number of policies').
  • No commentary — just numbers.

Stakeholder Communication

Reporting

Translating between security/engineering and business stakeholders — managers, auditors, executives, customers.

Why it matters

GRC sits at the boundary. Clear writing and calm meetings are the actual deliverable half the time.

When it's done

Daily.

How it shows up in the role

A career-defining skill — undervalued by juniors, prized by hiring managers.

Inputs
  • Technical context
  • Audience expertise level
  • Decision needed
Outputs
  • Briefing notes
  • Decision memos
  • Customer responses
Documents
  • Decision memo templates
  • Customer security review responses
Beginner example

Translating an auditor's '20 user accounts in the sample lacked evidence of review' into 'we need to fix our quarterly review process before next audit.'

Common mistakes
  • Speaking auditor-ese to engineers.
  • Speaking engineer-ese to leadership.

Awareness & Training Coordination

Operations

Owning the cadence of security awareness training — content, scheduling, completion tracking, phishing simulations.

Why it matters

Required by nearly every framework, and one of the best ROI investments in security.

When it's done

At hire, annually, and when role/risk changes.

How it shows up in the role

Usually a discrete chunk of the analyst's job — often 5–10% of time.

Inputs
  • Training platform
  • HRIS feed
  • Phishing tool
Outputs
  • Completion reports
  • Phishing campaign results
Documents
  • Training plan
  • Completion records
  • Sanction policy
Beginner example

Quarterly phishing simulation with results reviewed by department; repeat clickers assigned remedial training.

Common mistakes
  • Treating training as one-off.
  • No completion enforcement.

Business Continuity Governance

Operations

Ensuring the BCP is current, tested, and aligned with risk appetite.

Why it matters

Resilience is a board-level concern; the GRC team usually owns the program even if engineers run the technology.

When it's done

Annual plan refresh, quarterly tests, post-incident reviews.

How it shows up in the role

You may coordinate; SRE or IT operations runs the technical recovery.

Inputs
  • Business impact analysis (BIA)
  • Recovery objectives (RTO/RPO)
  • Test results
Outputs
  • Updated BCP
  • Test reports
Documents
  • BCP
  • BIA
  • Tabletop exercise notes
Beginner example

Running an annual tabletop simulating loss of the primary data center; updating the BCP based on gaps found.

Common mistakes
  • Untested plans.
  • BIA based on guesses, not interviews.

Disaster Recovery Governance

Operations

Governance counterpart to BCP for technology recovery — owners, runbooks, evidence of testing.

Why it matters

Auditors will ask for evidence of DR tests at least annually.

When it's done

At least annually; ideally quarterly partial tests.

How it shows up in the role

Coordinator and evidence collector, rarely the executor.

Inputs
  • DR runbooks
  • Test schedule
  • RTO/RPO targets
Outputs
  • DR test results
  • Updated runbooks
Documents
  • DR plan
  • Test reports
Beginner example

Quarterly failover test from primary to DR region; documenting that recovery time hit the 2-hour RTO.

Common mistakes
  • Backup testing confused with DR testing.
  • Plans untested for 2+ years.

Incident Governance Support

Operations

The governance layer around incident response — making sure plans exist, are tested, lessons learned are captured and acted on.

Why it matters

Incidents are inevitable. Good governance turns each one into a control improvement.

When it's done

Plan review annually, tabletop quarterly, after-action immediately post-incident.

How it shows up in the role

GRC supports IR; SecOps leads it.

Inputs
  • IR plan
  • Post-incident reviews
  • Trend data
Outputs
  • Updated IR plan
  • Lessons-learned tracker
  • Improvement actions
Documents
  • IR plan
  • PIR template
  • Improvement backlog
Beginner example

After a credential-stuffing incident, opening 3 control improvement items: rate limiting, breached-password monitoring, MFA on a missed endpoint.

Common mistakes
  • PIRs that name no actions.
  • Actions that are never closed.

Security Documentation Management

Operations

Owning the library — policies, standards, procedures, plans — with versioning, ownership, review dates, and access controls.

Why it matters

Auditors will ask: who owns this, when was it last reviewed, who approved it. A messy library = repeat findings.

When it's done

Continuously.

How it shows up in the role

A simple, high-trust thing for a junior to own from day one.

Inputs
  • Document inventory
  • Review calendar
Outputs
  • Up-to-date library
  • Review calendar
  • Approval records
Documents
  • Document index
  • Review schedule
Beginner example

Maintaining a single inventory of 32 security documents with owner, last review date, next review date, and approval evidence link.

Common mistakes
  • Multiple versions floating in different SharePoints.
  • No retirement process for old docs.