What a junior GRC analyst actually does
Twenty-five concrete responsibilities, each explained with inputs, outputs, documents, a beginner example, and the common mistakes that get juniors into trouble.
Risk Assessments
A structured exercise to identify what could go wrong, how bad it would be, and how likely it is — across assets, processes, or projects.
Risk assessments are the input to almost everything else GRC does: which controls to prioritize, which findings matter, what to tell leadership.
Annually at minimum, plus when launching new systems, vendors, products, or after a significant incident.
Expect to facilitate 2–6 risk workshops per quarter and own the risk register hygiene.
- • Asset inventory
- • Threat intelligence
- • Existing control list
- • Incident history
- • Business context interviews
- • Ranked list of risks
- • Inherent and residual ratings
- • Recommended treatments
- • Updates to the risk register
- • Risk assessment report
- • Risk register entries
- • Treatment plan
A junior analyst interviews the engineering lead about a new customer-facing API, identifies 'unauthenticated endpoint exposes PII' as a risk, rates it High inherent, and recommends WAF + rate limiting + auth middleware to bring it to Low residual.
- • Treating likelihood/impact as gut feeling without a defined scale.
- • Identifying 'risks' that are actually controls (e.g., 'no MFA') instead of the underlying risk (e.g., 'credential theft leads to data exposure').
- • Never updating ratings as controls are implemented.
Risk Register Maintenance
The living catalog of identified risks with owners, ratings, treatments, due dates, and current status.
Without a register, risks live in slide decks and emails and nothing gets actioned.
Continuously — updates after every assessment, control change, or incident.
Often the analyst owns weekly register hygiene and a monthly aging report.
- • Risk assessment outputs
- • Incident reports
- • Audit findings
- • Control change tickets
- • Up-to-date register
- • Aging report
- • Trend metrics for leadership
- • Risk register (spreadsheet or GRC tool)
- • Risk acceptance memos
Closing out R-024 ('Lack of MFA on admin portal') after engineering deploys Okta SSO + MFA and provides screenshots as evidence.
- • Letting risks sit 'Open — In Progress' for 18 months.
- • No owner field, so nothing moves.
- • Mixing risk language ('what bad thing could happen') with control language ('we don't do X').
Asset, Threat & Vulnerability Identification
The triple at the core of any risk: what we're protecting (assets), what could harm it (threats), and the weaknesses that let it happen (vulnerabilities).
Risk ratings only make sense in this triple. 'A breach' isn't a risk; 'theft of customer PII via SQL injection on the public API' is.
Inside every risk assessment.
You'll partner with security engineering to translate scanner output into business-relevant risks.
- • CMDB / asset inventory
- • Data classification
- • Threat intel feeds
- • Vulnerability scanner output
- • Pen test reports
- • A-T-V statements ready to be scored
- • Asset register
- • Threat catalog
- • Vulnerability list
Asset: customer database. Threat: external attacker. Vulnerability: unpatched CVE-2024-XXXX on the bastion host.
- • Skipping the asset step and jumping straight to scenarios.
- • Treating every CVE as a separate risk instead of grouping by attack chain.
Likelihood & Impact Scoring
Assigning a defensible rating to how often something might happen and how bad it would be if it did.
Drives prioritization. Without consistent scoring, the loudest stakeholder always 'wins.'
Every risk assessment and risk register update.
Expect to defend ratings in management review — be ready to point at the scale.
- • Scoring scale definitions
- • Historical incident data
- • Industry benchmarks
- • Numeric or qualitative ratings (e.g., 1–5)
- • Heat map placement
- • Risk scoring methodology
- • Risk register
Using a 5x5 matrix where Likelihood 4 = 'happens annually' and Impact 5 = '>$10M loss or major regulatory action.'
- • Re-defining the scale per assessment.
- • Compressing everything into 'medium.'
- • Confusing inherent vs residual.
Risk Treatment Decisions
Choosing what to do with each risk: treat, transfer, tolerate, or terminate.
Every risk needs an explicit decision and an owner. Defaulting to 'we'll fix it eventually' is not a treatment.
After scoring and before the risk hits the register as 'open.'
You won't sign acceptance memos as a junior, but you'll draft them and chase the signatures.
- • Risk rating
- • Cost of treatment
- • Business context
- • Risk appetite
- • Documented treatment decision
- • Risk acceptance memo if tolerating
- • Risk treatment plan
- • Risk acceptance memos signed by an appropriate executive
A risk rated Medium with $500k remediation cost and $50k potential loss is tolerated for 12 months with the CFO signing the acceptance memo.
- • Accepting risks without an authorized signer.
- • Choosing 'treat' but never assigning a fix-by date.
Documenting Controls
Writing clear, auditable descriptions of how a control works — owner, frequency, evidence, system of record.
An undocumented control is an unauditable control. Auditors test what's written, not what people remember.
When a new control is implemented, when ownership changes, and at least annually.
Expect to interview 1–3 control owners per week during a SOC 2 audit window.
- • Process walkthroughs with control owners
- • Sample evidence
- • System screenshots
- • Control narrative
- • Updated control matrix entry
- • Control matrix
- • Process narratives
- • Evidence index
Documenting CC6.2 (new-hire access provisioning) including: ticket system, approver, SLA, screenshot of the access form, frequency of review.
- • Describing tools instead of process.
- • Listing 'we use X tool' with no actual control activity.
Control Mapping
Showing that one control satisfies obligations across multiple frameworks (e.g., MFA = CSF PR.AA-02 + ISO A.8.5 + SOC 2 CC6.1).
You don't want to run separate audits per framework. Mapping enables one control to cover many requirements.
When picking up a new framework or building a unified control framework (UCF).
The Secure Controls Framework (SCF) is your friend for cross-framework mapping work.
- • Existing control matrix
- • New framework requirements
- • Authoritative crosswalks (NIST, CSA CCM, SCF)
- • Mapping table
- • Gap list (requirements not yet covered)
- • Unified control matrix
- • Framework mapping spreadsheet
Mapping one 'Annual Access Review' control to SOC 2 CC6.3, ISO A.5.18, and HIPAA §164.308(a)(4).
- • Mapping by keyword instead of by intent.
- • Creating phantom coverage — claiming a control satisfies a requirement it actually doesn't.
Policy, Standard & Procedure Writing
Drafting the hierarchical documents that tell the organization what it must do (policy), the specific rules (standard), and the steps to do it (procedure).
Policies set the floor for control expectations and are foundational evidence in every audit.
Initial program setup, annual review cycle, and when controls change materially.
You'll often be the first drafter and the librarian — owning the review cycle calendar.
- • Existing policy library
- • Framework requirements
- • Stakeholder interviews
- • Draft document
- • Reviewer comments
- • Approved policy with version history
- • Policy
- • Standards
- • Procedures
- • Approval record
Writing an Access Control Policy (principle) backed by an MFA Standard (must use phishing-resistant MFA for admin roles) and a Joiner-Mover-Leaver Procedure (the actual steps).
- • Cramming procedures into the policy itself.
- • Never updating the version table.
- • Policies that read like legal disclaimers and tell no one what to do.
Evidence Collection
Gathering proof that a control operated as designed during the audit period — tickets, screenshots, exports, signed forms.
Auditors don't take your word. Evidence is the currency of compliance work.
Year-round for Type II audits; spikes during fieldwork.
This is 30–60% of a junior SOC 2 analyst's life during audit fieldwork.
- • PBC list (Provided By Client)
- • Sample selections
- • Control matrix
- • Evidence package per control
- • Cross-reference index
- • Evidence index
- • Auditor request tracker
For sample item #12 (a Q2 production change), pulling the Jira ticket, the PR with code review approval, the change-advisory-board ticket, and the deployment log.
- • Sending raw exports without context.
- • Pulling screenshots after the period ends.
- • Missing the sample window.
Audit Support
Acting as the central coordinator between auditors and internal control owners — scheduling walkthroughs, fielding questions, tracking requests.
Without a coordinator, auditors interrupt engineers randomly and findings multiply.
Throughout fieldwork plus pre-kickoff and post-fieldwork phases.
Plan to be in the audit Slack channel 4–6 hours/day during fieldwork.
- • Audit plan
- • PBC list
- • Control owner contacts
- • Walkthrough schedule
- • Request tracker
- • Findings log
- • Auditor request tracker
- • Walkthrough notes
Scheduling a 30-minute walkthrough between the auditor and the SRE lead, with the change management procedure pre-shared.
- • Letting auditors talk directly to engineers without prep.
- • No single source of truth for outstanding requests.
Internal Audit Readiness
Running mock audits before the real one to catch broken controls early.
It's cheaper to find a broken control yourself than to take an exception in the final report.
Quarterly for mature programs; at minimum once before the audit window opens.
Often you run the testing while your manager reviews and signs off.
- • Control matrix
- • Sample populations
- • Test scripts
- • Internal audit report
- • Remediation list
- • Test scripts
- • Internal audit findings
Sampling 5 of 50 quarterly access reviews and finding 2 were completed but not signed; opening remediation tickets before the auditor sees them.
- • Treating internal audit as box-ticking.
- • Not actioning findings.
External Audit Readiness
All the prep work before external auditors arrive: scope confirmation, kickoff, PBC prep, walkthrough prep.
Half the audit's success is set before fieldwork starts.
4–8 weeks before fieldwork.
You'll often own the PBC tracker end-to-end.
- • Last year's report
- • Updated control matrix
- • PBC list
- • Kickoff deck
- • Pre-populated PBC
- • Walkthrough schedule
- • Kickoff deck
- • Updated SSP / system description
Updating the SOC 2 system description with new product lines and pre-pulling 60% of the PBC items before the auditors send their request list.
- • Scope creep discovered in fieldwork.
- • Stale system description.
Gap Assessments
Comparing current state to a target framework or standard and listing what's missing.
Before you can certify or comply, you have to know what's missing.
Before adopting a new framework, after major org changes, or as a customer requirement.
A common 'first big project' for a new junior GRC analyst.
- • Framework requirements
- • Current control matrix
- • Process interviews
- • Gap list with severity and effort estimates
- • Remediation roadmap
- • Gap assessment report
Comparing the existing security program to ISO 27001:2022 and finding 14 gaps — most around supplier management (A.5.19–A.5.22).
- • Calling 'no documentation' the same severity as 'no control.'
- • Producing a gap list without effort estimates — leadership can't prioritize.
Remediation Tracking
Owning the list of open findings and chasing them to closure with evidence.
Findings that linger become repeat findings, which become qualified opinions or failed certifications.
Continuously after any audit, assessment, or pen test.
Usually the analyst's responsibility, with escalation paths to a manager when items slip.
- • Findings
- • Owners
- • Target dates
- • Weekly aging report
- • Closure evidence
- • Remediation tracker
- • Closure memos
F-2024-08 (no quarterly firewall rule review) — owner: Network Eng; due: 2024-11-30; evidence: signed review log in SharePoint.
- • No SLA per severity.
- • Closing items without evidence.
Exception Management
Formally documenting where the org is operating outside a policy or control, with compensating measures and an expiration date.
Reality demands exceptions. Undocumented exceptions are findings; documented ones are managed risks.
Whenever an exception is requested by a business unit or surfaced by an audit.
You'll often draft the exception, the engineering team will sign as owner, the CISO will sign as approver.
- • Exception request
- • Risk rating
- • Compensating controls
- • Approved exception record
- • Renewal calendar
- • Exception register
- • Approval memos
Engineering can't enable MFA on a legacy service account for 90 days; exception is approved with conditions: IP allow-listing and rotation every 30 days.
- • Exceptions with no end date.
- • Compensating controls that aren't actually compensating.
Compliance Tracking
Maintaining a calendar/dashboard of all the certifications, audits, assessments, and reports the org owes, with due dates and statuses.
Missing a recertification deadline can be a contractual breach.
Always — typically a recurring weekly check.
A simple, high-leverage thing a junior analyst can own outright.
- • Certificate expiry dates
- • Customer contracts
- • Regulatory calendars
- • Compliance calendar
- • Status dashboard
- • Compliance tracker
Tracking SOC 2 Type II window (Apr-Dec), ISO 27001 surveillance audit (Sept), PCI DSS SAQ (Feb).
- • Not building 60-day buffer for prep.
- • No backup owner.
Third-Party Risk Management
Assessing and monitoring the security and resilience of vendors that touch your data or systems.
Most breaches involve a third party. Your customers will ask how you manage yours.
Pre-contract for new vendors; annually or by tier thereafter.
Often run a queue of 5–20 active vendor reviews at any time.
- • Vendor list
- • Data shared
- • Service criticality
- • Vendor evidence (SOC 2, ISO cert)
- • Vendor risk rating
- • Approval/conditions/rejection
- • Re-assessment date
- • Vendor inventory
- • TPRM questionnaire
- • Risk assessment per vendor
A new analytics vendor that processes pseudonymized event data is rated Medium; approved with SCCs in the DPA and re-assessment in 12 months.
- • Treating all vendors the same.
- • Trusting a SOC 2 report cover page without reading the exceptions.
Vendor Questionnaire Review
Reading the security responses a vendor sends (CAIQ, SIG, custom) and turning them into a risk rating + follow-up questions.
Questionnaires are noisy. Skilled review is what extracts real risk signal.
Inside every TPRM review for a new or material vendor.
This is daily work in vendor-heavy orgs.
- • Completed questionnaire
- • Supporting evidence (SOC 2, pen test summary)
- • Findings list
- • Follow-up questions
- • Rating recommendation
- • Reviewed questionnaire with annotations
Vendor answers 'Yes — MFA enforced' but their SOC 2 report has an exception for admin users; follow up before approving.
- • Accepting Yes/No answers at face value.
- • Ignoring exceptions in the SOC 2 report.
Issue Tracking
Logging every control deficiency, audit finding, or self-identified issue in a single tracker with severity, owner, due date, and status.
Issues scattered across emails and slides never close. A single tracker is the management view.
Continuously.
Often paired with remediation tracking under one role.
- • Audit findings
- • Self-identified issues
- • Incident lessons-learned
- • Issue log
- • Aging metrics
- • Issue log
Logging I-2024-031 (segregation of duties — same engineer can deploy and approve) with severity High and owner Platform Eng Manager.
- • Severity inflation.
- • Closing without evidence.
Metrics & Reporting
Distilling program activity into a small number of metrics leadership can act on.
If leadership doesn't see progress, the program loses funding.
Monthly for execs; quarterly for the board.
You'll often build the slides. Your manager will deliver them.
- • Risk register
- • Issue log
- • Training completion
- • Vendor inventory
- • Audit status
- • Exec dashboard
- • Board pack
- • Metrics standard
- • Dashboard
Reporting % of critical vendors reassessed in the last 12 months, % of high-risk findings closed within SLA, and trend of open risks by severity.
- • Vanity metrics (e.g., 'number of policies').
- • No commentary — just numbers.
Stakeholder Communication
Translating between security/engineering and business stakeholders — managers, auditors, executives, customers.
GRC sits at the boundary. Clear writing and calm meetings are the actual deliverable half the time.
Daily.
A career-defining skill — undervalued by juniors, prized by hiring managers.
- • Technical context
- • Audience expertise level
- • Decision needed
- • Briefing notes
- • Decision memos
- • Customer responses
- • Decision memo templates
- • Customer security review responses
Translating an auditor's '20 user accounts in the sample lacked evidence of review' into 'we need to fix our quarterly review process before next audit.'
- • Speaking auditor-ese to engineers.
- • Speaking engineer-ese to leadership.
Awareness & Training Coordination
Owning the cadence of security awareness training — content, scheduling, completion tracking, phishing simulations.
Required by nearly every framework, and one of the best ROI investments in security.
At hire, annually, and when role/risk changes.
Usually a discrete chunk of the analyst's job — often 5–10% of time.
- • Training platform
- • HRIS feed
- • Phishing tool
- • Completion reports
- • Phishing campaign results
- • Training plan
- • Completion records
- • Sanction policy
Quarterly phishing simulation with results reviewed by department; repeat clickers assigned remedial training.
- • Treating training as one-off.
- • No completion enforcement.
Business Continuity Governance
Ensuring the BCP is current, tested, and aligned with risk appetite.
Resilience is a board-level concern; the GRC team usually owns the program even if engineers run the technology.
Annual plan refresh, quarterly tests, post-incident reviews.
You may coordinate; SRE or IT operations runs the technical recovery.
- • Business impact analysis (BIA)
- • Recovery objectives (RTO/RPO)
- • Test results
- • Updated BCP
- • Test reports
- • BCP
- • BIA
- • Tabletop exercise notes
Running an annual tabletop simulating loss of the primary data center; updating the BCP based on gaps found.
- • Untested plans.
- • BIA based on guesses, not interviews.
Disaster Recovery Governance
Governance counterpart to BCP for technology recovery — owners, runbooks, evidence of testing.
Auditors will ask for evidence of DR tests at least annually.
At least annually; ideally quarterly partial tests.
Coordinator and evidence collector, rarely the executor.
- • DR runbooks
- • Test schedule
- • RTO/RPO targets
- • DR test results
- • Updated runbooks
- • DR plan
- • Test reports
Quarterly failover test from primary to DR region; documenting that recovery time hit the 2-hour RTO.
- • Backup testing confused with DR testing.
- • Plans untested for 2+ years.
Incident Governance Support
The governance layer around incident response — making sure plans exist, are tested, lessons learned are captured and acted on.
Incidents are inevitable. Good governance turns each one into a control improvement.
Plan review annually, tabletop quarterly, after-action immediately post-incident.
GRC supports IR; SecOps leads it.
- • IR plan
- • Post-incident reviews
- • Trend data
- • Updated IR plan
- • Lessons-learned tracker
- • Improvement actions
- • IR plan
- • PIR template
- • Improvement backlog
After a credential-stuffing incident, opening 3 control improvement items: rate limiting, breached-password monitoring, MFA on a missed endpoint.
- • PIRs that name no actions.
- • Actions that are never closed.
Security Documentation Management
Owning the library — policies, standards, procedures, plans — with versioning, ownership, review dates, and access controls.
Auditors will ask: who owns this, when was it last reviewed, who approved it. A messy library = repeat findings.
Continuously.
A simple, high-trust thing for a junior to own from day one.
- • Document inventory
- • Review calendar
- • Up-to-date library
- • Review calendar
- • Approval records
- • Document index
- • Review schedule
Maintaining a single inventory of 32 security documents with owner, last review date, next review date, and approval evidence link.
- • Multiple versions floating in different SharePoints.
- • No retirement process for old docs.