Information Security & Compliance Analyst

Gurugram, Haryana, India
Full Time
Experienced

In Office | Full-Time | Gurugram, India 

Department: Information Security & Compliance

Reports To: Information Security Lead

Experience: 2–4 years in GRC / Compliance / Internal Audit

Education: Bachelor’s in Information Security, Computer Science, IT, or related field

About the Role 

We are a healthcare services and technology company serving 270+ healthcare organizations across the US. Our Information Security program is in a high-growth phase, with active certification and compliance initiatives underway across HITRUST, SOC 2, and ISO 27001. 

We are looking for a hands-on compliance execution specialist who will drive our day-to-day security compliance operations. You will work under the direction of our Information Security Lead (a senior consultant with deep healthcare security expertise) and alongside a dedicated Security Operations team. This role focuses on audit readiness, evidence management, vendor compliance, and policy lifecycle management. Our compliance operations run on the Sprinto GRC platform. 

Responsibilities 

Audit Readiness & Evidence Management 

  • Own the end-to-end evidence collection pipeline for HITRUST, SOC 2, and ISO 27001 audits 

  • Maintain and organize the evidence repository (via Sprinto) with zero gaps and audit-trail integrity 

  • Coordinate with cross-functional teams (IT, HR, Operations) to gather evidence on schedule 

  • Prepare audit working papers and support internal and external audit engagements 

  • Track audit findings, remediation action items, and closure timelines 

Policy & Compliance Lifecycle Management 

  • Draft, review, and maintain security policies aligned to NIST CSF, ISO 27001, and HIPAA requirements 

  • Manage policy version control, approval workflows, and acknowledgment tracking 

  • Monitor regulatory changes (HIPAA updates, state privacy laws, emerging standards) and flag implications 

  • Respond to customer compliance questionnaires and security assessments accurately and on time 

  • Manage BAA (Business Associate Agreement) compliance documentation 

Risk Assessment & Vendor Compliance 

  • Support quarterly risk assessments — data collection, evidence gathering, risk scoring 

  • Maintain the risk register and track remediation progress against target timelines 

  • Conduct vendor security assessments as part of the third-party risk management program 

  • Track vendor compliance status, BAA execution, and security posture documentation 

  • Support DLP (Data Loss Prevention) controls monitoring and reporting 

Security Awareness & Reporting 

  • Develop and coordinate security awareness training content (HIPAA, data handling, incident reporting) 

  • Track training completion rates and phishing simulation performance metrics 

  • Support incident response documentation and post-incident reporting 

  • Prepare monthly compliance status reports for management 

Early Impact Opportunities 

This role offers the chance to make a visible contribution from day one. Within your first six months, you will be directly supporting active HITRUST and SOC 2 certification efforts, building evidence pipelines from the ground up, and establishing the compliance processes that the organization will run on going forward. You will have a front-row seat to three concurrent certification programs — a rare level of exposure at this career stage. 

Scope & Focus 

This role sits squarely in the governance, risk, and compliance (GRC) domain. Security strategy and architecture are owned by the Information Security Lead, while technical security operations (vulnerability management, incident response, access controls) are handled by a separate team. Your focus is on keeping the compliance engine running — evidence, documentation, audit readiness, policy lifecycle, and vendor compliance. If you enjoy building structured, repeatable processes and take pride in keeping things organized and audit-ready, this is the right fit. 

Must-Have Qualifications 

  • 2–4 years of experience in GRC, compliance, or internal audit — preferably in healthcare or a regulated industry 

  • Working knowledge of HIPAA/HITECH compliance requirements with hands-on audit or compliance program experience 

  • Experience with at least one GRC platform (Sprinto, Vanta, Drata, OneTrust, or similar). Sprinto experience is a strong plus. 

  • Hands-on experience with evidence collection, audit preparation, and working with external auditors 

  • Familiarity with ISO 27001, SOC 2, or HITRUST frameworks (direct experience with at least one required) 

  • Strong documentation and written communication skills 

  • Self-driven execution style — you take direction well and proactively identify what needs to happen next 

Nice-to-Have 

  • Certifications: ISO 27001 Lead Implementer/Internal Auditor, CISA, CRISC, or HITRUST CCSFP 

  • Experience in a BPO/KPO or healthcare services environment with multi-geography operations 

  • Exposure to vendor risk management and third-party security assessments 

  • Experience supporting HITRUST validated or certified assessments 

  • Familiarity with NIST CSF framework 

Why Join Us 

  • Work directly with a senior security consultant who will mentor your growth in healthcare compliance 

  • Exposure to three concurrent certification programs (HITRUST, SOC 2, ISO 27001) — accelerated learning curve 

  • Clear growth path to Compliance Manager / GRC Manager within 24–36 months based on performance 

  • Multi-geography exposure across US, India, and Philippines operations 

  • Performance-linked bonus tied to certification milestones and operational delivery 
