Governance, risk and compliance specialist (Candidate Bank)

Vacancy details

General information

Reference

2026-488  

Publication date

25/05/2026

Position description

Departments

Engineering and Quality Control

Job title

Governance, risk and compliance specialist (Candidate Bank)

Contract type

Permanent

Contractual hours

Full-time

Job description

Umano Medical is building a candidate bank for a GRC Specialist who will help structure, run, and continuously improve our governance, risk, and compliance program across enterprise IT and product/medical device cybersecurity. 

You will translate requirements into practical controls, coordinate evidence for audits and regulatory needs, and maintain risk visibility so teams can move fast without losing control. 
This is a high-collaboration role that interfaces with R&D (software/electrical), Quality/Regulatory, IT/OT, Product, and external partners. 

 

Specifically, this is what your day might look like

Governance:

  • Maintain and improve information security policies, standards, and procedures
  • Define security control objectives and baselines for systems, tooling, and development environments 
  • Support governance routines: steering committees, risk reviews, KPI/KRI reporting, control owners, action plans 
  • Keep documentation structured and audit-ready

 

Risk Management:

  • Operate the cyber risk management lifecycle: identification, assessment, treatment, acceptance, and monitoring 
  • Facilitate risk assessments and threat
  • Maintain risk registers for enterprise IT, product/medical device security, OT/manufacturing, and supplier risks
  • Produce concise risk summaries for leadership, including business impact and recommended mitigations 

 

Compliance & Audit Readiness:

  • Support compliance activities aligned to relevant frameworks and expectations
    - ISO 27001 / ISO 27002 and/or NIST CSF (enterprise security program) 
    - Medical device cybersecurity expectations and standards 
    - Quality system environments (e.g., ISO 13485-aligned practices where cybersecurity evidence is needed)
  • Coordinate internal audits, gap assessments, and remediation tracking 
  • Partner with Quality/Regulatory on evidence packages that support regulatory submissions and customer security questionnaires 

 

Third-Party & Supply Chain Security 

  • Manage third-party security risk assessments (vendors, cloud services, software components, manufacturing partners) 
  • Maintain a structured intake and periodic reassessment process (tiering, due diligence, contractual clauses) 
  • Improve security requirements in procurement and supplier onboarding (security addendums, minimum controls) 

 

Security Awareness Enablement

  • Develop targeted awareness content and lightweight training for different audiences (R&D, IT, operations, leadership)
  • Provide templates and checklists that embed GRC into normal workflows (requirements, design reviews, release gates) 

 

Metrics, Reporting, and Continuous

  • Build and maintain dashboards for compliance posture, audit findings, risk trends, remediation aging 
  • Track control effectiveness and close-the-loop improvements 

Profile

 

The profile we're looking for:

  • 3–7+ years in GRC, cybersecurity compliance, risk management, or audit coordination 
  • Practical experience implementing and operating security controls and evidence programs 
  • Familiarity with security frameworks (at least one of: ISO 27001/27002, NIST CSF, CIS Controls) 
  • Strong documentation skills: policies, standards, procedures, risk registers, audit evidence mapping 
  • Ability to work with engineering teams and translate requirements into implementable controls 

 

Join a committed and enthusiastic team within a growing company. People are truly first and foremost here, and you'll feel it from day one.

 

URL Umano

https://carrieres.umanomedical.com/en-ca/career/jobs/grc-specialist/

Position location

Job location

America, Canada, Central Canada, Quebec

Location

Lévis, Québec