Senior Governance, Risk, and Compliance Lead

Upwork
Summary
Join Upwork, the world's largest work marketplace, as a Sr. Lead, GRC (Governance, Risk, and Compliance) to strengthen our Information Security program. Lead audit readiness and compliance operations across global frameworks and vendor requirements. Guide audit processes for ISO 27001, SOC 2 Type 2, and Microsoft SSPA. Maintain and evolve the Information Security Management System (ISMS). Collaborate with cross-functional teams to implement controls and address gaps. Monitor and report on enterprise risk, audit findings, and key compliance metrics. Act as the primary point of contact for auditors and stakeholders. Track and interpret changes in regulatory and compliance frameworks. This role offers the chance to influence security strategy and ensure Upwork meets the highest standards in data security and privacy.
Requirements
- 5+ years of experience in GRC, Information Security, or Compliance, ideally in a technology or cloud-first environment
- Proven expertise with ISO 27001, SOC 2, and third-party compliance programs like Microsoft SSPA
- Demonstrated success managing end-to-end audit processes and cross-functional compliance initiatives
- Strong project management, communication, and analytical skills with a track record of influencing cross-functional stakeholders
Responsibilities
- Lead and manage internal and external audits for ISO 27001 and SOC 2 Type 2, including evidence collection, readiness assessments, and remediation tracking
- Own Upwork's compliance with Microsoft Supplier Security and Privacy Assurance (SSPA), including completing the annual DPR and attestation
- Maintain and evolve the Information Security Management System (ISMS) and associated documentation to reflect Upwork's growing business and risk landscape
- Collaborate with Engineering, IT, Legal, and Privacy teams to implement controls and address identified gaps efficiently and effectively
- Monitor and report on the enterprise risk register, audit findings, and key compliance metrics to drive transparency and accountability
- Act as the primary point of contact for auditors, assessors, and external stakeholders during audits and customer due diligence activities
- Track and interpret changes in regulatory and compliance frameworks to guide proactive adaptation and policy updates
Preferred Qualifications
Relevant certifications such as CISA, CRISC, or ISO 27001 Lead Auditor/Implementer are a plus
Benefits
- Comprehensive medical coverage for you and your family
- Unlimited PTO
- A 401(k) plan with matching
- 12 weeks of paid parental leave
- An Employee Stock Purchase Plan