
Team Lead Cybersecurity & GRC

Company: Globals
Job Type: Full Time


Job Description - Team Lead Cybersecurity & GRC

About Globals:


Globals has drastically grown from a small home office to a globally recognized enterprise
offering world-class quality solutions on Cybersecurity, Cyberwarfare, ERP Systems, AI, and
Enterprise Application Development for various industries including Defence, Education,
Government, Financial Services and Transport Industries. Globals has enabled its customers
to be game-changers in their industry through its disruptive and innovative solutions.


Globals is certified as a "Great Place to Work" organization for its laudable work culture that
helps its team members manage work-life, have dedicated hours to upskill and reskill
themselves, and most important to ensure that the projects that they are working on are always
unique, challenging their status quo every time. Our unique work culture has made us one of
the world’s fastest-growing technology companies as recognized and featured by The Economist.


Our excellence in technical stewardship and service-offering expertise has facilitated our clients
ranging from individual entrepreneurs to Fortune Global 500 – to explore new business
opportunities, reduce their operational costs significantly and boost their revenues. Today,
Globals enjoys a strong position in the industry as a high-performing leader through its
technology innovation and remarkable domain expertise. Globals is a CMMI Level 5 certified
company.


About the Role:

The Team Lead – Cybersecurity Compliance, GRC & VAPT Audit Management
will serve as the primary owner of Globals'
external-facing cybersecurity audit and compliance practice. This is a
leadership role with dual accountability: managing and mentoring a VAPT-capable
audit team, and owning the end-to-end delivery of Information Security audits,
GRC engagements, and regulatory compliance assessments for clients spanning
enterprise IT, BFSI, defence supply chain, and critical information
infrastructure sectors.

 

The role requires deep fluency in Indian
regulatory frameworks — including the IT Act 2000, CERT-In Directions, and
NCIIPC guidelines — alongside hands-on proficiency in ISO/IEC 27001 audit
execution. The ideal candidate is not expected to personally conduct VAPT
assessments but must be capable of interpreting VAPT findings, translating them
into boardroom-ready compliance reports, and directing the technical team's
audit workflow with authority.


Responsibilities:


A. ISO 27001 Audit Leadership

  • Plan, manage, and close
    end-to-end ISO/IEC 27001 external and internal audit engagements — covering
    scope definition, Statement of Applicability (SoA) review, control testing,
    evidence evaluation, and audit report preparation.

  • Conduct gap assessments, risk
    treatment plan reviews, and readiness evaluations aligned to ISO/IEC 27001:2022
    Annex A controls.

  • Lead Stage 1 (Documentation
    Review) and Stage 2 (Implementation Audit) activities, coordinating with client
    stakeholders and certification bodies.

  • Prepare and issue
    Non-Conformance Reports (NCRs), Observations, and Corrective Action Plans
    (CAPAs) with clear remediation guidance.

  • Maintain audit programme
    documentation including audit plans, checklists, working papers, and formal
    audit reports to professional CB-grade standards.

 

B. GRC – Governance, Risk & Compliance Engagements

  • Lead IT Security Posture
    Assessments (ISPA) and risk-based control evaluations for enterprise clients,
    producing structured GRC reports with risk registers and treatment roadmaps.

  • Design and implement GRC
    control frameworks tailored to client operating environments — covering policy
    governance, asset management, access control, incident management, and vendor
    risk.

  • Coordinate compliance gap
    analyses against multiple frameworks simultaneously — ISO 27001, SOC 2, GDPR,
    HIPAA, and sector-specific mandates — and produce consolidated compliance
    dashboards.

  • Manage compliance automation
    tool workflows (Sprinto, Drata, Vanta, OneTrust, or equivalent) to track
    evidence collection, control status, and audit readiness.


C. CERT-In & Regulatory Reporting (India-Specific)

  • Own the end-to-end process for
    CERT-In incident reporting for clients under the CERT-In Directions 2022 —
    including 6-hour and 24-hour mandatory reporting workflows, log retention
    compliance, and NTP synchronisation advisory.

  • Prepare and submit structured
    incident reports, vulnerability disclosures, and advisory responses to CERT-In
    on behalf of clients as authorised representative.

  • Advise clients on NCIIPC
    compliance obligations under the National Cyber Security Policy for operators
    of Critical Information Infrastructure (CII) — including sector-specific
    security guidelines for Power, Telecom, Finance, and Government.

  • Conduct compliance readiness
    reviews against the IT Act 2000, IT (Amendment) Act 2008, and associated Rules
    including the IT (Reasonable Security Practices and Procedures and Sensitive
    Personal Data or Information) Rules 2011.

  • Support DPDP Act 2023 (Digital
    Personal Data Protection Act) compliance advisory as it pertains to client data
    handling and security obligations.

  • Liaise with regulatory bodies
    including CERT-In, NCIIPC, MeitY, RBI CISO advisories, and SEBI cybersecurity
    circulars where applicable.

 

D. VAPT Team Management & Report Oversight

  • Lead and manage a team of VAPT
    engineers and security analysts — assigning engagements, reviewing scope
    documents, and ensuring delivery quality and timeliness.

  • Review and validate VAPT
    reports (Network PT, Web App PT, API Security Testing, Thick Client, Wireless,
    and Cloud Security Reviews) for technical accuracy, risk rating calibration
    (CVSS), and narrative clarity before client submission.

  • Translate complex technical
    VAPT findings into executive-level security risk summaries suitable for client
    CISOs, Boards, and Audit Committees.

  • Define and enforce
    engagement-specific Rules of Engagement (RoE), scoping documents, and test
    plans in coordination with the client and technical team.

  • Drive remediation verification
    cycles — scheduling re-testing post-fix and issuing closure certificates with
    updated report revisions.

  • Maintain quality assurance over
    deliverables — ensuring OWASP, PTES, OSSTMM, and NIST SP 800-115 methodology
    alignment where applicable.

 

E. Client & Stakeholder Management

  • Act as the primary
    client-facing point of contact for all cybersecurity audit and compliance
    engagements — managing expectations, presenting findings, and driving closure.

  • Conduct executive debrief
    sessions, boardroom presentations, and risk workshops with client leadership
    including CISOs, CTOs, Compliance Officers, and Legal teams.

  • Manage multi-client engagement
    calendars, coordinating internal VAPT team bandwidth with client timelines and
    regulatory deadlines.

  • Build long-term client
    relationships, identifying opportunities to expand compliance and security
    advisory scope.

     

 




Requirements

Regulatory & Compliance Knowledge

  • Thorough working knowledge of
    the Indian IT Act 2000 and IT (Amendment) Act 2008, including provisions on
    cybersecurity obligations, SPDI Rules, and intermediary liability.

  • Demonstrated experience
    preparing and submitting CERT-In incident reports under the CERT-In Directions
    2022 (mandatory reporting timelines, log formats, and compliance obligations).

  • Familiarity with NCIIPC's
    guidelines for Critical Information Infrastructure operators and
    sector-specific advisories from MeitY, RBI, and SEBI.

  • Sound understanding of DPDP Act
    2023 implications for cybersecurity and data handling compliance.


ISO 27001 Audit Expertise

  • Minimum 2 years of hands-on
    ISO/IEC 27001 audit experience — either as a lead auditor, internal auditor, or
    consulting engagement lead.

  • Ability to independently plan,
    execute, and close ISO 27001 audit cycles including evidence review, control
    testing, NCR issuance, and formal report writing.

  • Working knowledge of ISO/IEC
    27001:2022 changes (new Annex A structure, Clause 6.3 planning of changes,
    etc.).

  • ISO 27001 Lead Auditor
    certification (IRCA/PECB/BSI or equivalent) is mandatory.

 

GRC & Report Writing Skills

  • Proven ability to produce
    high-quality, structured audit and compliance reports suitable for regulatory
    submission, Board review, and certification body assessment.

  • Experience designing GRC
    frameworks, risk registers, control matrices, and compliance dashboards for
    enterprise clients.

  • Proficiency with at least one
    compliance automation platform (Sprinto, Drata, Vanta, OneTrust, Cypago,
    CyberSierra, or equivalent).

 

VAPT Management Skills

  • Ability to review, critique,
    and sign off on VAPT reports across domains — without necessarily conducting
    the assessments personally.

  • Sufficient technical
    understanding of common vulnerability classes (OWASP Top 10, CVEs, CVSS
    scoring, network attack surfaces) to validate findings and challenge
    assumptions.

  • Experience managing or
    coordinating a team of penetration testers or security analysts in a delivery
    context.

 

Preferred Qualification

  • ISO/IEC 42001 (AI Management
    System) awareness or audit experience is a strong advantage, given Globals
    ITES's AI governance practice.

  • Additional certifications
    valued: ISC2 CC, CISA, CISSP, CEH, CompTIA Security+, ISO 27701 Lead Auditor,
    or ISO 9001 Lead Auditor.

  • Experience with other
    frameworks: SOC 2 Type II, HIPAA, GDPR, PCI-DSS, or NIST CSF.

  • Familiarity with OT/ICS
    security frameworks (IEC 62443, NERC CIP) is a plus, given Globals' defence and
    critical infrastructure client base.

  • Prior exposure to government or
    defence sector compliance engagements in India (e.g. DRDO, DPSUs, PSUs) is
    advantageous.

  • B.Tech / B.E. in Computer
    Science, Information Technology, or a related discipline. MBA or post-graduate
    qualification in Information Security Management is a bonus.





Benefits

  • Leadership role in a
    fast-growing cybersecurity practice with defence, national security, and
    enterprise clientele.

  • Exposure to cutting-edge
    domains including AI-driven security, offensive and defensive cyber
    capabilities, and SOC operations.

  • Opportunity to build and shape
    a compliance and audit practice from the ground up, with direct input on
    service line strategy.

  • Meritocratic growth path into a
    CISO advisory or Practice Head role.

  • International exposure through
    Globals' operations in the Middle East and Europe, including The Hague,
    Netherlands.

  • Work in a Great Place to Work®
    certified organisation with a strong people-first culture.

  • Competitive compensation
    commensurate with experience and certifications.




Original job Team Lead Cybersecurity & GRC posted on GrabJobs ©. To flag any issues with this job please use the Report Job button on GrabJobs.