Group Governance Risk & Compliance (GRC) Analyst

Contact name: Jonathan Savage

Contact email:
Job ref: 079916
Published: about 1 month ago

The Group Information Security Team is responsible for developing and managing technology solutions, services and processes that apply across all Grafton business units to reduce information security risk.

The Group GRC Analyst is a primary contributor to the design, implementation and maintenance of Grafton Group’s information security governance, risk, compliance and culture and awareness programme, to ensure that information security risks are effectively managed, in line with business objectives, strategy and risk appetite.

The role holder will work to improve information security controls in the business, adapting as new security threats emerge and the threat landscape evolves, to reduce the risk of losses to the business.

The role holder will provide specialist security knowledge and be responsible for driving security culture and awareness across Grafton Brands, with the focus expected to be in following areas:

*       Create training and awareness campaigns and support Business Units in delivering them, including videos, e-learning, news bulletins and simulated phishing campaigns.

*       Implementation and operation of information security processes such as third-party security assessment and a mergers and acquisitions framework.

*       Work with subsidiaries to achieve and maintain PCI DSS compliance.

*       Support subsidiaries to track status and progress against the Cyber Security Controls Framework and KPI dashboards.

*       Work with subsidiaries to assist them in identifying and effectively managing cyber security risk.

*       Champion cyber security across the business to embed it into the business culture.

*       Implement and manage a programme of end-to-end controls testing.

*       Provide 2nd line assurance testing and review conformance to control frameworks by tracking actions and determining effectiveness.

*       Maintain Grafton’s suite of policies and standards and support adoption across subsidiaries.

The role holder will be a resourceful, self-motivated individual who is comfortable getting things done in matrix structures. They will have the opportunity to both shape and deliver projects and solutions. They will be expected to apply information security and data protection best practices with pragmatism and common sense.

Key Responsibilities

*         Creation, maintenance and communication of information security technology standards, procedures, and guidelines.

*         Perform security reviews of third parties who provide IT solutions and/or process data for Grafton Group.

*         Reporting on security KPIs such as endpoint EDR coverage, unsupported OS, and vulnerabilities.

*         Work closely with Group and business unit IT teams to ensure appropriate information security and data protection controls are embedded within projects.

*         Perform compliance reporting against appropriate control frameworks and international standards.

*         Complete 2nd line assurance reviews to determine the effectiveness of controls embedded in the business units to ensure compliance with internal security policies, regulations (e.g., GDPR) and industry standards (e.g., PCI DSS).

*         Create training and awareness material and support Business units in delivering it consistently across their businesses.
*       Knowledge of Information Security and risk management practices.

*       Excellent written and oral communication skills, with the ability to effectively communicate at all levels of the organisation.

*       Build and maintain strong, collaborative relationships with technical and non-technical stakeholders.

*       Ability to carry out high-quality data analysis and formal report writing.

*       Experience in designing and implementing written and technical information security standards.

*       Passion for information security and supporting the business in reducing risk, with a proactive attitude toward maintaining up-to-date knowledge.

*       Broad knowledge of IT systems, networking principles and associated technology-based security controls.

*       Knowledge and experience of logical access control management and administration.

*       High level of personal and professional integrity.
*       Knowledge of data protection and information security standards and processes, and delivery of information security projects.

*       Knowledge of PCI-DSS.

*       Experience in delivering security projects relating to Microsoft technologies, including Office 365 security, Azure cloud services security.

*       Knowledge of technical frameworks and best practices.

*       Knowledge of cloud computing and the associated security and control considerations.

At Grafton, we pride ourselves on our people and put diversity, equality and inclusion at the forefront of our recruitment process. We realise how important and valuable it is to have a diverse workforce and the benefits that this brings.

We place great importance on the communities that we operate in. We undertake many local community and charitable support projects and have high levels of longevity within our Teams. We are keen to hear from candidates who are proud to work for a socially responsible company.

We also have many sustainability initiatives on our roadmap to ensure we are operating in ways that are environmentally and socially aware.

We are keen to hear from candidates who share in these values, who are keen to build a career that can grow and develop with our support over time and who have a passion for making a difference.

We also realise that no candidate will meet every single desired qualification in our job requirements, so even if your experience looks a little different from what we have identified and you think you can bring value to the role, we would love to learn more about you.

Company Overview:

Grafton Group is an international business that distributes building materials to tradespeople in the UK, Ireland, Netherlands and Finland and operates in the DIY, Home and Garden retailing market in Ireland.

We also manufacture dry mortar and staircases in the UK. We are a FTSE 250 listed business, and what we do is central to the building, construction and renovation industries across Europe, creating the places where we live, work and play, and working collaboratively to make this industry more sustainable.