Associate Compliance Manager

Certifications & external audits

Own the certification and surveillance cycle for ISO 27001:2022 and SOC 2 Type II; act as the single point of contact for external auditors.

Plan and execute readiness assessments, gap closure, evidence collection, control walkthroughs, and management responses.

Maintain audit calendars, evidence repositories, and bridge letters between audit windows.

Drive PCI DSS v4.0.1 scope-reduction and assessment activities for in-scope environments.

Maintain Meesho's ISMS aligned to ISO 27001:2022 - all 93 Annex A controls mapped across Organizational, People, Physical and Technological themes, with named owners and live evidence.

Author, review, version-control and socialise security policies, standards, and procedures.

Map controls across frameworks: ISO 27001:2022, SOC 2 TSC, PCI DSS v4.0.1, NIST CSF 2.0, CIS Controls v8, DPDP.

Design, test and continuously improve IT General Controls: access management, change management, IT operations, and SDLC.

Plan and execute internal audits; track findings to closure with engineering and IT.

Build and maintain the enterprise risk register; run RCSA, define KRIs, drive risk treatment plans and residual-risk acceptance with leadership.

Run the full vendor lifecycle: intake → tiering → security due diligence (SIG / CAIQ / SOC 2 / ISO reviews) → contractual controls → continuous monitoring → offboarding.

Partner with Legal and Procurement to embed security clauses in MSAs, DPAs, and sub-processor agreements.

Conduct on-site / virtual vendor audits for tier-1 vendors and report to the security council.

Operationalise the DPDP Act 2023 + DPDP Rules 2025 across the business: DPIAs, consent and notice flows, data-principal rights, 72-hour breach notification, and Records of Processing Activity.

Prepare Meesho for likely Significant Data Fiduciary (SDF) obligations: independent data-auditor coordination, DPO interfacing, algorithmic transparency, and children's-data safeguards.

Track IT Act, CERT-In directions, and sector-specific guidelines as relevant.

Maintain BCP and DR aligned to ISO 22301 - BIAs, RTO/RPO definitions, and annual DR / failover testing.

Run organisation-wide security and privacy awareness: onboarding, refreshers, phishing simulations, and role-based modules.

Respond to seller, partner and enterprise security questionnaires; maintain the Trust Center and security collateral.

4–6 years in security compliance, IT audit, or GRC at a product company (SaaS, fintech, e-commerce, payments, consumer internet).

Hands-on experience driving ISO 27001:2022 end-to-end: gap → implementation → certification → surveillance.

Hands-on experience driving SOC 2 Type II end-to-end, including auditor management.

Strong ITGC experience: access, change, ops, and SDLC control design and testing.

Strong TPRM experience across the full vendor lifecycle.

Working knowledge of cloud (AWS and/or GCP) - shared-responsibility model, CIS benchmarks, native services for evidence (AWS Config, GCP SCC, CloudTrail, IAM Analyzer).

Demonstrated stakeholder management with Engineering, IT, Legal, Product, and external auditors.

Excellent written communication - you'll author policies, audit responses, and risk reports read by senior leadership.

DPDP Act 2023 / DPDP Rules 2025 implementation experience; familiarity with GDPR or ISO 27701.

Hands-on with a GRC platform: Sprinto, Vanta, Drata, OneTrust, AuditBoard, MetricStream, ServiceNow GRC, or Archer.

ISO 22301 BCMS experience.

Exposure to RBI / SEBI / IRDAI sectoral compliance.

PCI DSS v4.0.1 experience.