Information Security GRC Analyst III

Brand:

Purpose Financial

Address:

 322 Rhett Street, Greenville, South Carolina, United States

•  29601 Purpose Financial, Inc.

is an innovative consumer financial services company that offers a diverse suite of credit products, promoting financial inclusion and meeting consumers wherever they are. Through its brands, the company is committed to helping customers achieve their version of financial stability in the moment and in the future. Since 1997, Purpose Financial has been a pioneer in the consumer credit and financial services market offering money solutions in over 800 storefronts locations and online lending. Providing services in over 23 states, Purpose Financial employs over 2,500 team members. At Purpose Financial we are always on the lookout for motivated individuals who share in our values of mutual respect to join our team of outstanding professionals. We offer: Competitive Wages Health/Life Benefits Health Savings Account plus Employer Seed 401(k) Savings Plan with Company Match Paid Parental Leave Company Paid Holidays Paid Time Off including Volunteer Time Tuition Reimbursement Business Casual Environment Rewards & Recognition Program Employee Assistance Program Office in downtown Greenville that offers free parking, onsite gym, free snacks/drinks To learn more about Purpose Financial visit Purpose Financial Website. Position Summary Design, implement, audit, and maintain governance, risk management, and compliance (GRC) controls for Purpose Financials information security program. This role is the operational backbone of our compliance posture owing to SOC 2 Type II readiness and certification, driving

ISO 27001

certification and ongoing ISMS maintenance, and supporting the broader Information Security Program across

NIST CSF, NIST SP 800-53/800-171, CIS

Controls, and PCI DSS. The ideal candidate brings an organized, project-managed approach to policy, risk, third-party oversight, audit readiness, and continuous compliance. Partnering closely with IT, SecOps, Legal, Internal Audit, and business stakeholders to protect the information assets owned by or entrusted to the Company.

Job Responsibility Governance & Policy

• Maintain and evolve the Company's information security policies, standards, and controls mapped to

SOC 2, ISO

27001, NIST, and CIS frameworks; manage the policy exception process with documented justification and approval. Risk Management

• Conduct risk assessments, maintain the risk register, and support risk acceptance decisions with structured evidence; escalate material risks to leadership with mitigation plans. Compliance & Audit Readiness
• Own end-to-end audit preparation for SOC 2 Type II and

ISO 27001

certification, including control testing, evidence collection, gap remediation, and findings tracking. Maintain the Company's ISMS, conduct Statement of Applicability (SoA) reviews, support internal audits and management reviews, and serve as the primary liaison with external certification bodies throughout the certification and surveillance audit lifecycle. Control Implementation & Monitoring

• Partner with IT and SecOps to operationalize controls across access management, encryption, logging, vulnerability management, and backup/DR; define evidence sources and test cadence. Continuous Monitoring
• Leverage GRC platform automated monitoring capabilities to maintain real-time visibility into control health; triage failing controls, coordinating remediation with owners, and ensure evidence remains audit-ready throughout the observation period. Evidence Collection & Management
• Maintain a structured evidence repository (e.

g., SharePoint, GRC platform) to support SOC 2 Type II and

ISO 27001

audit cycles; coordinate evidence requests from external auditors, establish and enforce evidence collection cadences (monthly, quarterly, and annual), and ensure completeness and integrity of the evidence package throughout the audit observation period. Third-Party Risk Management (TPRM)

• Manage the third-party risk management program including vendor risk assessments, security questionnaires (SIG/CAIQ), contract review support, and ongoing monitoring of critical vendors to ensure alignment with the Company's security and compliance requirements. Change Management & Control Lifecycle
• Manage the full control lifecycle including new control design, change management, deprecation, and exception handling; ensure all control changes are documented, reviewed, and aligned with SOC 2 Type II and

ISO 27001

audit requirements. Stakeholder Communications & Training

• Develop and deliver control owner training, security awareness materials, and compliance guidance to drive adoption of security controls across business units; serve as a trusted advisor to cross-functional teams on GRC-related obligations and best practices. Metrics & Reporting
• Produce dashboards and status reports on risk posture, control health, and audit readiness for both technical teams and executive/Board-level stakeholders. Operational Support
• Support incident response, BCP/DR planning, and privacy obligations; publish practical guidance and job aids to drive control adoption across the organization.

Job Responsibilities Cont. Education Required Bachelor's degree in Information Security or equivalent experience.

Experience Required 3-5+ years of experience in information security GRC, compliance, or audit roles. Hands-on experience with SOC 2 Type II audits (as auditee, control owner, or auditor). Working knowledge of 

SOC 2, ISO 27001, NIST CSF, NIST SP

800-53, and CIS Controls. Experience maintaining risk registers, conducting risk assessments, and managing remediation tracking. Strong written communication skills

• ability to produce clear policy documents, audit evidence packages, and executive-level reports.

Demonstrated ability to manage multiple workstreams with a project-managed approach. Experience with GRC platforms. Knowledge Required Excellent written and verbal communications skills; adaptability and flexibility to changing environment; and comfortable working in a dynamic, high volume, fast-paced environment. Ability to understand and ensure compliance with policies, procedures, and laws governing our industry/business and products.

Preferred Qualifications:

Experience in financial services, fintech, or consumer lending environments. Familiarity with PCI DSS requirements and control environments.

Certifications:

CISA, CRISC, CISSP, ISO 27001

Lead Auditor/Implementer, or equivalent. Exposure to privacy frameworks (GLBA, CCPA, state-level financial privacy regulations) Ability to work collaboratively with cross-functional teams and influence stakeholders. Physical Requirements Sitting for long periods of time; standing occasionally; walking; bending; squatting; kneeling; pushing/pulling; reaching; twisting; frequent lifting of less than 10 lbs., occasional lifting of up to 20 lbs.; driving and having access during the workday to an insured and reliable transportation; typing; data entry; grasping; transferring items between hands and/or to another person or receptacle; use of office equipment to include computers; ability to travel to, be physically present at, and complete the physical requirements of the position at any assigned location.

Competencies OKRTravel 0-10%Attire Business CasualOther Must be eligible to work in the USA and able to pass a background checkAll qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, or disability.

Requisition ID:

46232