Security Assurance & Compliance Specialist full time

The Security Assurance & Compliance Specialist protects the confidentiality, integrity, and availability of Mercans’ global payroll SaaS platform and internal infrastructure. This role leads Governance, Risk, and Compliance (GRC) initiatives, ensuring adherence to international data protection laws and maintenance of key security certifications.

Acting as a guardian of sensitive payroll and financial PII, the specialist strengthens client trust through audit management, internal control oversight, and risk governance.

• Maintain compliance with ISO 27001, ISO 27701, and SOC 1 / SOC 2 Type II frameworks.
• Monitor global data privacy regulations (e.g., GDPR, LGPD) and assess operational impact.
• Lead the full lifecycle of external audits, serving as the primary liaison between auditors and internal teams.
• Conduct internal audits and gap assessments to ensure cloud and operational controls meet security objectives.

• Maintain and evolve the Information Security Management System (ISMS).
• Facilitate company-wide risk assessments and DPIAs for new SaaS features and vendors.
• Manage the lifecycle of information security policies, ensuring timely review and approval.
• Define and track KPIs and KRIs for executive reporting.
• Implement AI-driven tools to streamline compliance monitoring and repetitive security tasks.

• Lead responses to enterprise security questionnaires (SIG, CAIQ) and RFPs.
• Collaborate with Legal on security addendums and Data Processing Agreements (DPAs).
• Assess and monitor third-party vendors and sub-processors.
• Maintain Security Trust Center documentation, certifications, and whitepapers.

• Coordinate annual external penetration testing for SaaS platforms and applications.
• Manage vulnerability scanning programs, prioritize findings (CVSS-based), and enforce remediation SLAs.
• Monitor SIEM tools for suspicious activity and unauthorized access.
• Oversee SAST and DAST integration within CI/CD pipelines.
• Utilize AI-enhanced detection tools to improve anomaly monitoring and reduce false positives.

• Lead incident response efforts, including breach notification obligations.
• Conduct post-incident reviews and root cause analysis.
• Oversee Business Continuity and Disaster Recovery (BCDR) planning.
• Coordinate annual Disaster Recovery tests and Tabletop Exercises (TTX).

• Deliver training on secure handling of PII and financial data.
• Conduct phishing simulations and social engineering resilience testing.
• Promote a strong security-first culture across the organization.

• 3+ years of experience in Information Security, GRC, or IT Audit, preferably within SaaS, Fintech, or Payroll environments.
• Strong knowledge of PII protection and data classification standards.
• Experience managing or supporting ISO 27001 or SOC 2 audits.
• Familiarity with global privacy regulations such as GDPR.
• Experience responding to enterprise security questionnaires (SIG, CAIQ).
• Experience with Business Continuity and Disaster Recovery frameworks.
• Strong written and verbal English communication skills.

• Relevant certifications such as CISSP, CISM, CEH, OSCP, or equivalent.
• Familiarity with cloud security practices (AWS, Azure, or GCP).
• Knowledge of scripting languages for security automation (Python, PowerShell, or Bash).