GRC Manager

Boston, MA
Information Security & IT
On-site
At WHOOP, we're on a mission to unlock human performance. WHOOP empowers members to perform at a higher level through a deeper understanding of their bodies and daily lives.

WHOOP is seeking a GRC Manager to drive the development, implementation, and maintenance of our Governance, Risk, and Compliance (GRC) program. Reporting directly to the Chief Information Security Officer (CISO), you will play a pivotal role in shaping our security landscape by applying standards-based best practices, ensuring compliance with global regulations, and communicating effectively with internal and external stakeholders. As a hands-on leader, you will spearhead initiatives to grow and mature the GRC team and processes, while also managing and resolving GRC support tickets.

RESPONSIBILITIES:

    • Develop and Implement GRC Framework: Design, implement, and maintain an effective GRC framework aligned with industry best practices and regulatory requirements, including ISO 27001 and GDPR. Apply standards-based best practices to ensure the security program meets organizational needs.
    • Policy Development and Management: Develop, review, and update security policies, standards, and procedures in collaboration with relevant stakeholders to ensure global regulatory compliance. Communicate effectively about our policies and practices to internal and external stakeholders.
    • Risk Assessment and Management: Conduct risk assessments, maintain the risk register, and provide appropriate reporting to Executive leadership. Track and keep abreast of emerging risks, threats, legal and regulatory changes, and other developments in the security field.
    • Compliance Monitoring: Monitor and ensure compliance with internal policies, relevant regulations, standards, and contractual obligations (e.g., GDPR, ISO 27001) across global operations.
    • Vendor Risk Management: Assess and manage risks associated with third-party vendors and service providers through effective vendor risk management processes.
    • Incident Response and Investigation: Develop and maintain an incident response plan, coordinate incident response activities, and conduct post-incident investigations as needed.
    • Security Awareness and Training: Develop and deliver security awareness and training programs to educate employees on security policies, procedures, and best practices.
    • Audit Coordination: Serve as the primary point of contact for internal and external audits, coordinate audit activities, and ensure timely remediation of audit findings.
    • Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs): Lead the execution of PIAs and DPIAs to ensure compliance with privacy regulations and organizational policies.
    • GRC Queue Management: Actively participate in the GRC support queue, responding to and resolving inquiries and requests in a timely manner, demonstrating a commitment to providing excellent service.
    • Team Expansion Planning: Develop strategies and plans for expanding the GRC team and tools to support the growth and maturity of the GRC program.
    • Continuous Improvement: Identify process improvements and tools to improve security posture. Identify areas for improvement within the GRC program and partners, implement enhancements, and drive continuous improvement initiatives.

QUALIFICATIONS:

    • Degree in Information Security, Computer Science, or related field; Master's degree preferred or industry-recognized certifications such as CISSP, CISM, CISA, CRISC, or equivalent.
    • Minimum of 5 years of experience in information security, risk management, audit, or compliance roles.
    • Understand a risk-informed approach to security that respects and supports business needs without compromising key security priorities.
    • Strong understanding of relevant regulations, standards, and frameworks (e.g., GDPR, SOC2, ISO 27001, NIST Cybersecurity Framework, etc.).
    • Experience with global regulatory compliance and familiarity with regional data protection laws.
    • Excellent communication skills with the ability to effectively collaborate with cross-functional teams.
    • Proven track record of building and maturing GRC programs in complex, fast-paced environments.
    • Strong analytical and problem-solving skills with attention to detail.
    • Detail-oriented with superior organizational and time-management skills - balancing multiple projects, deadlines, and requests.
    • Driven with a can-do attitude and determination to succeed.
Interested in the role, but don’t meet every qualification? We encourage you to still apply! At WHOOP, we believe there is much more to a candidate than what is written on paper, and we value character as much as experience. As we continue to build a diverse and inclusive environment, we encourage anyone who is interested in this role to apply.

WHOOP is an Equal Opportunity Employer and participates in E-verify to determine employment eligibility.