Overview

Security GRC Analyst Jobs in Cape Town, South Africa at Zappi

Compensation: R660,000 – R780,000 / year

Location: Cape Town, SA

Description

We are looking for a mid-level Security GRC Analyst with a specialism in Privacy and AI Governance to join our Security Function. You will be joining an established team that spans Security GRC, Security Engineering, and Security Operations — a cohesive unit that works closely across disciplines to deliver a mature, business‑aligned security programme. Reporting into the Head of Security GRC, you will own the day‑to‑day operation of our privacy and AI governance frameworks, bridging the gap between our engineering and product teams and the organisation’s compliance obligations.

This is a high‑visibility role for a structured, analytical professional who wants to shape how a fast‑moving tech company approaches data privacy and responsible AI at scale.

Key Responsibilities

  • Privacy Framework Ownership: Supports the ongoing implementation and continuous improvement of our Privacy Information Management System (PIMS) aligned to ISO 27701. Maintain Records of Processing Activities (RoPA), data flow maps, and consent registers, ensuring compliance with GDPR, UK GDPR, and applicable regional data protection regulations.
  • AI Governance: Supports the operational maintenance of our AI governance programme under ISO 42001. Facilitate AI impact assessments across product and engineering initiatives, identifying bias, explainability, and transparency risks. Maintain the AI systems register and escalates findings to relevant stakeholders.
  • GRC Documentation & Tooling: Collaborate with the team to maintain a clean, audit‑ready repository of GRC artefacts within our GRC platform (e.g. Service Now, Drata, or equivalent). Enforce version control discipline across policies, standards, and procedures. Support evidence collection for ISO 27001, SOC 2, and internal audits.
  • Risk Assessments: Compliment the existing risk assessment process by operating privacy and AI‑specific risk assessments, Data Protection Impact Assessments (DPIAs), and AI Impact Assessments (AIIAs) across product and business initiatives. Identify control gaps, document risk treatment decisions, and track remediation activities through closure in line with NIST or other similar methodologies.
  • Stakeholder Engagement: Act as a trusted advisor to product, engineering, and data science teams. Translate regulatory requirements into practical, actionable guidance. Champion privacy‑by‑design and security‑by‑default principles throughout the SDLC. Comfortable engaging directly with business stakeholders and, where required, with external clients — representing the Security GRC function with confidence and clarity.
  • Vendor & Third‑Party Risk: Support third‑party risk assessments with a focus on data processor obligations, AI sub‑processor relationships, and contractual compliance. Review Data Processing Agreements (DPAs) and standard contractual clauses (SCCs) in partnership with Legal.
  • Incident & Audit Support: Participate in privacy‑related incident response activities, including breach notification workflows under GDPR Article 33/34. Prepare materials for internal and external audits, managing evidence requests and auditor queries.

Skills & Competencies

  • Structured thinker with a natural instinct for documentation, process, and record‑keeping.
  • Strong written and verbal communication skills; able to present complex regulatory concepts clearly to non‑specialist audiences.
  • Ability to build trusted relationships across engineering, product, legal, and leadership without relying on formal authority.
  • Comfortable operating in a fast‑paced, ambiguous environment and managing multiple work streams concurrently.
  • Confident and professional in direct business and client‑facing engagements. You are comfortable representing the GRC function in conversations with internal stakeholders and external parties, and can hold your own in discussions about our security and compliance posture.
  • A team‑first mindset with the flexibility to pick up broader GRC work when colleagues are unavailable. As a small, collaborative unit, everyone covers for each other — whether that means supporting a customer engagement,…

Title: Security GRC Analyst

Company: Zappi

Location: Cape Town, South Africa

Category:

 

Upload your CV/resume or any other relevant file. Max. file size: 800 MB.