
Sword Health · 1 day ago

Governance, Risk & Compliance Analyst

Sword Health is shifting healthcare from human-first to AI-first through its AI Care platform, making world-class healthcare available anytime, anywhere. As a GRC Analyst, you will be a key driver of trust and regulatory excellence, acting as the primary interface for partners and clients while managing certification lifecycles and ensuring compliance with security standards.

Tags: Artificial Intelligence (AI), Health Care, Medical, mHealth, Therapeutics
Note: No H1B sponsorship

Responsibilities

Acting as the primary subject matter expert for all security and compliance inquiries, including security questionnaires, RFPs, and M&A due diligence; building and maintaining a robust knowledge base to ensure accurate and efficient responses to partners and clients
Taking end-to-end ownership of certification lifecycles, such as ISO 27001 and Cyber Essentials; ensuring year-round audit readiness, managing the certification process from start to finish, and independently leading external audits
Working closely with the GRC team to improve existing programs, ensuring that our mapping of controls to processes and documentation remains robust and scalable as we grow
Partnering with the Quality Assurance & Regulatory Affairs (QARA) team to bridge the gap between security-focused frameworks and Medical Device Compliance initiatives, ensuring a unified approach to the AI Act and other healthcare-specific regulations
Collaborating with product teams on existing and upcoming initiatives to ensure security-by-design; quickly learning new product architectures and partnering with stakeholders to ensure all necessary compliance and security controls are integrated smoothly into the development lifecycle
Collaborating with Security, Product, Engineering, and IT teams to ensure that security controls are naturally integrated into their existing workflows without creating operational friction
Providing subject matter expertise and support for security and compliance training, as well as other general GRC initiatives as they arise

Qualifications

Key skills: GRC experience, ISO 27001, Cyber Essentials, HITRUST, GDPR, Medical Device regulations, English proficiency, Collaboration skills, Problem-solving

Required

5+ years of hands-on experience in GRC, with a proven track record of leading audits and maintaining certifications for internationally recognized security standards
Hands-on experience with at least three of the following frameworks: ISO 27001, SOC 2, HITRUST, NIS2, Cyber Resilience Act, FedRAMP, CMMC, NIST SP 800-171, NIST SP 800-53, GDPR, HIPAA or PCI DSS
Exceptional command of the English language, both written and spoken. You must be able to communicate complex security concepts clearly and authoritatively to both technical teams and external stakeholders
A strong understanding of how security controls apply to Infrastructure and Product environments to effectively map requirements to technical work instructions
A 'wildcard' mindset—the ability to be dropped into a new project or product initiative, learn the context quickly, and define the necessary compliance path forward
Familiarity with the intersection of cybersecurity (ISO, NIS2) and privacy/regulatory frameworks (GDPR, AI Act, or Medical Device regulations)
Familiarity with Medical Device certifications and regulations, such as ISO 13485 and FDA's Good Manufacturing Practices (GMP)
Experience working across diverse teams such as Legal, Quality, and IT to align on shared compliance goals

Benefits

Health, dental and vision insurance
Meal allowance
Equity shares
Remote work allowance
Flexible working hours
Work from home
Discretionary vacation
Snacks and beverages
English class

Company

Sword Health

Sword Health offers AI-powered physical therapy solutions for pain recovery at home.

Funding

Current Stage: Late Stage
Total Funding: $493.47M
Key Investors: General Catalyst, Sapphire Ventures, Transformation Capital

Funding rounds:
2025-06-17: Series Unknown, $40M
2024-06-04: Series E, $30M
2024-06-04: Secondary Market, $100M

Leadership Team

Virgílio Bento, Founder & CEO
Alexandre Droulers, VP, Clinical Operations
Company data provided by crunchbase