1Password - Senior Security Engineer – GRC Controls and Audit
Requirements
• 5+ years of experience in GRC, compliance, or audit, with a meaningful portion spent as an auditor: public accounting, Big 4, boutique audit firm, or a rigorous internal audit function.
• Deep hands-on experience with SOC 2 Type II; strong working knowledge of ISO 27001 and related standards (27017, 27018, 27701).
• Demonstrated experience leading technical audit walkthroughs with external auditors and preparing control owners for those interactions, not just coordinating evidence collection.
• The ability to define what "good evidence" looks like for each control domain: where it lives in source systems (Drata, Kolide, Trelica/SaaS Manager, HRIS, endpoint tooling, cloud infrastructure), how it maps to trust service criteria, and how it must be formatted to satisfy auditor scrutiny.
• Proven ability to design and execute control testing: writing test procedures, assessing operating effectiveness, documenting exceptions, and tracking remediation to closure.
• Ability to work cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence collection workflows at the source.
• Strong written and verbal communication skills: you've personally authored control narratives, audit-ready documentation, and compliance reports, and you can run a live auditor walkthrough without notes.
• Experience with compliance automation platforms (Drata, Vanta, Secureframe, or equivalent) at a level where you can connect automated evidence to specific control requirements, not just use the dashboard.
• A builder's instinct: you look at manual, repetitive GRC processes and ask whether they can be automated or AI-assisted, and you bring specific proposals, not just observations.
• CPA, CIA, CISA, or CISSP certification.
• Audit or compliance experience in a cloud-native SaaS product environment, including evidence collection from cloud infrastructure and MDM/endpoint tooling.
• Experience building or improving continuous control monitoring capabilities.
• Familiarity with the EU AI Act, NIST AI RMF, or other AI governance frameworks, increasingly relevant as 1Password governs access for AI agents alongside human users.
• Experience with vendor risk assessments: reviewing SOC 2 reports, evaluating third-party compliance documentation, and advising on vendor risk posture.
At 1Password, we build with AI:
• Active and thoughtful AI user: you've used AI tools, not just ChatGPT for writing, to meaningfully speed up audit prep: control narrative drafting, framework cross-mapping, evidence gap identification. You can walk through what you applied, what it produced, and how you validated the output before relying on it.
Benefits
We believe in working hard, and rewarding that hard work through our benefits. While not an exhaustive list, here is a glance at what we currently offer:
Health and wellbeing
• 👶 Maternity and parental leave top-up programs
• 🏝 Generous PTO policy
Growth and future
• 📈 RSU program for most employees
• 💸 Retirement matching program
• 🔑 Free 1Password account
• 🤝 Paid volunteer days
• 🏆 Peer-to-peer recognition through Bonusly
• 🌎 Remote-first work environment
Some roles in our GTM team are currently being hired for in-person hybrid work in Toronto and Austin. These roles will specify this on the posting.
You belong here.