GRC Analyst
Often searched as information security analyst, risk and compliance analyst or ISO 27001 analyst.
Frameworks, audits, control evidence, translating tech into board language.
"Information security analyst" in UK job ads usually means GRC work (policy, audit, the risk register, supplier reviews), not the shift-based monitoring most people picture when they hear "analyst". The label gets used interchangeably with "risk and compliance analyst" and "ISO 27001 analyst" depending on the org. POST uses GRC Analyst because it names the actual function and stops the confusion with the SOC seat.
Boring on the surface, surprisingly stable, and the only security seat that's almost impossible to automate away. Pick it deliberately, not as a fallback.
- You're good at writing for non-technical audiences
- You can hold a control framework in your head without losing the plot
- You're patient with calendars, evidence, and meetings about meetings
- You want regular hours and no pager
- You came into security because you wanted hands-on work
- You can't bear repetitive evidence gathering during audit season
- You think GRC is a soft entry into pentest or detection; that lateral move is hard
- Auditors trust your evidence the first time, every time
- Engineering teams come to you before they ship, not after
- Your risk register reflects reality, not optimism
- You can translate a finding into a control change without losing nuance
The work compounds the wrong way if you stay still. Five years of the same ISO 27001 audit cycle at the same org makes you very good at one company's quirks and almost unmoveable elsewhere. The GRC people who progress rotate frameworks, sectors, and eventually move into risk leadership or security management. The ones who don't end up senior at one employer and stuck there forever.
Tradeoffs at a glance
Ratings are directional, not absolute.
Promotion ceiling
High. CISO and risk leadership lanes are real.
- +Audit
- +Compliance
- +Senior security IC who likes policy
- −That it's 'not real security'; every regulated org runs on this work.
Where this leads
- Security Architect
- Risk Manager
- vCISO
Certifications people pair with this
Listed because the graph connects them to this role, not because you need all of them. Most practitioners pick one or two.
Where this fits
Roles connect to pathways, certs and other roles. Use one to test the next.
- GRC (Audit, Risk, Compliance)
Governance, risk and compliance. Policy, audit, evidence, frameworks. Biased toward CISA / CRISC / CISM, NOT toward OSCP.
- Security Architect (after 7+ years)
Design the trust boundaries. Pursued after 7+ years of hands-on work, not as a starting lane.
- Cloud Security Engineer
Cloud-native IAM, workload security, policy-as-code. Entered from cloud, not from SOC.
- AI will not delete IT, but it will shrink one kind of IT role
The 'AI replaces all of IT' narrative is wrong. The narrower version is mostly right, and worth planning around.
- Is CISSP actually worth it in 2026?
Yes, but only for a specific person at a specific moment. For everyone else it's 12–18 months optimising for the wrong thing.
- How people actually get their first job in cyber
In progress. Not via the cert stack the influencers sell. Five real patterns, ranked by how often they work.
The serious next step
You've read about the role. The harder question is whether it's the right one for you.
A Career Verdict is the written, practitioner-authored call on your specific route into and out of this role. Six primitives, same format every time.
Built on POST's practitioner-authored assessment framework, calibrated by James from twenty years across helpdesk, infrastructure and security. Framework is human-authored; the verdict applies it to your inputs.