Career roadmap

GRC Analyst

How to break into and grow as a GRC (Governance, Risk, and Compliance) Analyst in cybersecurity — from £35k junior in a Big 4 consultancy to £90k Senior GRC Manager in financial services.

Year-by-year milestones

  1. Year 0 (entry)Junior GRC Analyst / Risk Analyst£32k–£42k

    Evidence collection, control walkthroughs, third-party vendor questionnaires, supporting ISO/SOC 2 audits.

  2. Year 1–2GRC Analyst / Information Security Analyst£45k–£60k

    Run risk assessments, own a control domain end-to-end, support Stage 1/2 audits, manage policy lifecycle.

  3. Year 3–4Senior GRC Analyst / GRC Consultant£60k–£80k

    Lead client-facing ISMS implementations, draft Statement of Applicability, present to risk committees.

  4. Year 5+GRC Manager / Head of GRC£80k–£120k

    Own the GRC programme, manage 3–8 analysts, brief CISO and risk committee, choose GRC tooling (Vanta, Drata, OneTrust, ServiceNow GRC).

GRC sits at the intersection of security, audit, and business risk. GRC Analysts translate frameworks (ISO 27001, NIST CSF, SOC 2, PCI-DSS) into operational controls, run risk assessments, manage third-party assurance, and own evidence collection for audits. It is one of the fastest-growing entry routes into cyber for candidates from audit, consulting, law, or compliance backgrounds. ## Career milestones ### Year 0 (entry) — Junior GRC Analyst / Risk Analyst _Salary: £32k–£42k_ Evidence collection, control walkthroughs, third-party vendor questionnaires, supporting ISO/SOC 2 audits. ### Year 1–2 — GRC Analyst / Information Security Analyst _Salary: £45k–£60k_ Run risk assessments, own a control domain end-to-end, support Stage 1/2 audits, manage policy lifecycle. ### Year 3–4 — Senior GRC Analyst / GRC Consultant _Salary: £60k–£80k_ Lead client-facing ISMS implementations, draft Statement of Applicability, present to risk committees. ### Year 5+ — GRC Manager / Head of GRC _Salary: £80k–£120k_ Own the GRC programme, manage 3–8 analysts, brief CISO and risk committee, choose GRC tooling (Vanta, Drata, OneTrust, ServiceNow GRC). ## Core skills - ISO 27001 ISMS clauses 4–10 + Annex A - NIST CSF 2.0 functions - SOC 2 Trust Services Criteria - Risk register design (likelihood × impact, treatment options) - Evidence collection automation (Vanta/Drata/Hyperproof) - Audit interviewing technique - Policy writing in plain English - GDPR + UK Data Protection Act ## Recommended certifications - `security-plus` - `iso-27001` - `cism` - `crisc` - `cissp` ## First 90 days in the role Map every control in your scope to an owner and an evidence source. Build a risk register from scratch (or rebuild the inherited one). Sit in on every audit walkthrough — silently for the first month, then leading from month 2. ## Common pitfalls Becoming a checklist robot. Senior GRC roles reward people who can argue a risk position to a non-technical executive, not people who can recite Annex A controls. Practise translating a control gap into 'what is the business impact and what would mitigate it?'

Frequently asked questions

Can I move into GRC from audit or compliance?

Yes — it is the single most common conversion. Big 4 internal audit / risk teams routinely move people into cyber GRC within 12–18 months.

Do GRC Analysts need coding?

No, but Python or PowerShell to automate evidence collection is a senior differentiator and a fast-tracking signal.

Is GRC remote-friendly?

Mostly yes — UK Big 4 consultancies and most in-house GRC teams operate hybrid (2–3 days office). Senior roles often go fully remote.

What is the ceiling for a GRC Analyst?

GRC Manager / Head of GRC at £100–£140k; from there, CISO routes via the GRC track (vs the engineering track) often hit £180k+.

Map your own roadmap

Get a personal gap report, AI Career Twin and practice keyed to your target band.

Start free
// related