Jobs · Finance

Compliance and Risk Manager - US Remote

Hexion Inc. · Columbus, OH · 2 days ago
FinanceFull-time

Job Responsibilities

  • Own Hexion's ISO 27001 Information Security Management System (ISMS) and related cloud-specific extensions: Maintain ISO 27001 certification — manage the full audit lifecycle including internal audits, surveillance audits, and recertification, leveraging ISO 27002. Apply ISO 27017 controls cloud service security, governing Hexion's obligations as both a cloud service customer and, where applicable, a cloud service provider. Implement ISO 27018 controls for protection of personally identifiable information (PII) in cloud environments. Manage the Statement of Applicability (SoA), control selection rationale, and exceptions register. Drive continuous improvement of the ISMS through management review cycles, nonconformity tracking, and corrective action management. Coordinate with external certification bodies, manage audit evidence packages, and facilitate auditor access.
  • Lead Hexion's SOC 2 compliance program across all applicable Trust Services Criteria: Define and maintain SOC 2 control mapping across Security, Availability, Confidentiality, Processing Integrity, and Privacy categories. Manage common controls library — identify controls that satisfy multiple frameworks simultaneously to reduce compliance overhead. Coordinate readiness assessments and work with external auditors throughout the Type II observation period. Oversee evidence collection workflows, vendor attestation, and control testing documentation. Track and resolve audit exceptions and management responses. Communicate SOC 2 report status to customers and prospects in coordination with sales and legal.
  • Operationalize the CIS Controls as the enterprise's security baseline framework: Maintain the CIS Controls implementation roadmap, tracking adoption across all 18 control families. Prioritize and govern IG1 (basic cyber hygiene) and IG2 (foundational) controls across IT and OT environments. Partner with security engineering to implement and validate technical controls mapped to CIS safeguards. Measure and report CIS Controls maturity using CIS CSAT or equivalent tooling. Use CIS Controls as a practical lens for remediation prioritization and risk reduction sequencing.
  • Maintain fluency in NIST 800-53 and apply it to enterprise risk governance: Map organizational controls to NIST 800-53 control families to support federal customer requirements, supply chain diligence, and internal governance. Leverage NIST 800-53 as a reference framework for control gap analysis and risk treatment prioritization. Apply NIST Risk Management Framework (RMF) concepts to information system authorization and risk acceptance decisions. Maintain control crosswalks across ISO 27001, SOC 2, CIS Controls, NIST 800-53, and NIST CSF to reduce duplicated effort and provide unified risk visibility and leverage ISO 27005 risk framework.
  • Own The Internal Controls Assurance Program: Design, document, and maintain the enterprise controls library — mapping each control to owning team, testing frequency, and framework coverage. Execute and manage the internal control testing calendar, coordinating evidence collection with control owners across IT, OT, and business functions. Identify control deficiencies, document findings, and drive remediation to closure with defined timelines. Develop control self-assessment (CSA) programs to extend assurance coverage without reliance solely on external audits. Implement GRC tooling to automate evidence collection, control monitoring, and reporting (e.g., ServiceNow GRC, OneTrust, Drata, Vanta).
  • Policy & Standards Governance: Own the information security policy library — drafting, reviewing, publishing, and retiring policies on a defined lifecycle cadence. Ensure policies are mapped to applicable control frameworks and regulatory requirements. Manage policy exception process — intake, risk assessment, approval, and time-bound tracking. Coordinate policy acknowledgment and awareness campaigns with HR and business unit leadership.

Additional Job Responsibilities

  • Translate complex regulatory requirements into plain-language business guidance that operational leaders can act on. Represent compliance and risk in vendor evaluations, M&A due diligence, and enterprise architecture discussions. Maintain credibility that comes only from experience — auditors, regulators, and business leaders alike should view this role as the authority on Hexion's compliance posture.

Minimum Qualifications

  • Bachelor's degree in Information Security, Computer Science, Business Administration, or related field (Master's preferred)
  • 7+ years of progressive experience in information security compliance, GRC, or risk management roles
  • Demonstrated, hands-on experience managing ISO 27001 certification programs — including internal audits, SoA management, and external audit coordination
  • Deep knowledge of ISO 27017 and ISO 27018 cloud security and privacy controls
  • Practical SOC 2 Type II experience — control design, evidence collection, auditor management, and exception resolution
  • Proficiency with CIS Controls (IG1 and IG2) including control mapping, gap assessment, and implementation road mapping
  • Working knowledge of NIST 800-53 control families and the NIST Risk Management Framework
  • Experience operating enterprise risk management programs — risk registers, treatment plans, risk reporting to leadership
  • Ability to build and maintain control crosswalks across multiple frameworks (ISO, SOC 2, CIS, NIST)
  • Strong written communication — able to produce policy documents, audit evidence packages, and executive risk reports

Preferred Qualifications

  • Experience with: OT/ICS environments — familiarity with IEC 62443, NIST SP 800-82, or industrial cybersecurity frameworks
  • Manufacturing or chemical industry regulatory landscape (OSHA PSM, EPA RMP, REACH, or similar)
  • Third-party risk management (TPRM) programs and vendor risk assessment methodologies
  • GDPR, CCPA, or other data privacy regulatory frameworks

Similar jobs