Position Description :
Title : Information Security Risk Analyst
Location : Bangalore, Chennai, Pune, Hyderabad, Mumbai
Shift : UK Shift
Experience : 3–6 years in information security, IT risk, audit, or compliance roles
The Information Security Risk Analyst plays a critical role in identifying, evaluating, and mitigating risks that threaten the confidentiality, integrity, and availability of CGI information systems and data. This individual will contribute to the development of a mature risk management program that aligns with business goals, assurance requirements, and industry best practices.
Working cross-functionally with IT, business stakeholders, compliance, legal, and external partners, the analyst will assess risks associated with new technologies, digital transformation efforts, regulatory changes, and evolving threat landscapes. This role ensures that security risk decisions are data-driven and documented, and that mitigation strategies are prioritized based on business impact and likelihood.
Your future duties and responsibilities :
Risk Identification & Assessment
- Conduct security-related risk assessments within the organizational guidelines of Enterprise Risk Management.
- Perform in-depth risk assessments for internal systems, cloud services, third-party vendors, and emerging technologies.
- Conduct business impact analyses to evaluate the consequences of security incidents and define criticality levels for systems and data.
- Utilize industry-standard frameworks (NIST RMF, ISO, FAIR, etc.) to quantify and communicate risk posture.
- Analyze threat intelligence feeds and integrate them into risk models to better anticipate and respond to future risks.
Risk Mitigation & Treatment Planning
- Develop and maintain a formal risk register that tracks identified risks, treatment plans, and residual risk.
- Collaborate with asset owners and IT teams to recommend and validate risk mitigation measures.
- Support decision-making by preparing cost-benefit analyses of remediation strategies vs. accepted risk.
Policy, Compliance / Assurance & Governance Support
- Ensure that internal policies and procedures reflect risk tolerance and evolving legal / regulatory obligations (e.g., GDPR, HIPAA, SOX, PCI DSS).
- Assist in conducting gap analyses against compliance standards and frameworks.
- Partner with audit teams to ensure security risks are tracked through issue management lifecycles.
Third-Party & Vendor Risk Management
- Conduct due diligence on vendors and partners during onboarding and periodically thereafter.
- Leverage security questionnaires, SOC 2 / ISO reports, and penetration test results to validate vendor risk posture.
- Track and report third-party risks and collaborate on vendor exit and contingency planning.
Reporting & Metrics
- Create risk dashboards and executive-level reports showing trends, key risk indicators (KRIs), and remediation progress.
- Present findings to stakeholders, boards, or governance committees, translating technical risk into business context.
- Use GRC tools to automate risk scoring, control tracking, and evidence collection.
Awareness & Training
- Collaborate with security awareness teams to align training programs with risk findings and trends.
- Educate internal stakeholders on security risk management practices, control expectations, and emerging threats.
Required qualifications to be successful in this role :
Education & Credentials
- Bachelor's degree in Information Security, Cybersecurity, Computer Science, Risk Management, or related field.
- Preferred certifications :
  - CRISC (Certified in Risk and Information Systems Control)
  - CISSP (Certified Information Systems Security Professional)
  - CISM (Certified Information Security Manager)
  - CISA (Certified Information Systems Auditor)
Professional Experience
- 3–6 years in information security, IT risk, audit, or compliance roles.
- Proven experience conducting risk assessments and applying controls across complex technical environments (on-prem, cloud, hybrid).
- Exposure to security tools and platforms such as :
  - GRC suites (e.g., Archer, ServiceNow GRC, LogicManager)
  - SIEMs (e.g., Splunk, QRadar)
  - Vulnerability scanners (e.g., Qualys, Tenable)
  - Identity & Access Management platforms (e.g., Okta, Azure AD)
Success Criteria & Soft Skills
- Analytical Thinking : Able to balance qualitative and quantitative risk approaches; excels in root cause analysis.
- Communication : Can convey risk issues in plain language to technical and non-technical audiences.
- Collaboration : Effectively builds relationships with cross-functional stakeholders.
- Adaptability : Thrives in a fast-paced, evolving regulatory and threat landscape.
- Integrity : Maintains impartiality and protects sensitive information with discretion.
Optional / Preferred Experience
- Familiarity with :
  - Data privacy laws and data protection impact assessments (DPIAs)
  - Cloud security (e.g., AWS Well-Architected Framework, Azure security benchmarks)
  - Emerging Technologies (Artificial Intelligence, Quantum Computing, etc.)
- Hands-on experience with quantitative risk analysis methodologies (e.g., FAIR)