SOC 2 Type 2 Five-TSC SaaS / Cloud Compliance Lead

FYI-For Your Information, Inc.
Silver Spring, United States of America
2 days ago

Role details

Contract type
Permanent contract
Employment type
Full-time (> 32 hours)
Working hours
Regular working hours
Languages
English
Experience level
Senior

Job location

Silver Spring, United States of America

Tech stack

Amazon Web Services (AWS)
Confluence
JIRA
Azure
Software as a Service
Cloud Computing
Cloud Computing Security
Code Review
CompTIA Security+
Computer Security
Continuous Integration
Disk Controller
Multi-Factor Authentication
Identity and Access Management
Information Technology Audit
PCI Data Security Standards
Systems Development Life Cycle
Software Vulnerability Management
Privacy Controls
Data Logging
Google Cloud Platform
Software Version Control
Static Application Security Testing
Dynamic Application Security Testing

Job description

FYI is seeking a SOC 2 Type 2 Five-TSC SaaS / Cloud Compliance Lead to support an active SOC 2 Type 2 program across Security, Availability, Processing Integrity, Confidentiality, and Privacy. This role will own the SOC 2 domain in a fractional capacity, including evidence review, control operation support, auditor communication support, recurring compliance cadence, and SaaS/cloud control maturity. The right candidate has supported real SOC 2 Type 2 audits and can work with engineering, IT, security, HR, operations, leadership, and auditors.

Responsibilities

  • Support SOC 2 Type 2 audit readiness and active auditor-response efforts across all five Trust Services Criteria.
  • Review evidence requests and determine whether evidence is complete, partial, missing, stale, unclear, or misaligned to the control being tested.
  • Draft and review auditor responses, management explanations, control narratives, and evidence summaries.
  • Support control operations for access reviews, vendor risk management, risk assessment, policy review, security awareness, incident response, change management, and security steering activities.
  • Review evidence for IAM, MFA, logging, monitoring, encryption, vulnerability management, secure SDLC, code review, release approvals, CI/CD security, SAST, DAST, SCA, backups, availability, confidentiality, processing integrity, and privacy controls.
  • Coordinate with control owners to obtain timestamped, complete, and audit-ready artifacts.
  • Help maintain the recurring compliance calendar for monthly, quarterly, and annual SOC 2 control activities.
  • Support policy and documentation management, version control, approvals, and annual review cadence.
  • Identify control design gaps, operating effectiveness gaps, evidence issues, and audit risks.
  • Provide concise written status updates, blockers, risks, and next actions to the project manager and CISO/vCISO.

Expected deliverables

  • SOC 2 Five-TSC evidence and gap tracker inputs.
  • Control evidence sufficiency reviews.
  • Auditor response drafts and management-response drafts.
  • Control narrative and control-description updates.
  • Recurring compliance calendar inputs for access reviews, vendor reviews, risk assessments, policy reviews, steering meetings, and evidence refresh cycles.
  • Policy, procedure, and documentation review notes.
  • SOC 2 blocker, risk, and next-action summaries.

Requirements

  • 8+ years of cybersecurity, GRC, IT audit, compliance, SaaS security, cloud security, security consulting, or related experience.
  • GRC platform experience (Drata preferred; Vanta or Secureframe also acceptable).
  • Direct hands-on experience supporting SOC 2 Type 2 audits.
  • Experience with SaaS or cloud-hosted application environments.
  • Experience reviewing evidence for control design and operating effectiveness.
  • Ability to translate audit requirements into operational tasks for engineering, IT, security, HR, legal, operations, and leadership stakeholders.
  • Strong written communication skills and ability to produce auditor-ready explanations.
  • Ability to drive control owners and follow-ups without constant prompting.
  • Ability to work through ambiguity and produce clean, organized, audit-ready documentation.

Nice to have

  • Prior SOC 2 auditor, CPA-firm, or audit-support experience.
  • Experience with all five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
  • CISA, CISSP, CISM, Security+, CPA, ISO 27001 Lead Auditor, or equivalent certification.
  • Experience with Drata, Vanta, Secureframe, Hyperproof, Jira, Confluence, AWS, Azure, GCP, CI/CD tooling, SAST, DAST, SCA, vulnerability management, or cloud security tools.
  • PCI DSS familiarity, especially where SOC 2 controls overlap with PCI requirements.

This role requires a senior operator who can own the SOC 2 lane in a fractional capacity. The contractor must communicate clearly, document next actions, identify blockers early, and coordinate through the project manager. This is not a casual side task. Responsiveness, ownership, and clean written work product are required.

Benefits & conditions

FYI's Benefits/Incentives: What is in it for you?

  • Opportunity to work a hybrid work schedule
  • A knowledgeable, high-achieving, diverse, experienced, and fun team.
  • The chance to be part of a rapidly growing company and the next success story.
  • A competitive base salary with a loaded benefits package plus 401K.
  • Tuition/education assistance, personal computer allowance, pet insurance.

About the company

FYI - For Your Information, Inc. is an SBA-certified, Woman-Owned Small Business and GSA Schedule holder that is a premier provider of Human Capital, Training, and Information Technology services. We have won awards for being a Great Place to Work and continue to make ground-breaking advancements. For four years in a row, we have been on Inc. Magazine's 5000 list, and we were recently named one of Inc.'s 2024 Mid-Atlantic Fastest Growing companies.