Senior Cyber GRC Consultant

1 day ago


Sydney, New South Wales, Australia Cybertify Full time $120,000 - $180,000 per year
About Cybertify

Cybertify is Australia's premier compliance-first cybersecurity consulting firm, proudly Australian owned, fully independent, and sovereign in every respect. We specialise in protecting and enabling organisations in the country's most heavily regulated sectors: financial services, superannuation, legal, aged care, healthcare, banking, technology, and government-aligned enterprises.

Our clients demand more than security: they demand speed, trust, and board-level credibility. Cybertify delivers with rapid scoping, swift execution, and executive-ready outcomes that boards, regulators, insurers, and auditors respect.

Our Elite Cyber Squad, a hand-picked team of industry-leading red teaming, penetration testing, governance, and defensive experts, brings Big 4 calibre expertise with boutique agility, ensuring precision, independence, and uncompromising results.


About the Role

This is a senior delivery role for an experienced GRC consultant who is comfortable working hands-on across client environments. You will lead assessments, develop policies, produce reports, and deliver compliance outcomes end-to-end.

You will engage directly with CISOs, IT managers, legal teams, and boards in highly regulated industries. Clients expect consultants who are credible, fast, and practical, with the ability to deliver under pressure while maintaining accuracy and professionalism.


What You'll Do
Framework & Compliance Delivery
  • Essential Eight (ACSC): Deliver maturity assessments, roadmaps, and uplift projects. Build remediation plans and provide board-ready reporting for auditors, insurers, and regulators.
  • ISO 27001: Run certification readiness projects end-to-end. Build ISMS documentation, risk registers, Statements of Applicability (SoAs), and policies. Conduct internal audits and prepare evidence for certification bodies.
  • APRA CPS 234 (Financial Services): Lead compliance programs for APRA-regulated organisations. Conduct gap assessments, uplift controls, and prepare board/regulator documentation. Support CPS 231 (outsourcing) and CPS 232 (business continuity).
  • IRAP (Australian Government): Guide clients through IRAP assessment readiness. Map ISM controls, develop remediation roadmaps, and prepare evidence packs for ASD-endorsed IRAP assessors.
  • Privacy Act (APPs): Deliver privacy impact assessments, policy uplift, and compliance gap analysis. Ensure the Australian Privacy Principles are integrated into the ISMS and security frameworks.
  • PCI DSS: Conduct PCI DSS gap assessments, remediation planning, and evidence preparation. Guide clients through audit readiness, ensuring alignment across cardholder data environments.
  • Other Frameworks: SOC 2, NIST CSF, CIS Controls, HIPAA, CPS 231/232, SMB1001:2025 (where relevant).

Risk & Assurance
  • Conduct cyber health checks, risk profiling, and maturity evaluations.
  • Draft board-level risk reports, SoAs, risk registers, and compliance plans.
  • Develop and uplift governance documentation, including policies and registers.
  • Support client audit responses, regulator queries, and customer security questionnaires.
Training & Awareness
  • Deliver structured training sessions for executives, boards, IT teams, and end-users.
  • Run workshops to build awareness of Essential Eight, ISO 27001, APRA, Privacy Act, and PCI DSS obligations.
  • Develop training materials, quick-reference guides, and tailored content.
  • Ensure clients can sustain compliance post-engagement through effective knowledge transfer.
Pre-Sales & Client Engagement
  • Act as a trusted advisor during client meetings, workshops, and discovery sessions.
  • Support pre-sales by scoping accurate engagements and shaping solution proposals.
  • Deliver technical presentations and compliance walkthroughs to executives, boards, and regulators.
  • Build client confidence by translating obligations into clear, actionable outcomes.
  • Collaborate closely with Cybertify's sales team to secure new engagements and expand accounts.
Client Engagement & Delivery
  • Lead workshops, interviews, and assessments with technical, legal, and executive stakeholders.
  • Present findings and recommendations clearly to CISOs, boards, and auditors.
  • Manage multiple concurrent projects with accuracy, professionalism, and accountability.
  • Escalate risks and blockers promptly to maintain delivery momentum.
Internal Contribution
  • Enhance Cybertify's frameworks, templates, and delivery playbooks.
  • Provide subject matter expertise during pre-sales scoping and technical discussions.
  • Contribute to the continuous improvement of methodologies and engagement quality.

Ideal Candidate

Essential Eight (ACSC) – Expert Level (Non-Negotiable):

  • Proven hands-on delivery of Essential Eight uplift programs across all eight strategies.
  • Experience conducting maturity assessments, mapping current vs. target states, and developing remediation roadmaps.
  • Skilled in implementing controls across all eight strategies: application control, patching of applications and operating systems, Microsoft Office macro settings, user application hardening, restriction of administrative privileges, multi-factor authentication, and regular backups.
  • Able to produce board-ready Essential Eight reporting for insurers, auditors, and regulators.
  • Demonstrated ability to train IT teams, CISOs, and executives on Essential Eight expectations, maturity targets, and regulator scrutiny.

ISO 27001 – Certification & ISMS Authority:

  • Strong track record in ISO 27001 certification readiness projects, including gap analysis and remediation.
  • Skilled in building and uplifting Information Security Management Systems (ISMS), policies, and Statements of Applicability.
  • Experience conducting internal audits, preparing evidence packs, and managing certification body engagement.
  • Capable of integrating ISO 27001 with broader compliance programs (Essential Eight, Privacy Act, APRA).

APRA CPS 234 (Financial Services) – Regulator-Facing Delivery:

  • Practical experience delivering CPS 234 compliance programs for APRA-regulated institutions.
  • Proven ability to map obligations, perform gap assessments, uplift security controls, and prepare board/regulator submissions.
  • Familiarity with CPS 231 (Outsourcing) and CPS 232 (Business Continuity) advisory.
  • Skilled at drafting regulator-facing reports and supporting executive/board attestation requirements.

IRAP (Australian Government) – Assessment Readiness Expertise:

  • Experience preparing clients for IRAP assessments, including mapping ISM (ASD Information Security Manual) controls to existing environments.
  • Delivery of remediation roadmaps, control uplift, and evidence collection.
  • Skilled at coordinating assessment packs for ASD-endorsed IRAP assessors.
  • Ability to translate IRAP requirements into clear, actionable tasks for IT/security teams.

Privacy Act (APPs) – Privacy & Data Protection Delivery:

  • Hands-on delivery of Privacy Impact Assessments (PIAs), gap analysis, and compliance uplift projects.
  • Proven ability to design and implement policies, processes, and governance aligned to APP obligations.
  • Experience integrating Privacy Act compliance into ISMS, Essential Eight, and APRA frameworks.
  • Capable of delivering board and executive training on privacy obligations and risk exposure.

PCI DSS – Cardholder Data Security Authority:

  • Practical experience conducting PCI DSS gap assessments and designing remediation roadmaps.
  • Skilled at preparing clients for PCI DSS audits, including evidence collection and control validation.
  • Familiarity with cardholder data environment scoping, segmentation, and ongoing compliance maintenance.
  • Ability to present PCI DSS obligations and remediation requirements to boards, CISOs, and IT/security leaders.

Consulting & Client Engagement:

  • Strong client-facing presence, credible with CISOs, boards, legal teams, auditors, and regulators.
  • Proven ability to run workshops, training sessions, and executive briefings.
  • Comfortable supporting pre-sales scoping, proposal shaping, and technical presentations.
  • Skilled at balancing hands-on delivery with executive-level communication.

Required Certifications

Must-Have

  • ISO 27001 Lead Implementer and Lead Auditor certifications
  • CISSP, CISM, or CISA
  • PCI QSA or an equivalent compliance certification

Nice to Have

  • Microsoft SC series (SC-100 / SC-400 / SC-900)
  • AWS Security Specialty
  • IRAP assessor experience

Why Join Cybertify?
  • Elite Cyber Squad Advantage: Work directly with Australia's most experienced cybersecurity professionals.
  • Agile Disruption: Be part of a lean, fast-moving firm that delivers high-value results without the red tape and politics of bloated consultancies.
  • Impactful Work: Solve complex, high-stakes cybersecurity and compliance challenges for boards, regulators, and executives across Australia's most critical sectors.
  • Compliance-First DNA: Operate at the unique intersection of security and governance where GRC integration is not an add-on, but the foundation of every engagement.
  • Professional Growth: Gain exposure to cutting-edge tools, advanced methodologies, and enterprise-grade frameworks (ISO 27001, SOC 2, Essential Eight, CPS 234, NIST, and more).
  • Independent & Trusted: Provide objective advice, free from vendor influence or offshore conflicts. Cybertify's independence ensures client trust is never compromised.
  • Australian Sovereign Cyber: Support a firm that is 100% Australian owned and operated, designed to protect Australian businesses with Australian expertise.

What We Offer
  • A high-trust workplace with genuine autonomy, influence, and zero micromanagement.
  • Direct client impact—your work is seen at board and executive levels, not buried in handovers.
  • Premium salary packages aligned with market-leading consulting firms, reflecting the calibre of talent we hire.
  • Professional development pathways, including funded certifications, training, and industry memberships.
  • Exposure to elite projects spanning offensive security, GRC, Zero Trust, regulatory alignment, and incident response.
  • State-of-the-art Sydney CBD office with premium client and collaboration spaces.
  • Cutting-edge tools and platforms across project delivery, client engagement, and cybersecurity operations.
  • A supportive, collaborative team culture that balances intensity with respect, and professionalism with ambition.
  • The opportunity to be part of a nationally recognised, fast-growing, sovereign cybersecurity force that is redefining the cyber consulting market.

Ready to Join Australia's Cyber Elite?

Click Apply and submit your CV with a short cover letter.

Apply now and discover why Australia's top cyber talent chooses Cybertify as their career destination.

Cybertify - Defending Australia's Digital Future, One Elite Professional at a Time