
Security Governance / GRC Lead
Alan operates at the intersection of health insurance, prevention, and regulated data, serving 1M+ members under DORA and HDS certification requirements and ACPR regulation. This Security Governance / GRC Lead owns the company's security governance and risk posture, working in close partnership with Legal, Internal Audit, and the broader Risk function. It is a Paris-based, hybrid, collaborative role, not a siloed one.
Stack
Responsibilities
- ▹Own and operate the ISO 27001 ISMS: scope definition, Statement of Applicability, internal audit programme, and management review
- ▹Bring technical and operational security substance to regulatory and privacy matters (DORA, HDS, RGPD, PGSSI-S), where Legal leads
- ▹Run security risk as a living programme using EBIOS RM, feeding into the company-wide risk framework
- ▹Define the controls framework and standards while distributing control ownership to the teams that build and run them
- ▹Run audit cycles in close partnership with Internal Audit and coordinate with certification bodies
- ▹Manage third-party risk: vendor security assessments and contractual security requirements (security annexes, DPAs)
- ▹Own incident governance and support DORA reporting, including BCP and DRP governance
- ▹Automate compliance work: script evidence collection, automate control testing, and connect GRC tooling to engineering pipelines
Requirements
- ▹Accountable ownership of an Information Security Management System, having led at least one full certification or recertification cycle
- ▹Ability to translate regulatory requirements into controls and flag implementation gaps
- ▹Experience leading security risk cartography with EBIOS RM and running risk workshops
- ▹Ability to configure and administer GRC tooling (e.g., CISO Assistant, ServiceNow GRC, or Archer), not just use it
- ▹Cloud governance fluency: shared responsibility in HDS-qualified environments, CSPM tools, and policy-as-code (OPA, SCP)
- ▹Ability to read architecture and identify control gaps in identity, network segmentation, encryption, and logging
- ▹Ability to interpret vulnerability data and drive remediation prioritisation by business risk
- ▹Python (or similar) scripting to reduce the manual lift of an audit cycle
- ▹Understanding of the health sector context: ANS framework, CERT Santé requirements, and handling sensitive health data operationally
Nice to have
- ▹Experience coordinating across multiple regulators and countries (ISO 27001, DORA, HDS, NIS2)
- ▹Experience with automated audit and evidence pipelines
Soft skills
What we offer
- ▹Board and executive exposure with real influence on company-wide risk decisions
- ▹Autonomy to shape Alan's security culture across 800+ people
- ▹Paris-based hybrid work with a value on in-person collaboration
About the company
Alan is building a new standard in prevention insurance, integrating insurance, prevention, and care into a single acclaimed user experience. It partners with 40K+ companies, serves more than 1M members, has reached over 800M euros in ARR, and employs 800+ people across France, Spain, Belgium, and Canada. It handles sensitive health data under DORA and HDS certification requirements and is regulated by the ACPR.