Full Time
$2000
40
May 1, 2026
Who We Are
Truvo Cyber is a Canadian cybersecurity consulting firm. We run active SOC 2 and ISO 27001 engagements across cloud (AWS, Azure, GCP) and on-premises environments. Our team is small, our work is rigorous, and we use AI-enabled workflows and GRC engineering to deliver better compliance outcomes — faster. We are not a big bureaucratic firm. We protect focus time, measure output, and expect people to own their work.
The Role
You will run SOC 2 and ISO 27001 readiness and implementation engagements end-to-end: scoping, control mapping, evidence collection, gap analysis, remediation planning, and audit preparation. You work directly with clients and our delivery team.
Senior consultants partner with you on your first few engagements. After that, you lead on your own. As the firm grows over the next 12–18 months, this role has a clear path to Team Lead — setting methodology, reviewing analyst work, and owning delivery quality across a small team.
Requirements
• 3+ years hands-on with both SOC 2 and ISO 27001 engagements (readiness, implementation, or audit support). Both frameworks required — not one or the other.
• Deep understanding of SOC 2 Trust Services Criteria and ISO 27001:2022 Annex A controls — including where they overlap and where they don't.
• Real security knowledge. You understand why controls exist, not just how to document them.
• Working knowledge of at least one cloud platform: AWS, Azure, or GCP.
• Comfortable leading client conversations: kickoffs, working sessions, evidence reviews, findings presentations.
• Experience with at least one GRC platform: Vanta, Drata, Secureframe, Oneleet, Sprinto, or similar.
• Strong written English. Your reports and client communications need to be clean.
• Willing to work US/Canada Eastern Time business hours (with reasonable flexibility).
• Must use your own laptop (MacBook preferred). You will install our MDM and endpoint protection agents.
• Must pass a background check before start.
• You are accountable for your work — AI is a tool we encourage you to use, not a crutch.
Nice to Have
• ISO 27001 Lead Auditor or Lead Implementer certification (IRCA, PECB, BSI, or equivalent)
• Security certifications: CISSP, CISA, CISM, or similar
• Privacy framework exposure: HIPAA, PIPEDA, Quebec Law 25, GDPR
• Big 4, Accenture, Workstreet, Eden Data, or similar consulting background
• Light scripting (Python, Bash, or AI-assisted) for automating evidence collection
• Familiarity with Git/GitHub or working in code-adjacent environments
• ISO 42001 (AI management systems) experience
How We Work
We don't need long hours. We need focused, high-quality output.
• Async-first communication. We write things down. No constant pings expecting immediate replies.
• Intentional meetings. We don't default to calls. When we meet, it matters.
• Version-controlled everything. Engagement notes, client context, and artifacts live in GitHub — not scattered in someone's inbox.
• No layers of management. No status meetings for the sake of status meetings.
• Tooling handles the busywork so you can focus on real work.
Engagement Details
• Full-time, ~40 hours/week
• Start date: within 3–4 weeks of offer
• Compensation is competitive and flexible for the right experience
• Clear path to Team Lead as the firm grows
How to Apply
Don't just send a CV. Walk us through how you'd run a combined SOC 2 + ISO 27001 readiness engagement for a SaaS company that wants both reports/certificates within 12 months.
Specifically, tell us:
• What you scope first
• Where the two frameworks share work
• Where they diverge
Include your relevant experience, certifications, country of residence, and salary expectations. Applications without a response to this question will not be reviewed.