5+ years of experience in GRC, compliance, or audit, with a meaningful portion spent as an auditor - public accounting, Big 4, boutique audit firm, or a rigorous internal audit function.
Deep hands-on experience with SOC 2 Type II; strong working knowledge of ISO 27001 and related standards (27017, 27018, 27701).
Demonstrated experience leading technical audit walkthroughs with external auditors and preparing control owners for those interactions - not just coordinating evidence collection.
Senior Security Engineer - GRC Controls and Audit at 1password
The ability to define what "good evidence" looks like for each control domain: where it lives in source systems (Drata, Kolide, Trelica/SaaS Manager, HRIS, endpoint tooling, cloud infrastructure), how it maps to trust service criteria, and how it must be formatted to satisfy auditor scrutiny.
Proven ability to design and execute control testing - writing test procedures, assessing operating effectiveness, documenting exceptions, and tracking remediation to closure.
Ability to work cross-functionally with Engineering, IT, Security, and People teams to understand system architectures, identify control owners, and build durable evidence collection workflows at the source.
Strong written and verbal communication skills - you've personally authored control narratives, audit-ready documentation, and compliance reports, and you can run a live auditor walkthrough without notes.
Experience with compliance automation platforms (Drata, Vanta, Secureframe, or equivalent) at a level where you can connect automated evidence to specific control requirements, not just use the dashboard.
A builder's instinct - you look at manual, repetitive GRC processes and ask whether they can be automated or AI-assisted, and you bring specific proposals, not just observations.
Bonus points for:
CPA, CIA, CISA, or CISSP certification.
Audit or compliance experience in a cloud-native SaaS product environment, including evidence collection from cloud infrastructure and MDM/endpoint tooling.
Experience building or improving continuous control monitoring capabilities.
Familiarity with EU AI Act, NIST AI RMF, or AI governance frameworks - increasingly relevant as 1Password governs access for AI agents alongside human users.
Experience with vendor risk assessments - reviewing SOC 2 reports, evaluating third-party compliance documentation, and advis
Benefits
Remote work options
Performance bonus
Additional Information
1Password is growing. We've surpassed $400M in ARR and we're continuing to accelerate, earning a spot on the Forbes Cloud 100 for four years in a row and teaming up with iconic partners like Oracle Red Bull Racing.
About 1Password
At 1Password, we're building the foundation for a safe, productive digital future. Our mission is to unleash employee productivity without compromising security by ensuring every identity is authentic, every application sign-in is secure, and every device is trusted. We innovated the market-leading enterprise password manager and pioneered Unified Access Management, a new cybersecurity category built for the way people and AI agents work today. As one of the most loved brands in cybersecurity, we take a human-centric approach in everything from product strategy to user experience. Over 180,000 businesses, from Fortune 100 leaders to the world's most innovative AI companies, trust 1Password to help their teams securely adopt the SaaS and AI tools they need to do their best work.
If you're excited about the opportunity to contribute to the digital safety of millions, to work alongside a team of curious, driven individuals, and to solve hard problems in a fast-paced, dynamic environment, then we want to hear from you. Come join us and help shape a safer, simpler digital future.
Good audits don't start when the auditors arrive - they start the moment a control is designed. 1Password is looking for a Senior Security Engineer - GRC Controls and Audit to serve as the technical and methodological anchor for our compliance audit programs.
You'll partner directly with the Senior Manager of GRC to lead our commercial audit programs - from evidence collection and control testing to deep technical walkthroughs with external auditors and internal SMEs. You'll own the question of what "good evidence" looks like across SOC 2 Type II, ISO 27001/27017/27018, and ISO 27701, and you'll know where to find it in the systems that generate it. Along the way, you'll help build the AI-assisted workflows and automation that make our audit programs more efficient and our compliance posture more continuous.
This is a controls expert role for someone with deep audit experience - ideally from the auditor's side of the table - who also brings a builder's instinct for making GRC more repeatable and scalable. You won't just coordinate evidence; you'll know exactly why each artifact satisfies a control requirement, and you'll be able to explain that to a skeptical Big 4 auditor and a first-time control owner in the same day.
This is a remote opportunity within Canada and the US.