Manager, IT Governance, Risk and Compliance

Hybrid: Markham, Ontario

Job Description:

Job Overview

The Manager, IT Governance, Risk and Compliance is the IT owner for ICFR, PCI-DSS, NIST Cybersecurity Framework (CSF) 2.0, and Third-Party Risk Management (TPRM). This hands-on leadership role delivers IT controls, evidence, remediation, policy governance, the IT Security Risk Register, and the full TPRM lifecycle while partnering with Finance, Payments, Security, Procurement, and Legal.

Salary Range: $125,000-$135,000

Essential Duties             

• Act as the primary IT point of contact for internal and external audit partners on ICFR/ITGC, PCI-DSS, and NIST CSF 2.0 audits.
• Own the IT General Controls (ITGC) portion of the annual ICFR program: scoping, documentation, evidence, walkthroughs, testing support, and remediation.
• Manage the PCI-DSS IT compliance program (Requirements 1–12, A1–A3), including evidence, QSA support, and remediation.
• Lead IT-side implementation and maturity of NIST CSF 2.0 across all six functions.
• Develop, maintain, and govern all IT policies, standards, procedures, and process documentation aligned with ICFR, PCI, and NIST CSF.
• Own and maintain the IT Security Risk Register (identification, assessment, treatment plans, monitoring, and reporting).
• Lead the IT Third-Party Risk Management (TPRM) program: vendor risk assessments, due diligence, ongoing monitoring, contract reviews, scoring, and off-boarding for all technology and cloud vendors in scope for ICFR, PCI, or NIST.
• Coordinate and deliver evidence and responses during internal/external audits and regulatory reviews.
• Track and drive remediation of IT-related findings from audits and TPRM assessments.
• Maintain centralized IT controls library and automated evidence repository.
• Perform regular control self-assessments and continuous monitoring.
• Report compliance status, risk register, and TPRM metrics to IT leadership, Finance, Procurement, and the Audit Committee.
• Stay current on regulatory changes and translate them into actionable IT and vendor requirements.
• Other tasks as assigned.

Skills, Experience, Education, Certifications

• 8+ years of progressive IT governance, risk, compliance, or audit experience.
• Minimum 4 years in a leadership role.
• Direct, hands-on experience delivering IT evidence and remediation for ICFR/ITGC, PCI-DSS, NIST CSF, and Third-Party Risk Management programs.
• Proven ability to work successfully with internal/external audit partners and vendors.
• Professional certification required (one or more): CISA, CISM, CRISC, CISSP-ISSAP, PCIP, or equivalent.
• Strong policy, process documentation, and risk register management skills.
• Hands-on experience running a TPRM program and using vendor risk platforms

Competencies

• Mastery of ICFR/ITGC, PCI-DSS, NIST CSF 2.0, and TPRM
• Policy and process documentation excellence
• IT risk register and vendor risk lifecycle ownership
• Audit coordination and evidence delivery
• Cross-functional partnership (Finance, Security, Payments, Procurement, Legal)
• Calm execution under tight audit and vendor review timelines

This posting is for an existing vacancy.

As part of the application process, AI may be used to assist with screening, or assessing job applicants .