Docker, Inc
Senior GRC Analyst

How your CV stacks up
Upload your CV to see how well it fits this job role
?%
Docker: Senior GRC Analyst
Docker has been one of the most loved brands in developer tooling, trusted by more than 20 million monthly users and over 20 billion container image pulls. From solo founders to the world's largest companies, developers rely on Docker to build, share, and run their applications across our suite of products including Docker Desktop, Docker Hub, and Docker Scout.
We are a globally distributed, remote-first team building the tools that define how software gets built and delivered. As AI agents redefine software development, Docker is at the center of that shift, providing the sandboxed environments, verified images, and secure infrastructure that make autonomous workflows trustworthy by default.
As a Senior GRC Analyst, you will report to the Security Engineering Manager – GRC and own the buildout and operation of Docker's risk management program. You will design and implement enterprise risk management processes, including security risk assessments, third-party risk management, and the risk register. You will also lead Docker's AI governance initiative, developing the policies, assessments, and controls needed to ensure responsible AI use across the company. This role requires a builder's mindset: someone who can take ambiguous problem spaces, define what good looks like, and deliver operational programs that scale. You will collaborate cross-functionally with Engineering, Product, Legal, IT, and Security Engineering to embed risk awareness into Docker's decision-making processes.
Responsibilities
- Own and drive the compliance program roadmap, aligning framework requirements (SOC 2, ISO 27001, ISO 27701, ISO 42001) with business objectives and product strategy
- Lead cross-functional compliance initiatives with Engineering, Product, Legal, and IT, serving as the authoritative voice on governance and risk matters
- Design and maintain Docker’s unified control framework, including cross-mapping to NIST 800-53 and identifying control gaps across multiple standards
- Plan and execute internal audits end-to-end: scoping, evidence collection, control testing, findings management, and external auditor coordination
- Advise GRC Engineering on correct integrations to configure and controls that require automated monitoring
- Perform and lead risk assessments across systems, processes, third-party tools, and cloud configurations, translating findings into actionable risk treatment plans
- Own the vendor risk management program, evaluating third-party vendors against compliance and security standards and driving remediation of identified gaps
- Draft, review, and maintain corporate security policies and map them to relevant control standards, ensuring alignment across frameworks
- Establish and report on compliance metrics and KPIs, providing data-driven visibility into program maturity to leadership
- Stay current with evolving regulatory and industry standards (e.g., ISO 27xxx, SOC 2, GDPR, AI governance regulations) and proactively assess their impact on Docker’s compliance posture
Reasons to use Rodeo
I’m in my final year doing Economics and I don’t know whether to apply for grad schemes now or do a masters first. What do you think?
Honest answer — it depends on where you want to end up. A lot of top grad schemes (Big 4, civil service, banking) don’t need a masters. Let’s look at the ones you’d be competitive for now, and we can decide if a masters actually adds anything.
Also worth knowing: most autumn 2026 applications are open now. Timing matters more than you think.
Start with a chat, not a search bar
Grad scheme, placement, apprenticeship? Not sure what you want yet — that's fine. Your agent talks it through with you and turns "I have no idea" into a shortlist.
Graduate Consultant — 2026 Scheme
Why you're a good match
StrongYour economics background and your summer at a regional bank line up with what PwC looks for on the consulting scheme. Applications close in four weeks.
See breakdownIt searches the market for you
Every day your agent scans the market matching roles against what actually matters to you, not just keywords on a CV.
Why you're a good match
You’ve got the grades and the economics background, and your bank internship is exactly the experience this scheme looks for. Apply soon — deadlines close within the month.
Experience fit
Your summer at the bank plus your econometrics coursework map directly to the day-one responsibilities on this scheme — client modelling, market briefings, and deal support.
Only hits
No noise. No "maybe this fits." Just roles with a clear explanation of why they're right — and where to focus when applying.
Qualifications
- 4 to 6 years of experience in Information Security, Governance, Risk, and Compliance
- Demonstrated experience building or operating an enterprise risk management program, including risk assessments, risk registers, and risk treatment planning
- Experience with third-party risk management, including vendor security assessments and due diligence
- Working knowledge of security frameworks and standards including ISO 27001, SOC 2, NIST 800-53, and GDPR
- Familiarity with AI governance concepts and emerging frameworks (ISO 42001, NIST AI RMF) or a demonstrated ability to learn and apply new frameworks quickly
- Experience designing metrics and reporting for GRC programs, including dashboards and executive-level summaries
- Familiarity with cloud environments (AWS, GCP, Azure) and their risk and compliance implications
- Strong written and verbal communication skills with the ability to translate risk and compliance topics for both technical and non-technical audiences
- Track record of building and maturing GRC programs from the ground up, including defining processes, creating documentation, and operationalizing workflows
- Self-motivated with experience thriving in remote-first, fast-paced environments
Nice to Have:
- Relevant industry certifications such as CRISC, CISA, CISSP, or CCSK
- Experience with GRC platforms (Anecdotes, ServiceNow GRC, OneTrust, or similar)
- Experience with automation or scripting for risk management workflows
What to Expect
First 30 Days
- Learn Docker's risk landscape, key business processes, and existing risk documentation
- Meet with key stakeholders across Security, Legal, IT, Engineering, and Product
- Gain access to GRC platforms, risk management tools, and relevant documentation
- Review the current risk register, vendor inventory, and third-party assessment process
- Understand Docker's compliance frameworks (ISO 27001, ISO 27701, SOC 2) and how risk management integrates with assurance activities


Get help with your application
Your very own career expert that helps elevate your application to the next level.
First 90 Days
- Conduct a maturity assessment of the risk management program and identify priority gaps
- Begin operationalizing the risk register with consistent scoring, ownership assignment, and treatment tracking
- Take ownership of third-party risk management, including the vendor assessment queue
- Kick off the AI governance initiative: inventory existing AI use cases and draft an AI governance policy
- Design an initial GRC metrics framework and deliver the first iteration of risk reporting to leadership
- Support audit activities as needed, providing evidence and coordinating with control owners
First Year
- Own and mature Docker's enterprise risk management program with documented processes, regular risk reviews, and executive reporting
- Deliver a fully operational third-party risk management program with defined SLAs, assessment workflows, and remediation tracking
- Establish Docker's AI governance program, including policy, assessment process, and alignment toward ISO 42001 readiness
- Deliver recurring GRC metrics and dashboards that provide leadership visibility into risk posture and program health
- Contribute to audit readiness and evidence collection for SOC 2, ISO 27001, and ISO 27701 cycles
- Serve as a trusted advisor on risk matters across cross-functional teams
Docker does not offer visa sponsorship for this role.
Perks
- Freedom & flexibility; fit your work around your life
- Designated quarterly Whaleness Days plus end of year Whaleness break
- Home office setup; we want you comfortable while you work
- 16 weeks of paid Parental leave (after 6 months of employment)
- Technology stipend equivalent to $100 USD net/month
- PTO plan that encourages you to take time to do the things you enjoy
- Training stipend for conferences, courses and classes
- Equity; we are a growing start-up and want all employees to have a share in the success of the company
- Docker Swag
- Medical benefits, retirement and holidays vary by country
- Remote-first culture, with offices in Seattle and Paris
Docker embraces diversity and equal opportunity. We are committed to building a team that represents a variety of backgrounds, perspectives, and skills. The more inclusive we are, the better our company will be.
Compensation Range: €72K - €110K
“It took my CV and asked me questions relevant to understanding what kind of jobs to suggest for me. Suggestions were almost perfect. Jobs were exactly what I’ve been looking for.”
Jessica, London
Skills
Location