Sarbas V — GRC Analyst & ISO 27001 Lead Auditor
Immediately Available · Open to Relocation

Sarbas V

Information Security professional specialising in Governance, Risk & Compliance. ISO/IEC 27001:2022 Lead Auditor certified by TÜV SÜD, with hands-on experience mapping technical security findings to ISO 27001, SOC 2, PCI DSS, NIST CSF, and GDPR control frameworks — producing audit-ready documentation that satisfies both security teams and compliance stakeholders.

ISO 27001:2022 Lead Auditor · GRC Analyst · Risk Management · IT Audit · SOC 2 · PCI DSS · GDPR · NIST CSF

Professional Profile

I'm a GRC Analyst and Information Security professional with ~2 years of compliance-aligned security assessment experience, now fully dedicated to building and supporting governance frameworks that are both technically sound and audit-ready.

My background in vulnerability assessment and penetration testing gives me a technical foundation that most compliance professionals lack. I don't just document controls — I understand what they protect against, how they can fail, and how to write findings that a board member and an auditor can both act on.

I recently completed the ISO/IEC 27001:2022 Lead Auditor programme at TÜV SÜD (March 2026), covering the full audit lifecycle from planning and fieldwork through nonconformity grading and corrective action follow-up. This complements my practical experience running compliance evidence collection and control gap analysis across client engagements at two security firms.

✦ GRC Depth — What I Bring
Framework coverage: ISO 27001:2022 (Clauses 4–10, all 93 Annex A controls), SOC 2 Trust Services Criteria, PCI DSS, NIST CSF, GDPR, and India's DPDP Act.
Risk practice: Asset classification, threat and vulnerability analysis, risk register development, residual risk scoring, and risk treatment planning aligned to ISO 27005.
Audit support: Internal audit readiness, evidence collection, finding documentation, corrective action tracking, and ISMS documentation from the ground up.
Third-party risk: Vendor risk assessment, security questionnaire evaluation, due diligence reporting, and remediation follow-up for high-risk supply chain relationships.
Training delivery: Delivered corporate GRC and cybersecurity training programmes for working professionals across SOC operations, security awareness, and compliance fundamentals.
At a Glance
Role: GRC Analyst
Experience: ~2 Years
Base: Calicut, Kerala
Open To: Hyderabad · Bangalore · Chennai · Remote
Availability: Immediate

Certifications
  • ISO/IEC 27001:2022 Lead Auditor · TÜV SÜD · March 2026 · ✦ Certified
  • Certified SOC Analyst (C|SA) v1 · EC-Council · August 2024 · ID: ECC4192087635 · ✦ Certified
  • M.Sc. Information Security · IGNOU · 2025 – Present · ⟳ In Progress

Work History

Jul 2025 – Feb 2026
Cybersecurity Consultant
Ehackify Cybersecurity Research & Training
Calicut, Kerala · On-site

Delivered compliance-aligned security assessments for clients, with a strong focus on translating technical findings into structured, framework-mapped documentation suitable for audit review and executive reporting.

  • Evaluated client security controls against ISO 27001 Annex A, SOC 2 TSC, and NIST CSF; produced risk-rated gap analysis reports with prioritised remediation roadmaps.
  • Led a dedicated ISO 27001:2022 control mapping engagement — documented control implementation evidence and produced an ISMS evidence package aligned to certification audit requirements.
  • Maintained audit-ready compliance documentation across concurrent client engagements, ensuring all artefacts were accurately mapped to control objectives and remediation status was tracked.
  • Delivered corporate cybersecurity training programmes covering network security, web security, API security, SOC operations, and GRC fundamentals for working professionals.
ISO 27001 · SOC 2 · NIST CSF · Gap Analysis · ISMS · Training Delivery

Jun 2024 – Jul 2025
Security Analyst
Fetlla LLP
Calicut, Kerala · Hybrid

Conducted technical security assessments across web, mobile, API, and network environments, with all findings systematically mapped to compliance control frameworks and documented in audit-ready reports.

  • Executed VAPT engagements and mapped all findings directly to ISO 27001 Annex A, SOC 2 TSC, and PCI DSS control requirements — producing compliance-aligned reports with remediation guidance.
  • Performed access control reviews and security configuration assessments; documented overprivileged accounts and misconfigurations as formal control gaps with corrective action recommendations.
  • Produced severity-rated findings with detailed impact analysis, ensuring technical output was structured for both security teams and compliance stakeholders.
  • Maintained compliance documentation and audit records across multiple concurrent engagements, ensuring records remained current and suitable for formal review.
VAPT · ISO 27001 · PCI DSS · SOC 2 · Access Control Review · Compliance Reporting

Hands-On GRC Work

Each project simulates a real-world GRC engagement — producing the same artefacts a professional would deliver in an actual compliance programme: risk registers, audit evidence, vendor assessments, policy documentation, and corrective action plans.

ISO 27001:2022 · NIST CSF
ISMS Risk Assessment — Cloud Migration
Simulated: B2B SaaS company migrating infrastructure to AWS
  • Conducted full asset identification and classification; performed structured risk assessment with likelihood, impact, and residual risk scoring.
  • Built a formal risk register with treatment decisions mapped to ISO 27001 Annex A controls and NIST CSF functions.
  • Produced a complete audit-ready ISMS documentation package: asset inventory, risk register, risk treatment plan, Statement of Applicability, and control implementation evidence.
ISO 27001 · Risk Register · SoA · NIST CSF · Cloud

SOC 2 Type II · NIST CSF
SOC 2 Type II Audit Preparation
Simulated: Data analytics SaaS platform serving Fortune 500 clients
  • Documented 12 controls against SOC 2 Trust Services Criteria spanning Security, Availability, and Confidentiality categories.
  • Catalogued 4 in-scope systems; collected and organised compliance evidence against each applicable TSC control objective.
  • Conducted control gap testing; produced a prioritised corrective action plan aligned to SOC 2 observation period requirements, covering remediation timelines and ownership.
SOC 2 Type II · TSC · Audit Readiness · NIST CSF

PCI DSS · SOC 2
Third-Party Risk — Payment Processor
Simulated: Financial services vendor with cardholder data environment access
  • Conducted structured vendor risk assessment against PCI DSS and SOC 2 requirements; assessed 4 vendor risks and verified 6 controls against framework obligations.
  • Documented 3 critical risk findings with severity ratings, business impact, and evidence references.
  • Produced a vendor risk report with a prioritised remediation schedule and escalation criteria for the risk management programme.
PCI DSS · SOC 2 · TPRM · Vendor Due Diligence

GDPR · ISO 27001
GDPR Compliance Programme
Simulated: E-commerce company expanding operations across the EU
  • Mapped 5 data processing activities; assessed 6 privacy risks across customer data handling workflows covering 3M+ records.
  • Conducted Data Protection Impact Assessments (DPIAs) and established DSAR response procedures aligned to GDPR Article 17 obligations.
  • Implemented 10 GDPR-aligned controls; authored 3 policies covering consent management, data retention, and breach notification (Articles 13, 32, and 33).
GDPR · ISO 27001 · DPIA · DSAR · Data Privacy

Academic Background

M.Sc. Information Security
Indira Gandhi National Open University (IGNOU)
2025 – Present · Distance Learning
⟳ In Progress
Bachelor of Arts — General Studies
Indira Gandhi National Open University (IGNOU)
2020 – 2023 · Distance Learning

Work Together

I'm actively seeking GRC Analyst, IT Auditor, and Risk & Compliance roles where I can contribute immediately. If you're building or scaling a compliance programme and need someone who understands both the technical and governance sides of information security — let's talk.

IMMEDIATELY AVAILABLE
Hyderabad · Bangalore · Chennai · Remote

Email: sarbasvellari@gmail.com
Phone / WhatsApp: +91 8137051420
Portfolio Site: sarbasibrahim.com