Associate Compliance Manager
Meesho · India
About the Team
Meesho's Security & Compliance team safeguards a platform that 5% of Indian households shop with - millions of orders, billions of data points, zero downtime as a baseline. We own the Information Security Management System, drive every external certification, and shape how Meesho earns trust with sellers, buyers, partners and regulators. We move fast, default to automation, and obsess over evidence.
About the Role
This is a hands-on individual contributor role for someone who wants to drive - not just oversee - a multi-framework compliance program. You'll be the DRI for ISO 27001:2022 and SOC 2 Type II, run end-to-end ITGC and TPRM cycles, and help operationalise India's DPDP Rules 2025 across a product organisation that processes data at meaningful scale. You'll work directly with Engineering, IT, Legal, Product, and external auditors.
What you will do:
Certifications & external audits
Own the certification and surveillance cycle for ISO 27001:2022 and SOC 2 Type II; act as the single point of contact for external auditors.
Plan and execute readiness assessments, gap closure, evidence collection, control walkthroughs, and management responses.
Maintain audit calendars, evidence repositories, and bridge letters between audit windows.
Drive PCI DSS v4.0.1 scope-reduction and assessment activities for in-scope environments.
ISMS, policies & frameworks
Maintain Meesho's ISMS aligned to ISO 27001:2022 - all 93 Annex A controls mapped across Organizational, People, Physical and Technological themes, with named owners and live evidence.
Author, review, version-control and socialise security policies, standards, and procedures.
Map controls across frameworks: ISO 27001:2022, SOC 2 TSC, PCI DSS v4.0.1, NIST CSF 2.0, CIS Controls v8, DPDP.
ITGC & internal audits
Design, test and continuously improve IT General Controls: access management, change management, IT operations, and SDLC.
Plan and execute internal audits; track findings to closure with engineering and IT.
Build and maintain the enterprise risk register; run RCSA, define KRIs, drive risk treatment plans and residual-risk acceptance with leadership.
Third-Party Risk Management (TPRM)
Run the full vendor lifecycle: intake → tiering → security due diligence (SIG / CAIQ / SOC 2 / ISO reviews) → contractual controls → continuous monitoring → offboarding.
Partner with Legal and Procurement to embed security clauses in MSAs, DPAs, and sub-processor agreements.
Conduct on-site / virtual vendor audits for tier-1 vendors and report to the security council.
Privacy & data protection
Operationalise the DPDP Act 2023 + DPDP Rules 2025 across the business: DPIAs, consent and notice flows, data-principal rights, 72-hour breach notification, and Records of Processing Activity.
Prepare Meesho for likely Significant Data Fiduciary (SDF) obligations: independent data-auditor coordination, DPO interfacing, algorithmic transparency, and children's-data safeguards.
Track IT Act, CERT-In directions, and sector-specific guidelines as relevant.
Business continuity
Maintain BCP and DR aligned to ISO 22301 - BIAs, RTO/RPO definitions, and annual DR / failover testing.
Awareness & culture
Run organisation-wide security and privacy awareness: onboarding, refreshers, phishing simulations, and role-based modules.
Partner & customer trust
Respond to seller, partner and enterprise security questionnaires; maintain the Trust Center and security collateral.
What you will need:
4–6 years in security compliance, IT audit, or GRC at a product company (SaaS, fintech, e-commerce, payments, consumer internet).
Hands-on experience driving ISO 27001:2022 end-to-end: gap → implementation → certification → surveillance.
Hands-on experience driving SOC 2 Type II end-to-end, including auditor management.
Strong ITGC experience: access, change, ops, and SDLC control design and testing.
Strong TPRM experience across the full vendor lifecycle.
Working knowledge of cloud (AWS and/or GCP) - shared-responsibility model, CIS benchmarks, native services for evidence (AWS Config, GCP SCC, CloudTrail, IAM Analyzer).
Demonstrated stakeholder management with Engineering, IT, Legal, Product, and external auditors.
Excellent written communication - you'll author policies, audit responses, and risk reports read by senior leadership.
Nice to have
DPDP Act 2023 / DPDP Rules 2025 implementation experience; familiarity with GDPR or ISO 27701.
Hands-on with a GRC platform: Sprinto, Vanta, Drata, OneTrust, AuditBoard, MetricStream, ServiceNow GRC, or Archer.
ISO 22301 BCMS experience.
Exposure to RBI / SEBI / IRDAI sectoral compliance.
PCI DSS v4.0.1 experience.
Certifications
ISO 27001:2022 Lead Auditor / Lead Implementer
CISA
CIPP/E or DCPP (privacy)