About Grace
Languages
- English: Native or bilingual
- Swahili: Native or bilingual
Experience
- SAP SE, Senior Information Security Compliance Specialist, May 2025 - Today (1 year and 1 month), Germany
  - Led annual end-to-end internal PCI-DSS assessments for 20+ environments, aligning controls to PCI DSS v4.0, resulting in successful annual validation with zero findings.
  - Executed detailed control testing across 100+ technical and administrative controls spanning all 12 PCI DSS domains, identifying and remediating compliance gaps that reduced audit findings by 70% year-over-year.
  - Defined and validated PCI scope across multi-region cloud and on-premise environments, reducing CDE footprint by 40% through segmentation validation and refined boundary identification.
  - Partnered with 15+ cross-functional stakeholders (ISOs, DevOps, infrastructure, application owners) to collect and validate 500+ pieces of audit evidence, ensuring timely submission ahead of assessment deadlines.
  - Developed and enhanced 25+ PCI-aligned policies, standards, and procedures, improving control clarity and reducing recurring documentation findings by 60%.
  - Managed remediation lifecycle for 50+ identified gaps, tracking corrective actions to closure and formalizing risk acceptance documentation and compensating control worksheets (CCWs) where applicable.
  - Supported preparation of AOC/ROC documentation packages, serving as primary liaison for QSA engagement.
  - Led PCI readiness initiatives across hybrid AWS and on-prem environments, including Kubernetes-based platforms, improving vulnerability remediation.
  - Designed and implemented centralized evidence repositories and standardized assessment workflows, shortening audit preparation cycles and improving cross-team visibility into compliance status.
- HelloFresh SE, Governance Risk Compliance Analyst, March 2023 - Today (3 years and 3 months), Germany
  - Led PCI-DSS compliance program for high-volume (6M+ transactions) e-commerce environment, ensuring continuous compliance with PCI DSS v4.0.
  - Optimized Cardholder Data Environment (CDE) scope, decreasing in-scope systems by 20% through segmentation strategy redesign and tokenization enhancements.
  - Partnered with engineering and DevOps teams to embed PCI security controls into CI/CD pipelines, improving secure configuration compliance from 70% to 95%.
  - Implemented automated evidence collection processes (log retention, vulnerability scans, access reviews), reducing audit preparation time by 30%.
  - Oversaw quarterly ASV scans and internal vulnerability management processes across 200+ production assets, improving critical vulnerability remediation SLA compliance.
  - Designed and implemented a risk triage framework to evaluate inherent and residual risks, aligning security priorities with business objectives.
  - Established and governed a third-party risk management program, conducting 300+ vendor security assessments annually to ensure continuous monitoring and compliance with security and data privacy requirements.
  - Implemented a GRC platform, improving compliance reporting accuracy by 80% and reducing compliance tracking time by 80%, significantly strengthening regulatory alignment and organisational resilience.
  - Managed internal and external audits (ISO 27001, SOC 2, PCI DSS), ensuring sustained regulatory compliance and continuous security posture improvement.
  - Strengthened incident response governance, coordinating cross-functional teams to investigate and manage cybersecurity incidents.
  - Enhanced organisational security awareness and risk culture through interactive training programmes covering phishing, malware, data protection, and social engineering.
  - Led NIS2 Directive alignment, identifying compliance gaps across IT and operational functions and fortifying the company's risk management strategy.
- Bitso Sapi de CV, Risk Associate, February 2022 - December 2022 (10 months)
  - Led compliance project achieving ISO 31000 certification, strengthening enterprise risk management framework.
  - Developed risk assessment reports using GRC software (OneTrust, Archer), improving risk monitoring and achieving 91% compliance with regulatory standards.
  - Optimized third-party risk management (TPRM) by implementing vendor security assessments and due diligence reviews for new partnerships.
  - Enhanced risk reporting for senior leadership, providing data-driven insights on operational risk exposure and control effectiveness.
Education
- Bachelor of Science, Dedan Kimathi University of Science & Technology, 2015
- Bunyore Girls: K.C.S.E, Victoria Primary School, 2015