Compliance and Risk Manager - US Remote
Columbus, OH, US
Company Overview
Hexion is a global leader in specialty chemicals, delivering innovative solutions that improve performance, sustainability, and efficiency across industries. Our manufacturing operations span multiple continents, integrating complex Operational Technology (OT) environments with enterprise IT systems. As regulatory expectations and cyber risk continue to evolve, Hexion is investing in a mature Governance, Risk, and Compliance (GRC) function to protect our business, our customers, and the integrity of our operations. The Compliance and Risk Manager is a critical role in that function — translating regulatory requirements into operational controls and ensuring that risk is measured, managed, and communicated with rigor.
Position Overview
The Compliance and Risk Manager is a senior practitioner responsible for designing, implementing, and continuously improving Hexion's information security compliance and enterprise risk management programs. This role requires deep expertise across ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, CIS Controls (Levels 1 and 2), and NIST 800-53, with a clear ability to map controls across frameworks and translate requirements into practical, auditable processes.
This role ensures:
- Hexion maintains certification and audit readiness across all applicable compliance frameworks
- Enterprise risk is identified, assessed, tracked, and reported with a consistent, repeatable methodology
- Controls are operationalized — not just documented — across IT and OT environments
- Compliance obligations in manufacturing and OT contexts are understood and addressed
- Security and risk posture is communicated clearly to executive leadership and the Board
This is a practitioner's role. The ideal candidate has spent years in the field — conducting audits, writing controls, managing risk registers, and preparing organizations for certification. They bring the authority of deep experience, the discipline of a compliance professional, and the judgment of a senior risk advisor.
Work Environment & Travel
- This is a remote-first position with periodic travel to Hexion manufacturing facilities, partner locations, and auditor or certification body engagements as required (~10–15%).
One-Line Summary
- Own Hexion's compliance and risk management programs across ISO 27001/17/18, SOC 2, CIS Controls, and NIST — ensuring that controls are real, risks are measured, and the organization is audit-ready every day of the year.
Job Responsibilities
1. Compliance Program Management (ISO 27001 / 27017 / 27018)
Own Hexion's ISO 27001 Information Security Management System (ISMS) and related cloud-specific extensions:
- Maintain ISO 27001 certification — manage the full audit lifecycle including internal audits, surveillance audits, and recertification, leveraging ISO 27002.
- Apply ISO 27017 controls cloud service security, governing Hexion's obligations as both a cloud service customer and, where applicable, a cloud service provider
- Implement ISO 27018 controls for protection of personally identifiable information (PII) in cloud environments
- Manage the Statement of Applicability (SoA), control selection rationale, and exceptions register
- Drive continuous improvement of the ISMS through management review cycles, nonconformity tracking, and corrective action management
- Coordinate with external certification bodies, manage audit evidence packages, and facilitate auditor access
2. SOC 2 Type II Program
Lead Hexion's SOC 2 compliance program across all applicable Trust Services Criteria:
- Define and maintain SOC 2 control mapping across Security, Availability, Confidentiality, Processing Integrity, and Privacy categories
- Manage common controls library — identify controls that satisfy multiple frameworks simultaneously to reduce compliance overhead
- Coordinate readiness assessments and work with external auditors throughout the Type II observation period
- Oversee evidence collection workflows, vendor attestation, and control testing documentation
- Track and resolve audit exceptions and management responses
- Communicate SOC 2 report status to customers and prospects in coordination with sales and legal
3. CIS Controls Implementation (Levels 1 and 2)
Operationalize the CIS Controls as the enterprise's security baseline framework:
- Maintain the CIS Controls implementation roadmap, tracking adoption across all 18 control families
- Prioritize and govern IG1 (basic cyber hygiene) and IG2 (foundational) controls across IT and OT environments
- Partner with security engineering to implement and validate technical controls mapped to CIS safeguards
- Measure and report CIS Controls maturity using CIS CSAT or equivalent tooling
- Use CIS Controls as a practical lens for remediation prioritization and risk reduction sequencing
Additional Job Responsibilities
4. NIST 800-53 & Enterprise Risk Framework
Maintain fluency in NIST 800-53 and apply it to enterprise risk governance:
- Map organizational controls to NIST 800-53 control families to support federal customer requirements, supply chain diligence, and internal governance
- Leverage NIST 800-53 as a reference framework for control gap analysis and risk treatment prioritization
- Apply NIST Risk Management Framework (RMF) concepts to information system authorization and risk acceptance decisions
- Maintain control crosswalks across ISO 27001, SOC 2, CIS Controls, NIST 800-53, and NIST CSF to reduce duplicated effort and provide unified risk visibility and leverage ISO 27005 risk framework.
5. Controls Design, Testing & Assurance
Own the internal controls assurance program:
- Design, document, and maintain the enterprise controls library — mapping each control to owning team, testing frequency, and framework coverage
- Execute and manage the internal control testing calendar, coordinating evidence collection with control owners across IT, OT, and business functions
- Identify control deficiencies, document findings, and drive remediation to closure with defined timelines
- Develop control self-assessment (CSA) programs to extend assurance coverage without reliance solely on external audits
- Implement GRC tooling to automate evidence collection, control monitoring, and reporting (e.g., ServiceNow GRC, OneTrust, Drata, Vanta)
6. Policy & Standards Governance
Maintain the policy architecture that underpins the compliance program:
- Own the information security policy library — drafting, reviewing, publishing, and retiring policies on a defined lifecycle cadence
- Ensure policies are mapped to applicable control frameworks and regulatory requirements
- Manage policy exception process — intake, risk assessment, approval, and time-bound tracking
- Coordinate policy acknowledgment and awareness campaigns with HR and business unit leadership
Competencies
- Framework fluency — you can navigate ISO 27001, SOC 2, CIS Controls, and NIST without needing to look up the basics
- Controls precision — you write controls that are specific, testable, and defensible under audit scrutiny
- Risk judgment — you distinguish material risk from noise and help leadership make informed decisions, not just consume reports
- Operational credibility — you understand how manufacturing and OT environments work and design compliance requirements that are implementable on the plant floor
- Stakeholder influence — you earn trust with engineering, legal, finance, and operations by being practical, clear, and consistent
- Audit readiness — you maintain an organization's readiness posture year-round, not in a scramble before the auditor arrives
Leadership Expectations
- Serve as the enterprise subject matter expert on information security compliance, risk management, and control frameworks
- Build a compliance culture that is embedded in business processes — not bolted on at audit time
- Influence cross-functional partners without direct authority — driving accountability for controls across teams that do not report to security
- Translate complex regulatory requirements into plain-language business guidance that operational leaders can act on
- Represent compliance and risk in vendor evaluations, M&A due diligence, and enterprise architecture discussions
- Maintain credibility that comes only from experience — auditors, regulators, and business leaders alike should view this role as the authority on Hexion's compliance posture
Minimum Qualifications
- Bachelor's degree in Information Security, Computer Science, Business Administration, or related field (Master's preferred)
- 7+ years of progressive experience in information security compliance, GRC, or risk management roles
- Demonstrated, hands-on experience managing ISO 27001 certification programs — including internal audits, SoA management, and external audit coordination
- Deep knowledge of ISO 27017 and ISO 27018 cloud security and privacy controls
- Practical SOC 2 Type II experience — control design, evidence collection, auditor management, and exception resolution
- Proficiency with CIS Controls (IG1 and IG2) including control mapping, gap assessment, and implementation road mapping
- Working knowledge of NIST 800-53 control families and the NIST Risk Management Framework
- Experience operating enterprise risk management programs — risk registers, treatment plans, risk reporting to leadership
- Ability to build and maintain control crosswalks across multiple frameworks (ISO, SOC 2, CIS, NIST)
- Strong written communication — able to produce policy documents, audit evidence packages, and executive risk reports
Preferred Qualifications
Experience with:
- OT/ICS environments — familiarity with IEC 62443, NIST SP 800-82, or industrial cybersecurity frameworks
- Manufacturing or chemical industry regulatory landscape (OSHA PSM, EPA RMP, REACH, or similar)
- Third-party risk management (TPRM) programs and vendor risk assessment methodologies
- GDPR, CCPA, or other data privacy regulatory frameworks
Certifications (any of the following valued):
- CISM (Certified Information Security Manager)
- CRISC (Certified in Risk and Information Systems Control)
- ISO 27001 Lead Auditor or Lead Implementer
- CISSP, CCSP, or CGEIT
- SOC 2 practitioner credentials (AICPA TSC or equivalent)
Other
We are an Equal Opportunity, Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to gender, pregnancy, race, national origin, religion, age, sexual orientation, gender identity, veteran or military status, status as a qualified individual with a disability or any other characteristic protected by law.
To be considered for this position candidates are required to submit an application for employment through our career site and, be at least 18 years of age. Any offer of employment will be conditioned upon successful completion of a drug test and background investigation, as well as authorization for the Company to conduct additional periodic background checks as required by the Chemical Facility Anti-Terrorism Standards (CFATS) or regulations adopted by the department of Homeland Security or other regulatory agencies. A prior criminal record is not an automatic bar to employment, and the Company will conduct an individualized assessment and reassessment, consistent with applicable law, prior to making any final employment decision.
Nearest Major Market: Columbus
Nearest Secondary Market: Dublin