Accreditation Standards, Auditing, Blog, Business Administration, Business Operations, Business Processes, CCSP - Cisco Certified Security Professional, CISM - Certified Information Security Manager, CISSP - Certified Information Systems Security Professional, Cadence, Calendar Management, Campaigns, Career Development, Cloud Computing, Communication Skills, Computer Science, Continuous Improvement, Cookies, Corrective Action, Cross-Functional, Customer Support/Service, Design Document, Document Management, Due Diligence, Embedded Systems, English Language, Enterprise Architecture, Enterprise Protection, Environmental Protection Agency (EPA), Establish Priorities, External Audit, Finance, Financial Operations, Gap Analysis, ISO (International Organization for Standardization), Information Technology & Information Systems, Information/Data Security (InfoSec), Internal Audit, International Electro-Technical Commission (IEC), Internet Security, Leadership, Legal, Legal Support Skills, Machine Tool, Maintain Compliance, Manufacturing, Manufacturing Operations, Mergers and Acquisitions, Network Operations Center, OSHA, Performance Management, Privacy Controls, Privacy Regulations, Process Improvement, Process Management, Program Control, Project/Program Management, Regulations, Regulatory Compliance, Regulatory Requirements, Requirements Management, Research & Development (R&D), Risk, Risk Analysis, Risk Management, Risk Management Framework (RMF), SAP, Sales, Search Engine Keywords, Security Compliance, Security Monitoring, Security Policy, Service-Oriented Architecture (fka Distributed Object Architecture), ServiceNow, Status Reports, Supply Chain, Surveillance, Sustainability, Test Design, Time Tracking, Treatment Plan, U.S. National Institute of Standards and Technology (NIST), Vendor/Supplier Evaluation, Web Browsers, Willing to Travel, Writing Skills
We use cookies to offer you the best possible website experience. Your cookie preferences will be stored in your browser's local storage. This includes cookies necessary for the website's operation. Additionally, you can freely decide and change any time whether you accept cookies or choose to opt out of cookies to improve website's performance, as well as cookies used to display content tailored to your interests. Your experience of the site and the services we are able to offer may be impacted if you do not accept all cookies.
Modify Cookie Preferences
Accept All Cookies
Skip to main content
Language
- English (United States)
- Français (Canada)
- Nederlands (Nederland)
- Português (Brasil)
Employee Login
Language
- English (United States)
- Français (Canada)
- Nederlands (Nederland)
- Português (Brasil)
Employee Login
About Us
Open Roles
All Careers
Internships
Operations
Career Development
Corporate
Research and Development
Join Talent Community
COVID-19 Update
Language
US English
CA French
NL Dutch
BR Portuguese
View Profile
Employee Login
Search by Keyword
Select how often (in days) to receive an alert:
Create Alert
×
Select how often (in days) to receive an alert:
Apply now "
Apply now
- Apply Now
- Start applying with LinkedIn
Start
Please wait...
Compliance and Risk Manager - US Remote
Date: Jul 14, 2026
Location:
Columbus, OH, US
Company Overview
Hexion is a global leader in specialty chemicals, delivering innovative solutions that improve performance, sustainability, and efficiency across industries. Our manufacturing operations span multiple continents, integrating complex Operational Technology (OT) environments with enterprise IT systems. As regulatory expectations and cyber risk continue to evolve, Hexion is investing in a mature Governance, Risk, and Compliance (GRC) function to protect our business, our customers, and the integrity of our operations. The Compliance and Risk Manager is a critical role in that function - translating regulatory requirements into operational controls and ensuring that risk is measured, managed, and communicated with rigor.
Position Overview
The Compliance and Risk Manager is a senior practitioner responsible for designing, implementing, and continuously improving Hexion's information security compliance and enterprise risk management programs. This role requires deep expertise across ISO 27001, ISO 27017, ISO 27018, SOC 2 Type II, CIS Controls (Levels 1 and 2), and NIST 800-53, with a clear ability to map controls across frameworks and translate requirements into practical, auditable processes.
This role ensures:
- Hexion maintains certification and audit readiness across all applicable compliance frameworks
- Enterprise risk is identified, assessed, tracked, and reported with a consistent, repeatable methodology
- Controls are operationalized - not just documented - across IT and OT environments
- Compliance obligations in manufacturing and OT contexts are understood and addressed
- Security and risk posture is communicated clearly to executive leadership and the Board
This is a practitioner's role. The ideal candidate has spent years in the field - conducting audits, writing controls, managing risk registers, and preparing organizations for certification. They bring the authority of deep experience, the discipline of a compliance professional, and the judgment of a senior risk advisor.
Work Environment & Travel
- This is a remote-first position with periodic travel to Hexion manufacturing facilities, partner locations, and auditor or certification body engagements as required (~10-15%).
One-Line Summary
- Own Hexion's compliance and risk management programs across ISO 27001/17/18, SOC 2, CIS Controls, and NIST - ensuring that controls are real, risks are measured, and the organization is audit-ready every day of the year.
Job Responsibilities
- Compliance Program Management (ISO 27001 / 27017 / 27018)
Own Hexion's ISO 27001 Information Security Management System (ISMS) and related cloud-specific extensions:
- Maintain ISO 27001 certification - manage the full audit lifecycle including internal audits, surveillance audits, and recertification, leveraging ISO 27002.
- Apply ISO 27017 controls cloud service security, governing Hexion's obligations as both a cloud service customer and, where applicable, a cloud service provider
- Implement ISO 27018 controls for protection of personally identifiable information (PII) in cloud environments
- Manage the Statement of Applicability (SoA), control selection rationale, and exceptions register
- Drive continuous improvement of the ISMS through management review cycles, nonconformity tracking, and corrective action management
- Coordinate with external certification bodies, manage audit evidence packages, and facilitate auditor access
- SOC 2 Type II Program
Lead Hexion's SOC 2 compliance program across all applicable Trust Services Criteria:
- Define and maintain SOC 2 control mapping across Security, Availability, Confidentiality, Processing Integrity, and Privacy categories
- Manage common controls library - identify controls that satisfy multiple frameworks simultaneously to reduce compliance overhead
- Coordinate readiness assessments and work with external auditors throughout the Type II observation period
- Oversee evidence collection workflows, vendor attestation, and control testing documentation
- Track and resolve audit exceptions and management responses
- Communicate SOC 2 report status to customers and prospects in coordination with sales and legal
- CIS Controls Implementation (Levels 1 and 2)
Operationalize the CIS Controls as the enterprise's security baseline framework:
- Maintain the CIS Controls implementation roadmap, tracking adoption across all 18 control families
- Prioritize and govern IG1 (basic cyber hygiene) and IG2 (foundational) controls across IT and OT environments
- Partner with security engineering to implement and validate technical controls mapped to CIS safeguards
- Measure and report CIS Controls maturity using CIS CSAT or equivalent tooling
- Use CIS Controls as a practical lens for remediation prioritization and risk reduction sequencing
Additional Job Responsibilities
- NIST 800-53 & Enterprise Risk Framework
Maintain fluency in NIST 800-53 and apply it to enterprise risk governance:
- Map organizational controls to NIST 800-53 control families to support federal customer requirements, supply chain diligence, and internal governance
- Leverage NIST 800-53 as a reference framework for control gap analysis and risk treatment prioritization
- Apply NIST Risk Management Framework (RMF) concepts to information system authorization and risk acceptance decisions
- Maintain control crosswalks across ISO 27001, SOC 2, CIS Controls, NIST 800-53, and NIST CSF to reduce duplicated effort and provide unified risk visibility and leverage ISO 27005 risk framework.
- Controls Design, Testing & Assurance
Own the internal controls assurance program:
- Design, document, and maintain the enterprise controls library - mapping each control to owning team, testing frequency, and framework coverage
- Execute and manage the internal control testing calendar, coordinating evidence collection with control owners across IT, OT, and business functions
- Identify control deficiencies, document findings, and drive remediation to closure with defined timelines
- Develop control self-assessment (CSA) programs to extend assurance coverage without reliance solely on external audits
- Implement GRC tooling to automate evidence collection, control monitoring, and reporting (e.g., ServiceNow GRC, OneTrust, Drata, Vanta)
- Policy & Standards Governance
Maintain the policy architecture that underpins the compliance program:
- Own the information security policy library - drafting, reviewing, publishing, and retiring policies on a defined lifecycle cadence
- Ensure policies are mapped to applicable control frameworks and regulatory requirements
- Manage policy exception process - intake, risk assessment, approval, and time-bound tracking
- Coordinate policy acknowledgment and awareness campaigns with HR and business unit leadership
Competencies
- Framework fluency - you can navigate ISO 27001, SOC 2, CIS Controls, and NIST without needing to look up the basics
- Controls precision - you write controls that are specific, testable, and defensible under audit scrutiny
- Risk judgment - you distinguish material risk from noise and help leadership make informed decisions, not just consume reports
- Operational credibility - you understand how manufacturing and OT environments work and design compliance requirements that are implementable on the plant floor
- Stakeholder influence - you earn trust with engineering, legal, finance, and operations by being practical, clear, and consistent
- Audit readiness - you maintain an organization's readiness posture year-round, not in a scramble before the auditor arrives
Leadership Expectations
- Serve as the enterprise subject matter expert on information security compliance, risk management, and control frameworks
- Build a compliance culture that is embedded in business processes - not bolted on at audit time
- Influence cross-functional partners without direct authority - driving accountability for controls across teams that do not report to security
- Translate complex regulatory requirements into plain-language business guidance that operational leaders can act on
- Represent compliance and risk in vendor evaluations, M&A due diligence, and enterprise architecture discussions
- Maintain credibility that comes only from experience - auditors, regulators, and business leaders alike should view this role as the authority on Hexion's compliance posture
Minimum Qualifications
- Bachelor's degree in Information Security, Computer Science, Business Administration, or related field (Master's preferred)
- 7+ years of progressive experience in information security compliance, GRC, or risk management roles
- Demonstrated, hands-on experience managing ISO 27001 certification programs - including internal audits, SoA management, and external audit coordination
- Deep knowledge of ISO 27017 and ISO 27018 cloud security and privacy controls
- Practical SOC 2 Type II experience - control design, evidence collection, auditor management, and exception resolution
- Proficiency with CIS Controls (IG1 and IG2) including control mapping, gap assessment, and implementation road mapping
- Working knowledge of NIST 800-53 control families and the NIST Risk Management Framework
- Experience operating enterprise risk management programs - risk registers, treatment plans, risk reporting to leadership
- Ability to build and maintain control crosswalks across multiple frameworks (ISO, SOC 2, CIS, NIST)
- Strong written communication - able to produce policy documents, audit evidence packages, and executive risk reports
Preferred Qualifications
Experience with:
- OT/ICS environments - familiarity with IEC 62443, NIST SP 800-82, or industrial cybersecurity frameworks
- Manufacturing or chemical industry regulatory landscape (OSHA PSM, EPA RMP, REACH, or similar)
- Third-party risk management (TPRM) programs and vendor risk assessment methodologies
- GDPR, CCPA, or other data privacy regulatory frameworks
Certifications (any of the following valued):
- CISM (Certified Information Security Manager)
- CRISC (Certified in Risk and Information Systems Control)
- ISO 27001 Lead Auditor or Lead Implementer
- CISSP, CCSP, or CGEIT
- SOC 2 practitioner credentials (AICPA TSC or equivalent)
Other
We are an Equal Opportunity, Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to gender, pregnancy, race, national origin, religion, age, sexual orientation, gender identity, veteran or military status, status as a qualified individual with a disability or any other characteristic protected by law.
To be considered for this position candidates are required to submit an application for employment through our career site and, be at least 18 years of age. Any offer of employment will be conditioned upon successful completion of a drug test and background investigation, as well as authorization for the Company to conduct additional periodic background checks as required by the Chemical Facility Anti-Terrorism Standards (CFATS) or regulations adopted by the department of Homeland Security or other regulatory agencies. A prior criminal record is not an automatic bar to employment, and the Company will conduct an individualized assessment and reassessment, consistent with applicable law, prior to making any final employment decision.
Nearest Major Market: Columbus
Nearest Secondary Market: Dublin
Apply now "
Apply now
- Apply Now
- Start applying with LinkedIn
Start
Please wait...
Find similar jobs:
Management Admin, Information Technology, Finance, Corporate, All_Jobs
- Careers Home
- View All Jobs
- Top Jobs
- Privacy Policy
- Legal Notices
- Cookie Policy
- Site Cookie Manager
PRODUCTS
- Application
- Chemistry
- Industry
- Brand
COMPANY
- About
- Sustainability
- Blog
- Data Privacy for Applicants
2022 Hexion. All rights reserved.
×
Cookie Consent Manager
When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. Because we respect your right to privacy, you can choose not to allow some types of cookies. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.
Required Cookies
These cookies are required to use this website and can't be turned off.
Required Cookies
Show More Details
Required Cookies Provider Description Enabled SAP as service provider
We use the following session cookies, which are all required to enable the website to function:
- "route" is used for session stickiness
- "careerSiteCompanyId" is used to send the request to the correct data center
- "JSESSIONID" is placed on the visitor's device during the session so the server can identify the visitor
- "Load balancer cookie" (actual cookie name may vary) prevents a visitor from bouncing from one instance to another
Cookies from provider SAPasserviceprovider are required and cannot be turned off
Advertising Cookies
These cookies serve ads that are relevant to your interests. You may freely choose to accept or decline these cookies at any time. Note that certain functionality that these third parties make available may be impacted if you do not accept these cookies.
Consent to all Advertising Cookies
Show More Details
Advertising Cookies Provider Description Enabled LinkedIn
LinkedIn is an employment-oriented social networking service. We use the Apply with LinkedIn feature to allow you to apply for jobs using your LinkedIn profile. Opting out of LinkedIn cookies will disable your ability to use Apply with LinkedIn.
Cookie Policy
Cookie Table
Privacy Policy
Terms and Conditions
Consent to cookies from provider LinkedIn
Confirm My Choices
Accept All Cookies