Job Description

If you’re a compliance pro who thrives on building scalable, tech-enabled frameworks and wants to be at the forefront of AI-assisted testing and automation, we want to meet you. We are evolving our compliance program to move at the speed of our business, and we need a strategic lead to take the wheel.

Forget the traditional "box-checking" mentality. This role is for a compliance professional who thrives on building scalable, tech-enabled frameworks and wants to be at the forefront of AI-assisted testing and automation. Join the Governance, Risk, and Compliance (GRC) team as a Senior Analyst on the Compliance Assessment team. In this role, you will lead the transformation and maturation of our existing Continuous Compliance Framework (CCF)—tailoring controls to our organization, acting as the functional lead for the CCF module in our GRC tool, and collaborating across the business to define the parameters that keep us secure.

A critical aspect of this role is cross-functional collaboration with the Governance and Risk teams to ensure the CCF, risk management, and governance programs are integrated and mutually reinforcing. You will also support our audits and assessments such as PCI, contributing to the team’s broader compliance posture.

A Day in the Life…

Continuous Compliance Framework (CCF) Transformation

Lead the transformation and ongoing maturation of the CCF, including updating and tailoring controls to reflect the current organizational environment, risk profile, and regulatory landscape.
Configure and manage the CCF program module within Nordstrom’s GRC tool, ensuring accurate representation of controls, testing schedules, evidence requirements, and ownership assignments.
Collaborate with stakeholders across business and technology teams to define control language, testing frequency, and implementation guidance that is practical and aligned with operational realities.
Document RACI models for all controls within the CCF, establishing clear ownership and accountability across teams.
Design and implement KPIs and KRIs for the CCF and broader compliance program, enabling data-driven reporting on compliance health and risk exposure

GRC Program Integration

Work closely with the Governance and Risk teams to ensure the CCF, risk management program, and governance program are integrated, with aligned control sets, shared evidence, and coordinated reporting.
Identify opportunities to harmonize compliance controls with risk appetite and governance structures, reducing duplication and improving program efficiency.
Participate in cross-GRC planning sessions to align timelines, control mappings, and stakeholder engagement strategies across all three programs.
Support the development and communication of a unified GRC narrative for leadership, translating program health across risk, governance, and compliance into cohesive insights.

Compliance Assessment & Methodology

Partner with Security Engineers to design AI-driven testing and automated evidence collection features within the GRC tool; the Senior Analyst provides functional requirements while Engineers lead technical builds.
Serve as a subject matter partner to the PCI program owner to ensure CCF controls satisfy PCI DSS requirements and support the annual PCI assessment process.
Design and implement enterprise compliance assessment methodologies that integrate multiple regulatory domains (e.g., NIST, CIS, SOX, HIPAA, CCPA).
Develop operational standards and quality criteria for compliance processes, ensuring consistency and effectiveness across the organization.
Serve as a subject matter resource for control testing approaches, evidence collection, and documentation quality

Stakeholder Engagement

Engage cross-functional stakeholders to gather input on control design, testing feasibility, and ownership, building lasting partnerships that embed compliance into the technology ecosystem.
Lead workshops and working sessions with stakeholders to define control requirements, discuss testing approaches, and align on program direction.
Serve as a liaison with internal and external auditors as needed, representing the organization’s compliance posture and program maturity.

Strategic Alignment & Program Leadership

Align CCF activities with strategic business and security objectives by participating in medium-term planning (6–18 months) and ensuring compliance initiatives support organizational goals.
Contribute to the strategic vision and roadmap for the Compliance Assessment team, developing reusable, scalable solutions that enhance program efficiency and support organizational growth.
Coordinate cross-functional compliance initiatives to ensure comprehensive regulatory coverage and consistent execution.

You Own This If You Have…

Required Qualifications

Experience:

4–6 years of regulatory compliance experience with demonstrated ownership of cross-functional compliance initiatives.
Direct experience building and managing Continuous Compliance Framework (CCF) or Common Control Framework programs.
Hands-on experience configuring compliance programs within GRC tools and platforms.
Experience working with stakeholders to define control language, RACI, and testing cadence.
Demonstrated experience developing KPIs and KRIs for compliance programs.
Familiarity with PCI DSS sufficient to support assessments and control testing activities.
Experience partnering with engineering or security teams to implement automated or AI-assisted control testing.
Proven ability to align compliance operations with strategic business objectives.

Education:

Bachelor’s or Master’s degree in Information Technology, Computer Science, Cybersecurity, or related field, or equivalent work experience.

Technical Knowledge:

Deep knowledge about multiple regulatory frameworks (CIS, NIST, SOX, HIPAA, CCPA, PCI DSS v4.x) and their control implications.
Experience testing technical controls and documenting evidence to support audits.
Understanding of enterprise compliance architecture and integrated control frameworks.
Familiarity with GRC tool configuration and workflow design.
Knowledge of AI/automation tools applicable to compliance testing and evidence collection.

Skills:

Strong control framework design and documentation capabilities.
Excellent stakeholder engagement and facilitation skills; able to drive consensus across technical and non-technical audiences.
Ability to develop and communicate KPIs/KRIs and compliance metrics to leadership.
Strong written and verbal communication skills, including experience presenting to senior leadership.
Self-directed and results-oriented; able to operate with autonomy, manage competing priorities, and drive programs to completion.
Collaborative mindset with the ability to work effectively across the GRC triad (risk, governance, compliance).

Preferred Qualifications

Certifications:

Professional certifications preferred: CISA, CRISC, CIPP, CIPM, or equivalent.
PCI ISA, QSA, or other PCI-related certifications a plus.

Additional Experience:

Experience with GRC platform implementation and administration.
Background in regulatory consulting or internal/external audit.
Experience leading enterprise-wide compliance transformation initiatives.
Proficiency in compliance automation, scripting, or security tooling.
Familiarity with AI/ML-assisted compliance or security monitoring tools.

Pay Range Details

The pay range(s) below has been provided in compliance with state specific laws. Pay ranges may be different for other locations. Pay offers are dependent on the location, as well as job-related knowledge, skills, and experience.

$142,000.00 - $220,500.00 Annual

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

Medical/Vision, Dental, Retirement and Paid Time Away
Life Insurance and Disability
Merchandise Discount and EAP Resources

This position may be eligible for performance-based incentives/bonuses. Benefits include 401k, medical/vision/dental/life/disability insurance options, PTO accruals, Holidays, and more. Eligibility requirements may apply based on location, job level, classification, and length of employment. Learn more in the Nordstrom Benefits Overview by copying and pasting the following URL into your browser: https://careers.nordstrom.com/pdfs/Ben_Overview_17-19.pdf

A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

For Los Angeles or San Francisco applicants: Nordstrom is required to inform you that we conduct background checks after conditional offer and consider qualified applicants with criminal histories in a manner consistent with legal requirements per Los Angeles, Cal. Muni. Code 189.04 and the San Francisco Fair Chance Ordinance. For additional state and location specific notices, please refer to the Legal Notices document within the FAQ section of the Nordstrom Careers site.

Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com.

Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQ’s for relevant information and guidelines.

Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.

Nordstrom keeps job postings open for at least one day after the posting date.

Job Description

A Day in the Life…

Continuous Compliance Framework (CCF) Transformation

Lead the transformation and ongoing maturation of the CCF, including updating and tailoring controls to reflect the current organizational environment, risk profile, and regulatory landscape.
Configure and manage the CCF program module within Nordstrom’s GRC tool, ensuring accurate representation of controls, testing schedules, evidence requirements, and ownership assignments.
Collaborate with stakeholders across business and technology teams to define control language, testing frequency, and implementation guidance that is practical and aligned with operational realities.
Document RACI models for all controls within the CCF, establishing clear ownership and accountability across teams.
Design and implement KPIs and KRIs for the CCF and broader compliance program, enabling data-driven reporting on compliance health and risk exposure

GRC Program Integration

Work closely with the Governance and Risk teams to ensure the CCF, risk management program, and governance program are integrated, with aligned control sets, shared evidence, and coordinated reporting.
Identify opportunities to harmonize compliance controls with risk appetite and governance structures, reducing duplication and improving program efficiency.
Participate in cross-GRC planning sessions to align timelines, control mappings, and stakeholder engagement strategies across all three programs.
Support the development and communication of a unified GRC narrative for leadership, translating program health across risk, governance, and compliance into cohesive insights.

Compliance Assessment & Methodology

Partner with Security Engineers to design AI-driven testing and automated evidence collection features within the GRC tool; the Senior Analyst provides functional requirements while Engineers lead technical builds.
Serve as a subject matter partner to the PCI program owner to ensure CCF controls satisfy PCI DSS requirements and support the annual PCI assessment process.
Design and implement enterprise compliance assessment methodologies that integrate multiple regulatory domains (e.g., NIST, CIS, SOX, HIPAA, CCPA).
Develop operational standards and quality criteria for compliance processes, ensuring consistency and effectiveness across the organization.
Serve as a subject matter resource for control testing approaches, evidence collection, and documentation quality

Stakeholder Engagement

Engage cross-functional stakeholders to gather input on control design, testing feasibility, and ownership, building lasting partnerships that embed compliance into the technology ecosystem.
Lead workshops and working sessions with stakeholders to define control requirements, discuss testing approaches, and align on program direction.
Serve as a liaison with internal and external auditors as needed, representing the organization’s compliance posture and program maturity.

Strategic Alignment & Program Leadership

Align CCF activities with strategic business and security objectives by participating in medium-term planning (6–18 months) and ensuring compliance initiatives support organizational goals.
Contribute to the strategic vision and roadmap for the Compliance Assessment team, developing reusable, scalable solutions that enhance program efficiency and support organizational growth.
Coordinate cross-functional compliance initiatives to ensure comprehensive regulatory coverage and consistent execution.

You Own This If You Have…

Required Qualifications

Experience:

4–6 years of regulatory compliance experience with demonstrated ownership of cross-functional compliance initiatives.
Direct experience building and managing Continuous Compliance Framework (CCF) or Common Control Framework programs.
Hands-on experience configuring compliance programs within GRC tools and platforms.
Experience working with stakeholders to define control language, RACI, and testing cadence.
Demonstrated experience developing KPIs and KRIs for compliance programs.
Familiarity with PCI DSS sufficient to support assessments and control testing activities.
Experience partnering with engineering or security teams to implement automated or AI-assisted control testing.
Proven ability to align compliance operations with strategic business objectives.

Education:

Bachelor’s or Master’s degree in Information Technology, Computer Science, Cybersecurity, or related field, or equivalent work experience.

Technical Knowledge:

Deep knowledge about multiple regulatory frameworks (CIS, NIST, SOX, HIPAA, CCPA, PCI DSS v4.x) and their control implications.
Experience testing technical controls and documenting evidence to support audits.
Understanding of enterprise compliance architecture and integrated control frameworks.
Familiarity with GRC tool configuration and workflow design.
Knowledge of AI/automation tools applicable to compliance testing and evidence collection.

Skills:

Strong control framework design and documentation capabilities.
Excellent stakeholder engagement and facilitation skills; able to drive consensus across technical and non-technical audiences.
Ability to develop and communicate KPIs/KRIs and compliance metrics to leadership.
Strong written and verbal communication skills, including experience presenting to senior leadership.
Self-directed and results-oriented; able to operate with autonomy, manage competing priorities, and drive programs to completion.
Collaborative mindset with the ability to work effectively across the GRC triad (risk, governance, compliance).

Preferred Qualifications

Certifications:

Professional certifications preferred: CISA, CRISC, CIPP, CIPM, or equivalent.
PCI ISA, QSA, or other PCI-related certifications a plus.

Additional Experience:

Experience with GRC platform implementation and administration.
Background in regulatory consulting or internal/external audit.
Experience leading enterprise-wide compliance transformation initiatives.
Proficiency in compliance automation, scripting, or security tooling.
Familiarity with AI/ML-assisted compliance or security monitoring tools.

Pay Range Details

$142,000.00 - $220,500.00 Annual

We’ve got you covered…

Our employees are our most important asset and that’s reflected in our benefits. Nordstrom is proud to offer a variety of benefits to support employees and their families, including:

Medical/Vision, Dental, Retirement and Paid Time Away
Life Insurance and Disability
Merchandise Discount and EAP Resources

A few more important points...

The job posting highlights the most critical responsibilities and requirements of the job. It’s not all-inclusive. There may be additional duties, responsibilities and qualifications for this job.

Applicants with disabilities who require assistance or accommodation should contact the nearest Nordstrom location, which can be identified at www.nordstrom.com.

Please be mindful that there may be legal notices and requirements related to this job posting that are specific to your state. Review the Career Site FAQ’s for relevant information and guidelines.

Current Nordstrom employees: To apply, log into Workday, click the Careers button and then click Find Jobs.

Nordstrom keeps job postings open for at least one day after the posting date.

Senior Compliance Analyst – Continuous Compliance Framework (hybrid - Seattle)

What you'd actually do

Skills

Required

What the JD emphasized

Job Description

A Day in the Life…

Continuous Compliance Framework (CCF) Transformation

GRC Program Integration

Compliance Assessment & Methodology

Stakeholder Engagement

Strategic Alignment & Program Leadership

You Own This If You Have…

Required Qualifications

Preferred Qualifications

Job Description

A Day in the Life…

Continuous Compliance Framework (CCF) Transformation

GRC Program Integration

Compliance Assessment & Methodology

Stakeholder Engagement

Strategic Alignment & Program Leadership

You Own This If You Have…

Required Qualifications

Preferred Qualifications