Senior Information Security Manager (f/m/d)

Company: Moss
Location: Greater London
Job Description:

We are seeking an Information Security GRC Lead (f/m/d) to own our security governance, risk, and compliance program, ensuring compliance with BaFin-regulated EMI obligations while enabling rapid business growth.

You will report directly to the Director of Information Security. This is a senior individual contributor role with ownership and autonomy; currently no direct reports but potential to grow the function over time.

What You’ll Own

  • Unified control framework – Build and maintain a single, unified control framework mapped to DORA, ISO 27001, SOC 2 Type 2, and GDPR. Each control is defined once with clear ownership, technical implementation details, and evidence sources, mapped across all relevant standards.
  • ICT risk management – Own the ICT risk management framework and register (based on ISO 27005 or equivalent). Identify, assess, track, and report ICT risks and collaborate with the Risk team to integrate ICT risks into the group‑wide enterprise risk framework.
  • GRC automation – Automate evidence collection, control testing, reporting, and policy acknowledgements wherever possible.
  • DORA compliance – Own the DORA compliance program: gap analysis, remediation tracking, and ICT risk management framework.
  • Security incident management – Own security incident classification and regulatory reporting to BaFin (with CISO sign‑off).
  • Business continuity – Own the BCM program, including BCP maintenance, testing and BIA updates.
  • Audit readiness – Coordinate ISO 27001 and SOC 2 Type 2 audits end‑to‑end. Manage evidence collection, auditor relationships and remediation tracking – continuous audit‑readiness, not fire drills.
  • Asset and data classification – Own the classification schema and ensure assets and data are classified and maintained.
  • Security vendor assessments – Perform security due diligence on vendors and third‑party applications.
  • Policy management – Own the security policy lifecycle: drafting, reviews, version control and stakeholder sign‑off.
  • Security awareness – Own and run the security awareness program.

About You

  • You have built or run GRC programs in a fast‑paced, regulated environment – ideally a financial institution or fintech.
  • You have hands‑on experience with ISO 27001, SOC 2 Type 2, and GDPR. Experience with DORA or strong familiarity with its requirements is a plus.
  • You have built or managed unified control frameworks mapped across multiple standards – one source of truth with cross‑mappings.
  • You understand controls at the technical implementation level – how they are implemented, in which systems, and how evidence is collected.
  • You have designed or significantly evolved a risk management framework – based on ISO 27005, NIST or a custom methodology. You understand how ICT risk integrates into enterprise risk management.
  • You have hands‑on experience with GRC platforms (e.g. Vanta, Drata, ServiceNow GRC or similar) – either implementing them or running mature processes on them.
  • You understand BaFin regulatory expectations or similar financial regulators.
  • You have owned or significantly contributed to BCM/BCP programs, including BIA development and testing.
  • You have driven compliance audits end‑to‑end, including SOC 2 Type 2 audit cycles.
  • You understand the 1st, 2nd and 3rd line model and how to work effectively across functions.
  • You have automated GRC processes before – through GRC platforms, scripting or no‑code tools. You view manual compliance work as a problem to be solved.
  • Fluent written and spoken English. German is a strong plus.

What We’re Looking For Beyond Experience

  • Automation‑first – Your instinct is “how do I automate this?” before accepting manual work.
  • Ownership without ego – You own your domain but collaborate cleanly with Legal, Risk and Engineering.
  • Pragmatic, not dogmatic – You know when to follow the framework and when to adapt it to reality.
  • Clear communicator – You can explain a control gap to an auditor, a board member and an engineer differently.
  • Calm under audit pressure – You have been through audits and know how to stay organised when everything is due yesterday.

Our Offer

  • An attractive compensation package, including our company stock option plan.
  • An annual learning budget of 600 €.
  • Access to our mental health and wellbeing offering, including 1‑on‑1 coaching sessions.
  • An Urban Sports Club membership.
  • 20 days of work from abroad.

Benefits apply to full‑time positions; interns and working students receive tailored packages.

Posted: April 17th, 2026