Senior InfoSec Risk Analyst

Senior Information Security Risk Analyst

As part of Trainline's Information Security (InfoSec) team, reporting to the GRC Manager, the Senior Information Security Risk Analyst will mature and maintain our risk management practices across the entire organization, including the growing landscape of AI risk. The role sits at the intersection of technology, business operations, and assurance, ensuring that security risks from traditional cyber threats and AI‑specific risks are understood, effectively managed, and aligned with our business risk appetite.

Responsibilities

• Lead the identification, documentation, and tracking of security and cyber risks across all functions and departments.
• Maintain the Information Security Risk Framework and Register in line with enterprise risk methodology, supporting delivery of centralized risk reporting via the CISO/GRC Dashboard.
• Facilitate risk workshops, control self‑assessments (CSAs), and policy reviews with business units.
• Track risk remediation efforts and elevate critical project, operational and supplier risks to appropriate forums.
• Collaborate with engineering, legal, privacy and product teams to assess and document risk impacts.
• Support the development and implementation of the AI Readiness and Governance framework, including conducting AI risk assessments for new and existing AI use cases, applying the risk classification model, and maintaining the AI use case register. This includes evaluating risks around data quality, model bias, transparency, third‑party AI dependencies, and regulatory compliance.
• Conduct structured AI risk assessments across the business, working with product, data science, and engineering teams to evaluate AI use cases against the risk classification model, assess control adequacy, and ensure high‑risk use cases have approved controls before production release.
• Support the implementation and ongoing maintenance of the unified internal control framework, mapping controls across ISO 27001, ISO 22301, Cyber Essentials, and PCI DSS.
• Leverage AI tools and techniques to streamline repetitive GRC tasks such as policy gap analysis, control mapping, vendor questionnaire processing, and risk reporting.
• Provide risk advisory for new product launches, technology and AI adoptions, and vendor integrations ensuring Security by Design and informed risk decision making.
• Support internal education and awareness around security risk and governance.

Qualifications

• Proven experience in Information Security or Cyber Risk, with direct experience in a cloud‑first, tech‑driven environment.
• Experience conducting AI risk assessments, including evaluating risks related to data privacy, model bias, hallucination, third‑party AI tooling, and regulatory compliance.
• Familiarity with AI governance frameworks such as ISO 42001, the EU AI Act risk classification approach, or NIST AI RMF.
• Experience with common infosec standards/frameworks particularly ISO 27001, ISO 22301, and PCI DSS.
• Experience with Cyber Essentials and NIS 2 is a strong advantage.
• Clear communicator able to translate technical risks for non‑technical audiences.
• Hands‑on experience with GRC platforms and tooling (e.g. ServiceNow GRC, Archer, LogicGate, Vanta, or similar) including configuration, workflow design, and reporting.
• Experience working with internal audit, privacy, legal and other cross‑functional business stakeholders.
• Strong verbal and written communication skills, with the ability to influence at all levels.
• Comfortable navigating ambiguity, competing priorities, and organizational scale‑up challenges.

Nice to Have

• Experience assessing large language model (LLM) deployments, AI‑as‑a‑service integrations, or machine learning pipelines from a security and governance perspective.
• Experience building automated compliance evidence pipelines or continuous control monitoring.
• Demonstrable experience automating GRC processes whether through scripting, no‑code/low‑code platforms, API integrations, or GRC‑specific tooling.
• Active and proficient use of AI tools (e.g. LLMs, AI assistants, AI‑powered search) to accelerate day‑to‑day work.
• Background in security engineering, DevSecOps, or technical GRC implementation alongside traditional risk management.
• Experience with data analytics or BI tools (e.g. Power BI, Tableau) for risk and compliance reporting.
• Contributions to GRC community knowledge (blog posts, conference talks, open‑source tools).

Benefits

Private healthcare and dental insurance, a generous work‑from‑abroad policy, 2‑for‑1 share purchase plans, an EV scheme to further reduce carbon emissions, extra festive time off, and excellent family‑friendly benefits.

Career growth with clear career paths, transparent pay bands, personal learning budgets, and regular learning days.

Hybrid work model: office minimum 60% of time over a 12‑week period, 28‑day work‑from‑abroad policy.

Diversity and Inclusion

We know that having a diverse team makes us better and helps us succeed. And we mean all forms of diversity – gender, ethnicity, sexuality, disability, nationality and diversity of thought. That’s why we’re committed to creating inclusive places to work, where everyone belongs and differences are valued and celebrated.

#J-18808-Ljbffr