Information Security Analyst II – GRC
As an Information Security Analyst II within the GRC team, you will take ownership of Checkout.com’s governance, risk and compliance programmes. This role will drive workstreams, lead compliance activities, and act as a trusted point of contact for internal teams and external assessors.
Responsibilities
- Own and manage defined workstreams within Checkout’s GRC programme, including PCI DSS v4.0.1, ISO 27001, SOC 2, and relevant regulatory obligations across our global licensed entities.
- Coordinate control evidence collection activities across internal teams to ensure continuous audit readiness.
- Maintain and improve GRC documentation – policies, standards, procedures, and control matrices – keeping them current and proportionate to Checkout’s evolving risk profile.
- Perform gap analyses against new or evolving requirements such as DORA and the EU AI Act, and translate findings into prioritised remediation plans.
- Support monitoring of the risk register, track remediation activity against agreed timelines, and escalate issues where commitments are at risk.
- Conduct third‑party risk assessments, evaluating supplier security controls and compliance posture in line with Checkout’s TPRM framework.
- Act as a key liaison between internal teams and external auditors, QSAs, and assessors across PCI DSS, ISO 27001, IT General Controls (ITGCs) and SOC 2 certification cycles.
- Prepare and deliver evidence packages, coordinate walkthroughs, and manage audit findings through to closure.
- Support end‑to‑end response for merchant assurance questionnaires and due diligence inquiries, ensuring all technical and regulatory queries are addressed with accuracy and within agreed SLAs.
- Support quarterly and annual compliance activities including vulnerability scanning, penetration testing coordination, access reviews, and firewall configuration reviews.
- Apply working knowledge of PCI DSS v4.0.1, ISO 27001/27002, SOC 2, DORA, NIST CSF, and other applicable frameworks to day‑to‑day GRC work.
- Support the response to regulatory change across Checkout’s operating markets, including FCA/PRA requirements and payment scheme obligations, flagging gaps and supporting impact assessments.
- Proactively identify inefficiencies in GRC processes and propose practical improvements, including automation where viable.
- Contribute to the development and refinement of GRC tooling, dashboards, and reporting to improve visibility of risk and compliance posture across the business.
- Work closely with Engineering, Product, Legal, Procurement, and Finance to embed security and compliance requirements into processes, systems, and projects.
- Respond to PCI DSS, ISO 27001, and broader security‑related due diligence requests from merchants, partners, and regulators.
- Provide guidance and day‑to‑day support to junior analysts (L1 and L2), contributing to their development through knowledge sharing and review.
- Promote a security‑first culture across Checkout through proactive engagement, awareness sessions, and accessible guidance for non‑security teams.
What We’re Looking For
Experience
- 2 to 4 years of experience in GRC, information security compliance, IT audit, or a closely related function, ideally within payments, financial services, or fintech.
- Practical working knowledge of PCI DSS (v4.0.1 preferred), ISO 27001, and SOC 2. Familiarity with DORA, NIST CSF, or the EU AI Act is a plus.
- Experience supporting or directly managing external audits and assessments, including evidence collation and assessor liaison.
- Demonstrated ability to own a programme workstream independently, from planning through to delivery.
- Well‑versed in risk management processes, including risk identification, third‑party risk management, and merchant due diligence.
Skills and Approach
- Clear written and verbal communication. Able to translate a compliance requirement or risk finding for technical teams and business stakeholders with equal clarity.
- Analytical and process‑oriented mindset, looking for root causes rather than point‑in‑time fixes.
- Comfortable operating with ambiguity, prioritising and structuring work without every requirement being fully defined upfront.
- Methodical and well‑organised, with strong attention to detail and a consistent track record of delivering on commitments.
- Collaborative and pragmatic, understanding that security and compliance must work with the business, not against it.
Preferred
- CISA, CISM, PCIP, ISO 27001 Lead Implementer or Auditor, or equivalent certification.
- Familiarity with cloud environments (AWS, Azure, GCP) in a GRC or compliance context.
- Experience with GRC tooling, risk platforms, or compliance automation.
- Exposure to AI governance frameworks such as ISO 42001, EU AI Act, or NIST AI RMF.
Hybrid Working Model
All of our offices globally are onsite three times per week (Tuesday, Wednesday, and Thursday). During your days at the office, you will work collaboratively in the same space while also having the flexibility to partner with colleagues worldwide.
