Maintain a year-round evidence calendar, run continuous control monitoring, and coordinate with external auditors
Own inbound security questionnaires, vendor assessments, and RFP responses. Maintain a response library so we can turn these around quickly and consistently, keeping deals and procurement moving
Coordinate risk assessments, partner on security awareness and training programs, and govern vulnerability management processes. With obligations spanning PCI DSS, DORA, NIS2, and the EU AI Act, you'll help us stay ahead of evolving requirements
Maintain policies, manage exceptions, monitor for violations, and drive remediation follow-through. You'll be the single point of accountability for keeping our policy framework current and enforceable
Drive future certification efforts, including ISO 27001, and support the operationalisation of new regulatory frameworks as they come into scope
Requirements
3–5 years in a GRC, compliance, or information security governance role
Hands-on experience coordinating external audits (SOC 2, PCI DSS, ISO 27001, or similar)
Familiarity with EU regulatory frameworks such as GDPR, DORA, NIS2, and the EU AI Act
Experience managing vendor risk assessments and third-party due diligence
Track record of maintaining evidence and controls on a continuous (not just annual) basis
Strong organisational skills
Clear, concise communicator who can work across engineering, legal, and leadership teams
Comfortable working with compliance tooling and GRC platforms (e.g., Vanta, Drata, OneTrust, or similar)
Detail-oriented with a bias for proactive, systematic work over reactive cleanup
Able to operate independently while knowing when to pull in subject-matter experts
Familiarity with IAM processes and access review cycles (Nice to Have)
Relevant certifications (CISA, CRISC, ISO 27001 Lead Implementer, or similar)
Benefits
We are fully remote and globally distributed, and have been since day one
Competitive share options
Uncapped holiday, with 25 days minimum to be taken
Co-working space access
Workations & Company Retreat
The best equipment for your role
£500 towards your home office setup
Generous learning budget
Private Medical Insurance
A broad set of additional perks and benefits (*depending on location)