Compliance & Information Security Analyst in Manchester

Join beqom - where tech meets impact. beqom is a high-growth B2B SaaS company that provides industry-leading tools for pay equity and transparency, compensation, and performance management. Trusted by some of the world’s most respected companies, beqom enables HR and business leaders to navigate global compliance and make smarter pay decisions that attract, retain, and motivate top talent. Founded in Switzerland and serving clients worldwide, our powerful, enterprise‑ready products are fueled by beqom pay intelligence.

We are seeking an experienced Compliance & Information Security Analyst to own and manage our compliance and third‑party risk management (TPRM) function. This is a hands‑on role that sits at the intersection of information security, legal/contractual review, and vendor risk management. Truly critical to client trust, support sales cycles, and ensure the company meets its obligations as a responsible data processor and technology provider, the candidate will be the primary point of contact for inbound client governance, risk & compliance (GRC) requests, manage our own vendor and sub‑contractor due diligence programme, and review information security obligations embedded in client and prospect contracts.

What you’ll be doing:

• Client GRC Questionnaires & Third‑Party Risk Management (TPRM): Receive, triage, and complete inbound GRC / security questionnaires submitted by existing and prospective clients as part of their vendor assessment and TPRM processes. Develop and maintain a master response library to accelerate questionnaire completion, covering areas such as data security, access controls, business continuity, incident response, and privacy. Coordinate with internal stakeholders (Engineering, Product, Operations, Legal) to gather accurate, up‑to‑date technical evidence and supporting documentation. Track questionnaire status, deadlines, and outcomes; maintain a central log and escape blockers in a timely manner. Build relationships with client procurement, risk, and security contacts to manage ongoing TPRM obligations efficiently.
• Evidence‑Based GRC Questionnaires: Manage questionnaires that require formal documentary evidence — such as policies, audit reports (e.g. SOC 2, ISO 27001), penetration test summaries, data processing agreements, and certifications. Maintain a structured evidence repository, ensuring documents are current, version‑controlled, and accessible for rapid submission. Identify gaps between client evidence requirements and the company’s current documentation; work with the Head of Information Security and Compliance or relevant leads to close those gaps.
• Information Security Review of MSAs & Client Contracts: Review information security, data protection, and compliance clauses within Master Service Agreements (MSAs) and other commercial contracts from clients and prospects. Identify obligations and requirements (e.g. audit rights, subprocessor notifications, breach notification timescales, data residency, encryption standards) and assess the company’s ability to comply. Liaise with Legal counsel and the Head of Information Security and Compliance to flag materially onerous or non‑standard terms; assist in drafting redlines and proposed alternative language where appropriate. Maintain a tracker of contractual information security obligations to ensure ongoing compliance post‑signature.
• Vendor & Sub‑Contractor TPRM: Design and operate a structured TPRM programme for the company’s own vendors and sub‑contractors who process client data or have access to company systems. Conduct initial and periodic risk assessments of vendors, including completion of security questionnaires, review of their compliance certifications, and assessment of contractual controls. Categorise vendors by risk tier and ensure appropriate due diligence applied proportionate to the nature and sensitivity of the relationship. Maintain a vendor risk register, tracking assessment outcomes, remediation actions, and review schedules. Report on vendor risk posture to relevant internal stakeholders on a regular cadence.

Skills & Experience:

• Proven experience in a compliance, information security, GRC, or vendor risk management role, ideally within a SaaS, technology, or regulated industry context.
• Demonstrable experience completing complex security and GRC questionnaires (e.g. SIG, CAIQ, bespoke client questionnaires) and compiling supporting evidence packs.
• Familiarity with common information security frameworks and standards: ISO/IEC 27001, SOC 2, NIST CSF, CIS Controls, GDPR / data protection legislation.
• Experience reviewing and interpreting information security provisions in commercial contracts (MSAs, DPAs, SaaS agreements).
• Strong organisational skills — able to manage multiple concurrent questionnaires and workstreams, prioritise effectively, and meet deadlines.
• Excellent written and verbal communication skills, with the ability to translate technical security concepts for non‑technical audiences (legal, sales, procurement).
• Proficiency in maintaining documentation, trackers, and evidence repositories; high attention to detail and accuracy.

Bonus points if you have:

• Relevant certification such as CISA, CRISC, CISSP, ISO 27001 Lead Implementer/Auditor, CIPP/E, or equivalent.
• Experience working with or within enterprise clients in regulated sectors such as financial services, healthcare, or energy.
• Familiarity with data residency requirements and cross‑border data transfer mechanisms (SCCs, BCRs).
• Experience using GRC platforms or questionnaire automation tools (e.g. OneTrust, Vanta, SecurityScorecard).
• Understanding of SaaS product architectures and cloud environments (AWS, Azure) from a security and compliance perspective.
• Experience managing sub‑processor registers and responding to data subject rights requests.

Why join us?

• Your career, your design. Unleash your ambition in our dynamic, autonomous environment.
• Drive meaningful change. Build a fairer future for every employee by joining a market leader that is improving the world of work.
• Belong to something bigger. Collaborate with a passionate, diverse and talented team around the globe.