Information Security Analyst II

The Role

As an Information Security Analyst II at Checkout.com, you will work across the full breadth of the information security function, spanning Governance, Risk and Compliance (GRC), AI Governance, Application Security (AppSec), Technology Risk, and Data Governance. This is a role for someone who has built solid foundational expertise and is ready to take independent ownership of security initiatives across multiple domains. Security at Checkout operates at scale and at pace. We are a global payments business, regulated across multiple jurisdictions, building infrastructure that processes billions of transactions. Our security function needs analysts who can think across domains, communicate with engineers and executives alike, and contribute to a security programme that is genuinely embedded in how the business operates.

At L3 you will manage security programmes, lead assessments, drive policy improvements, and mentor junior colleagues. Your primary focus is independent execution with growing influence. You know your domains well enough to spot gaps, propose solutions, and take them through to completion.

Governance, Risk and Compliance

• Support workstreams within Checkout's GRC programme, including ISO 27001, SOC 2, and relevant regulatory obligations across our global licensed entities.
• Coordinate control evidence collection activities across internal teams, ensuring continuous audit readiness rather than point‑in‑time preparation.
• Maintain and improve GRC documentation including policies, standards, procedures, and control matrices, ensuring they stay current and proportionate to Checkout's evolving risk profile.
• Monitor the risk register, track remediation activity against agreed timelines, and elevate issues where commitments are at risk.
• Conduct third‑party risk assessments, evaluating supplier security controls and compliance posture in line with Checkout's TPRM framework.
• Track regulatory change across Checkout's operating markets including DORA, FCA/PRA requirements, and payment scheme obligations, flagging gaps and supporting impact assessments.

AI Governance

• Support the development and operationalisation of Checkout's AI governance framework, aligned to ISO 42001, the EU AI Act, and NIST AI RMF.
• Conduct AI risk assessments for internal AI and ML systems and third‑party AI tools, evaluating bias, transparency, data lineage, and control adequacy.
• Maintain an inventory of AI use cases and associated risk classifications, working with product and engineering teams to embed governance requirements at the point‑of‑design.
• Monitor the evolving regulatory landscape for AI in financial services and contribute to policy and control development that keeps Checkout ahead of emerging obligations.
• Support Checkout's AI Security programme including threat modelling for agentic and LLM‑based systems, and controls mapping against the OWASP LLM Top 10 and related frameworks.

Technology Risk

• Conduct technology risk assessments across infrastructure, cloud environments, and third‑party systems, producing clear outputs with actionable treatment recommendations.
• Support third‑party risk management activities, evaluating supplier security controls and compliance posture in line with Checkout's vendor risk framework.
• Contribute to control assurance activities including vulnerability scanning coordination, firewall and configuration reviews, and access control assessments.
• Monitor Checkout's technology risk landscape, identifying emerging threats and translating them into actionable risk items for the register and leadership reporting.
• Support DORA‑related ICT risk management obligations, contributing to resilience testing coordination and critical third‑party risk assessments.

Data Governance

• Support Checkout's data governance programme, including data classification, data flow mapping, and enforcement of data handling standards across the business.
• Contribute to data loss prevention (DLP) controls and tooling, working with engineering and product teams to ensure sensitive data is protected throughout its lifecycle.
• Assist in maintaining records of processing activities (RoPA) and supporting data protection impact assessments (DPIAs) for new systems and processing activities.
• Work with the privacy and legal functions to ensure data governance controls meet GDPR, UK GDPR, and applicable regional data protection requirements.
• Promote data governance awareness and good data handling practices across the business, contributing to training and guidance materials for non‑technical teams.

Cross‑domain Collaboration and Mentoring

• Work closely with Engineering, Product, Legal, Procurement, Finance, and Compliance teams to embed security requirements into processes, systems, and projects across all five domains.
• Respond to security due diligence requests from merchants, partners, and regulators, drawing on multi‑domain expertise to provide accurate and comprehensive responses.
• Provide guidance and day‑to‑day support to junior analysts (L1 and L2), contributing to their development through knowledge sharing and review.
• Contribute to the continuous improvement of Checkout's security processes, identifying inefficiencies and proposing practical solutions including automation where viable.

What We're Looking For

Experience

• 2 to 4 years of experience in information security, IT audit, or a closely related function, ideally within payments, financial services, or fintech.
• Demonstrated working knowledge across more than one of the following domains: GRC, AI governance, AppSec, technology risk, or data governance.
• Depth in one or two with credible breadth across the others is the target profile.
• Practical experience with one or more major compliance frameworks: PCI DSS (v4.0.1 preferred), ISO 27001, SOC 2, DORA, NIST CSF, or equivalent.
• Experience supporting or managing external audits, assessments, or regulatory engagements including evidence collation and assessor liaison.
• Demonstrated ability to own a workstream independently, from scoping through to delivery, without requiring constant direction.

Skills and Approach

• Strong analytical and process‑oriented mindset. You look for root causes and systemic fixes, not just point‑in‑time remediation.
• Clear written and verbal communication. You can translate security concepts for technical teams and business stakeholders with equal clarity.
• Comfortable operating with ambiguity across a complex domain landscape. You can prioritise without perfect information.
• Collaborative and pragmatic. You understand that security must work with the business and that influence matters as much as expertise.
• Methodical and well‑organised, with a track record of delivering on commitments across concurrent workstreams.

Preferred

• Relevant certification in one or more domains: CISA, CISM, CISSP, PCIP, ISO 27001 Lead Implementer or Auditor, Certified AppSec Practitioner (CAP), or equivalent.
• Familiarity with cloud environments (AWS, Azure, GCP) from a security or compliance perspective.
• Exposure to AI and ML systems from a risk, governance, or security perspective.
• Experience with security or GRC tooling such as Wiz, Qualys, Microsoft Sentinel, ServiceNow GRC, or similar.
• Understanding of agentic AI and LLM security risks including OWASP LLM Top 10, prompt injection, and data exfiltration vectors.

Hybrid Working Model

All of our offices globally are onsite three times per week (Tuesday, Wednesday, and Thursday). We work collaboratively in the same space while also being able to partner with colleagues globally. During your days at the office, we offer great snacks, breakfast, and lunch options in all of our locations. We understand that work is just one part of your life. Our hybrid working model offers flexibility, with three days per week in the office to support collaboration and connection.