Information Security Analyst II – Governance, Risk & Compliance (GRC)
As an Information Security Analyst II within the GRC team, you will take meaningful ownership of Checkout.com's governance, risk and compliance programmes. This is a role for someone who has moved beyond task execution and is ready to drive workstreams, lead compliance activities, and act as a trusted point of contact for internal teams and external assessors.
How You'll Make An Impact
Governance, Risk and Compliance Programme Management
- Own and manage defined workstreams within Checkout's GRC programme, including PCI DSS v4.0.1, ISO 27001, SOC 2, and relevant regulatory obligations across our global licensed entities.
- Coordinate control evidence collection activities across internal teams, ensuring continuous audit readiness rather than point‑in‑time preparation.
- Maintain and improve GRC documentation including policies, standards, procedures, and control matrices, ensuring they stay current and proportionate to Checkout's evolving risk profile.
- Perform gap analyses against new or evolving requirements including DORA and the EU AI Act, translating findings into prioritised remediation plans.
- Support monitoring of the risk register, track remediation activity against agreed timelines, and elevate issues where commitments are at risk.
- Conduct third‑party risk assessments, evaluating supplier security controls and compliance posture in line with Checkout's TPRM framework.
Audit and Assessment Support
- Act as a key liaison between internal teams and external auditors, QSAs, and assessors across PCI DSS, ISO 27001, IT General Controls (ITGCs) and SOC 2 certification cycles.
- Prepare and deliver evidence packages, coordinate walkthroughs, and manage audit findings through to closure.
- Support the end‑to‑end response process for merchant assurance questionnaires and due diligence inquiries, ensuring all technical and regulatory queries are addressed accurately and within agreed SLAs.
- Support quarterly and annual compliance activities including vulnerability scanning, penetration testing coordination, access reviews, and firewall configuration reviews.
Policy, Controls and Regulatory Coverage
- Apply working knowledge of PCI DSS v4.0.1, ISO 27001/27002, SOC 2, DORA, NIST CSF, and other applicable frameworks to day‑to‑day GRC work.
- Support the response to regulatory change across Checkout's operating markets, including FCA/PRA requirements and payment scheme obligations, flagging gaps and supporting impact assessments.
- Proactively identify inefficiencies in GRC processes and propose practical improvements, including automation where viable.
- Contribute to the development and refinement of GRC tooling, dashboards, and reporting to improve visibility of risk and compliance posture across the business.
Stakeholder Engagement and Mentoring
- Work closely with Engineering, Product, Legal, Procurement, and Finance to embed security and compliance requirements into processes, systems, and projects.
- Respond to PCI DSS, ISO 27001, and broader security‑related due diligence requests from merchants, partners, and regulators.
- Provide guidance and day‑to‑day support to junior analysts (L1 and L2), contributing to their development through knowledge sharing and review.
- Promote a security‑first culture across Checkout through proactive engagement, awareness sessions, and accessible guidance for non‑security teams.
What We're Looking For
Experience
- 2 to 4 years of experience in GRC, information security compliance, IT audit, or a closely related function, ideally within payments, financial services, or fintech.
- Practical working knowledge of PCI DSS (v4.0.1 preferred), ISO 27001, and SOC 2. Familiarity with DORA, NIST CSF, or the EU AI Act is a plus.
- Experience supporting or directly managing external audits and assessments, including evidence collation and assessor liaison.
- Demonstrated ability to own a programme workstream independently, from planning through to delivery.
- Well‑versed in risk management processes including risk identification, third‑party risk management and merchant due diligence.
Skills And Approach
- Clear written and verbal communication. You can translate a compliance requirement or risk finding for a technical team and a business stakeholder with equal clarity.
- Analytical and process‑oriented mindset. You look for root causes, not just point‑in‑time fixes.
- Comfortable operating with ambiguity. You can prioritise and structure your work without every requirement being fully defined upfront.
- Methodical and well‑organised, with strong attention to detail and a consistent track record of delivering on commitments.
- Collaborative and pragmatic. You understand that security and compliance must work with the business, not against it.
Preferred
- CISA, CISM, PCIP, ISO 27001 Lead Implementer or Auditor, or equivalent certification.
- Familiarity with cloud environments (AWS, Azure, GCP) in a GRC or compliance context.
- Experience with GRC tooling, risk platforms, or compliance automation.
- Exposure to AI governance frameworks such as ISO 42001, EU AI Act, or NIST AI RMF.
Hybrid Working Model
All of our offices globally are onsite three times per week (Tuesday, Wednesday, and Thursday). We offer snack, breakfast, and lunch options in all of our locations during those days.