At a Glance
- Tasks: Lead Checkout's governance, risk, and compliance programme with autonomy and strategic impact.
- Company: Join a leading fintech company shaping the future of secure payments.
- Benefits: Competitive salary, flexible working options, and opportunities for professional growth.
- Other info: Dynamic team environment focused on innovation and continuous improvement.
- Why this job: Make a real difference in security compliance while mentoring the next generation of analysts.
- Qualifications: 5+ years in GRC or information security, with deep knowledge of PCI DSS and ISO 27001.
The predicted salary is between 70000 - 90000 £ per year.
The Role
As a Senior Information Security Analyst within the GRC team, you will lead the strategic and technical execution of Checkout.com's governance, risk and compliance programme. This is a role for a seasoned GRC professional who brings deep expertise across regulatory compliance, enterprise risk management, and security governance – and who can operate with full autonomy while shaping how the function evolves. You will take ownership of Checkout's most complex and high-stakes compliance programmes – PCI DSS v4.0.1, ISO 27001, SOC 2, DORA, and emerging obligations across our global licensed entities – while providing expert guidance to engineering, product, legal, and compliance teams on the security requirements that underpin our ability to operate and grow in regulated markets worldwide.
At L4, you are a trusted advisor. You do not just manage compliance – you set the direction for it. You define how risk is identified, assessed, and treated. You advise on product and infrastructure decisions from a risk perspective. You mentor and develop junior and mid-level analysts. And you work closely with security leadership to ensure the GRC programme is aligned to the business's strategic objectives and risk appetite. Your influence extends well beyond the GRC team. You help shape the security culture at Checkout, driving a risk-aware mindset across the business through clear communication, pragmatic guidance, and expert leadership.
How You'll Make An Impact
- GRC Programme Leadership
- Lead defined sub-areas of Checkout's GRC programme end-to-end, including PCI DSS v4.0.1, ISO 27001, SOC 2, and regulatory obligations across Europe, MENA, APAC, and the Americas.
- Define how control evidence is collected and maintained, moving the function toward continuous audit readiness and away from point-in-time preparation.
- Own and drive improvements to GRC documentation including policies, standards, procedures, and control matrices – ensuring they reflect Checkout's evolving risk profile and regulatory obligations.
- Lead gap analyses against new and evolving requirements, including DORA ICT risk obligations and the EU AI Act, producing prioritised remediation roadmaps with clear business impact framing.
- Own the risk register for your sub-area, managing risk treatment through to closure and escalating to leadership where risk appetite may be exceeded.
- Define and refine Checkout's third-party risk management approach for high-risk and critical vendors, setting assessment standards and overseeing their consistent application.
- Drive continual improvement of the GRC programme itself – regularly assessing programme maturity, identifying process inefficiencies, and implementing improvements to how risk is identified, assessed, treated, and reported across the business.
- Audit and Assessment Leadership
- Serve as the primary point of contact for external auditors, QSAs, and regulatory assessors across PCI DSS, ISO 27001, SOC 2, and ITGC audit cycles.
- Demonstrated experience implementing ISO management system standards end-to-end, covering initial scoping and gap assessment through control design, policy development, internal audit programme, and certification – ideally across more than one standard.
- Lead end-to-end audit delivery – scoping, evidence preparation, walkthrough facilitation, finding management, and formal closure.
- Own the end-to-end response process for complex merchant assurance and regulatory due diligence requests, ensuring Checkout's compliance posture is presented accurately and persuasively.
- Lead quarterly and annual compliance activities including vulnerability scanning coordination, penetration testing programmes, access reviews, and firewall configuration assurance.
- Policy, Controls and Regulatory Strategy
- Apply expert knowledge of PCI DSS v4.0.1, ISO 27001/27002, SOC 2, DORA, NIST CSF, and related frameworks to drive control design, policy development, and compliance strategy.
- Advise product and engineering teams on compliance requirements at the point of design, embedding regulatory obligations into architecture decisions and development workflows.
- Lead Checkout's regulatory change management activities – monitoring the evolving landscape across financial services, data protection, and AI regulation, assessing business impact, and driving remediation programmes.
- Identify and drive systemic improvements to GRC processes, including automation opportunities that improve programme efficiency and evidence quality.
- Contribute to the design and development of GRC tooling, dashboards, and risk reporting to improve leadership visibility of Checkout's compliance and risk posture.
- Stakeholder Influence and Team Development
- Act as a senior trusted advisor to Engineering, Product, Legal, Finance, Procurement, and Compliance on all GRC matters, communicating risk in business terms that drive informed decisions.
- Represent the GRC function in cross-functional forums, governance committees, and regulatory discussions, influencing decisions that affect Checkout's risk posture.
- Mentor and develop junior and mid-level GRC analysts (L1-L3), raising the capability of the team through structured knowledge sharing, review, and coaching.
- Promote a security-first culture across Checkout through proactive engagement, executive-level reporting, and accessible guidance that empowers non-security teams to make good risk decisions.
What We're Looking For
- Experience
- 5 or more years of experience in GRC, information security compliance, IT audit, or a closely related function, ideally within payments, financial services, or fintech.
- Deep working knowledge of PCI DSS (v4.0.1 required), ISO 27001, and SOC 2.
- Practical experience with DORA, NIST CSF, the EU AI Act, or FCA/PRA obligations is strongly preferred.
- Demonstrated track record of leading external audits and regulatory assessments end-to-end, including managing assessor relationships and driving findings to closure.
- Proven ability to own and deliver complex GRC programme workstreams independently, including gap analyses, risk treatment programmes, and regulatory change initiatives.
- Experience advising engineering and product teams on compliance requirements, with the ability to translate regulatory obligations into practical, proportionate controls.
- Track record of developing and mentoring less experienced colleagues.
- Skills and Approach
- Expert written and verbal communication. You can frame complex regulatory and risk issues for a technical audience, a business stakeholder, and executive leadership – and adapt your style to drive the right outcome in each context.
- Strategic and analytical thinker. You see beyond individual findings and controls to understand systemic risk patterns, root causes, and the broader implications for the business.
- Decisive under ambiguity. You can set direction and make sound judgement calls on prioritisation and risk treatment without waiting for perfect information.
- Highly collaborative and influential. You understand that compliance must be embedded across the business, and you build the relationships and credibility needed to make that happen.
- Pragmatic and outcome-focused. You design controls and processes that are proportionate to risk and workable in practice, not just theoretically sound.
- Preferred
- CISA, CISM, CISSP, PCIP, ISO 27001 Lead Implementer or Lead Auditor, or equivalent advanced certification.
- Familiarity with cloud environments (AWS, Azure, GCP) at an architecture or control level.
- Experience with AI governance frameworks such as ISO 42001, the EU AI Act, or NIST AI RMF.
- Experience designing or implementing GRC tooling, risk platforms, or compliance automation solutions.
- Background in a Big Four advisory, payments scheme, or regulatory environment is advantageous.