Fractional Chief Information Security Officer in London

We are seeking an experienced Fractional CISO to provide hands-on security leadership as we evolve our security function to support continued growth and European expansion. This is a permanent fractional engagement reporting directly to the CTO. You will own our information security strategy, maintain our ISO 27001 certification, build our security roadmap, and prepare the organisation for SOC 2 readiness in 2026-2027. This role requires someone who can operate both strategically and tactically — developing policy one day and reviewing cloud configurations the next.

Key Responsibilities

• Strategy & Governance
  • Develop and own the Information Security strategy aligned with ApprovalMax's business objectives and European expansion plans.
  • Maintain and continuously improve the Information Security Management System (ISMS).
  • Create, review, and maintain core security policies, standards, and procedures.
  • Establish and chair a cross-functional Security Working Group (Engineering, Architecture, IT, HR).
  • Build and present a multi-year security roadmap with clear milestones, resource requirements, and priorities.
  • Serve as the central authority on risk assessment, risk treatment, and risk acceptance decisions.
  • Assess and provide guidance on secure AI adoption across the organisation, including AI-powered product features and internal AI tooling.
• Compliance & Certification
  • Maintain ISO 27001 certification and prepare for the 2027 recertification audit.
  • Lead SOC 2 Type II readiness programme (target: 2026-2027), including gap analysis and control mapping.
  • Ensure compliance with GDPR and data protection requirements across EU/UK/US/AU/NZ/CA/ZA jurisdictions.
  • Collaborate with external DPO support provider on privacy-related matters and customer security questionnaires as needed.
• Cloud & Technical Security
  • Provide security oversight across Azure, AWS, and Google Workspace environments.
  • Conduct access reviews and advise on identity and access management best practices.
  • Evaluate and guide implementation of security tooling (SIEM, vulnerability management, endpoint protection).
  • Oversee VMware Workspace ONE MDM deployment and device security policies.
  • Advise engineering teams on secure SDLC practices, DevSecOps integration, and application security principles.
• Operational Security
  • Develop and maintain incident response plans and procedures.
  • Lead incident response tabletop exercises and post-incident reviews.
  • Provide guidance on business continuity and disaster recovery planning.
  • Advise on vendor security assessments and third-party risk management.
• Awareness & Culture
  • Design and deliver company-wide security awareness training programmes.
  • Mentor and upskill internal staff on security best practices.
  • Foster a security-first culture across all departments.
  • Act as a trusted advisor to leadership on emerging threats and security trends.
• Stakeholder Engagement
  • Report regularly to the CTO on security posture, risks, and programme progress.
  • Prepare board-level security presentations as required (infrequent).
  • Support commercial teams by contributing to customer security discussions when escalated.

Qualifications

• 8+ years of progressive experience in information security, with at least 3 years in a CISO, Head of Security, or senior security leadership role.
• Demonstrated experience in B2B SaaS environments, ideally in fintech, finance software, or similarly regulated industries.
• Proven track record of achieving and maintaining ISO 27001 certification.
• Experience preparing organisations for SOC 2 Type II certification.
• Hands-on experience securing cloud environments (Azure and/or AWS required; GCP a plus).
• Experience with Google Workspace security configuration and administration.
• Background working with distributed, remote-first engineering teams.

Technical Knowledge

• Strong understanding of cloud security architecture, identity management, and zero-trust principles.
• Familiarity with secure software development lifecycle (SDLC) and DevSecOps practices.
• Knowledge of MDM solutions (VMware Workspace ONE experience preferred).
• Understanding of API security and integration risk management.
• Practical experience with security tooling: SIEM, vulnerability scanners, endpoint protection, etc.
• Awareness of AI/ML security risks, including secure AI adoption practices and emerging AI governance frameworks (desirable).

Compliance & Regulatory

• Deep knowledge of ISO 27001:2022 requirements and audit processes.
• Familiarity with SOC 2 Trust Service Criteria (Security, Availability, Confidentiality, Privacy).
• Understanding of GDPR, UK Data Protection Act, and international data transfer mechanisms.
• Awareness of regional requirements across EU, UK, US, Australia, New Zealand, Canada, and South Africa.

Additional Information

• Growing international business with 10,000+ subscribers.
• Regular performance-based compensation reviews.
• 26 days paid time off.
• 1 additional day off for your Birthday.
• Remote office assistance.
• Service years recognition financial reward.