Principal Analyst, Control Testing, Certification and Assurance in Harrogate

Our Purpose Mastercard powers economies and empowers people in 200+ countries and territories worldwide. Together with our customers, we’re helping build a sustainable economy where everyone can prosper. We support a wide range of digital payments choices, making transactions secure, simple, smart and accessible. Our technology and innovation, partnerships and networks combine to deliver a unique set of products and services that help people, businesses and governments realize their greatest potential.

The newly created 1st Line Control Office function within Vocalink Limited (VLL) is seeking a Principal Analyst (Director-level equivalent) to join the Control Testing, Certification and Assurance team. This senior technical role is for an experienced technical subject matter expert who will be responsible for leading and managing Certifications, Certification Audits, and other Assurance activities including conducting control testing to drive the retention of VLL’s certifications across multiple frameworks and the delivery of assurance obligations to its customers and Regulators. This position requires a deep and broad understanding of security and technology control frameworks, with hands-on experience across standards such as ISO 27001, ISO 22301, PCI DSS, PCI PIN, SWIFT CSP, ISAE 3000, etc. The successful candidate must have proven expertise in analysing and assessing control design, implementation and operating effectiveness against these standards, ensuring compliance and identifying gaps. The role also involves end-to-end management of external audits, requiring strong coordination skills and experience in audit readiness and stakeholder engagement.

The role has a significant emphasis on PCI DSS, so the successful candidate must have extensive experience in understanding and testing against PCI DSS requirements, and managing all aspects of the PCI DSS external audit process.

• Lead and manage external audits for technical standards, e.g. PCI DSS and PCI PIN.
• Support the Vice President and Director of Certification and Assurance in the development and maintenance of the annual Control Testing, Certification and Assurance plan.
• Support and deputise for the Director of Certification and Assurance in the discharge of their responsibilities, as required.
• Provide strategic input into the evolution and continuous improvement of Certification and Assurance team processes and procedures.
• Maintain certification related documentation.
• Prepare and lead the organisation for annual certification audits.
• Lead the assessment and validation of controls and processes against a variety of security standards and obligations.
• Lead the team on the management of certifications (e.g., ISO27001, PCI DSS) and assurance activities (e.g., ISAE3000).
• Conduct periodic testing of key and non-key controls in line with the Control Testing Methodology.
• Evaluate compliance with internal policies, standards, regulatory requirements, and customer obligations.
• Prepare and review control testing documentation, including test procedures, results, and identified gaps.
• Ensure timely escalation of control deficiencies and support remediation tracking.
• Create and quality assure reports and team outputs.

• Supervise and mentor junior team members (Senior Analysts and Managers), providing guidance on certification requirements, assurance requirements, testing execution and quality assurance.
• Support the team Director in delivering the Certification and Assurance plan.
• Maintain close working relationships with Control and Process Owners and Operators to operate certificate maintenance and assurance activities efficiently and effectively.
• Contribute to reporting for governance forums, including dashboards, thematic reviews, and trend analysis.

• Support the development and refinement of certification management, Assurance activities and control testing processes, standards, tools, and methodologies.
• Contribute to the maturity of the 3 Lines of Defence model and promote a culture of proactive risk management.
• Stay informed on emerging risks, regulatory changes, certification changes and industry best practices with a focus on cybersecurity risks.

Strong understanding and experience of working with control frameworks and standards (e.g. ISO27001, NIST, CRI, or PCI DSS). Strong understanding and experience of conducting security related audits/reviews and managing/coordinating external audits including certification audits. Experience of resolving varied and complex certification and assurance issues. Knowledge and experience of all areas of security and IT general controls across a variety of platforms and environments. Proven experience in control testing or assurance within security in a regulated environment. Strong investigative and analytical experience (e.g. enquiry, scanning, analysis, interviewing, testing), problem-solving, and decision-making skills. Experience collaborating cross-functionally to identify and implement good practice security audit management and assurance processes. Ability to assess control design and operating effectiveness in complex environments and to identify control gaps and improvement opportunities. Excellent communication and stakeholder engagement skills. Experience of managing and coaching junior team members. Strong organisational skills with the ability to prioritise and manage multiple tasks.

Certifications such as ISO27001, CISA, CISM, CISSP, PCI SSC ISA, CRISC, or equivalent is desirable.

Bachelor’s degree in Computer Science, Cyber Security, Information Technology, or a related field. Experience engaging with senior leadership at the Executive level and above. Proficiency in data analytics and Microsoft Office Suite (MS Word, MS Excel, MS Access and MS PowerPoint). Self-starter with a continuous improvement mindset and a collaborative approach. Experience creating presentations for business discussions and reporting. Experience of Risk Management / GRC related technologies and toolsets. Experience working in cross-functional large projects with dispersed teams.

All activities involving access to Mastercard assets, information, and networks comes with an inherent risk to the organization and, therefore, it is expected that every person working for, or on behalf of, Mastercard is responsible for information security and must: Abide by Mastercard’s security policies and practices; Ensure the confidentiality and integrity of the information being accessed; Report any suspected information security violation or breach, and Complete all periodic mandatory security trainings in accordance with Mastercard’s guidelines.