
InfoSec Analyst II; GRC Information security

Job in London, Greater London, W1B, England, UK
Listing for: Checkout Ltd
Full Time position
Listed on 2026-06-24
Job specializations:
  • IT/Tech
    Cybersecurity, Information Security, Data Security, IT Business Analyst
Salary/Wage Range or Industry Benchmark: 50000 - 70000 GBP Yearly
Job Description & How to Apply Below
Position: InfoSec Analyst II (GRC) Information security

The Role

As an Information Security Analyst II within the GRC team, you will take meaningful ownership of 's governance, risk, and compliance programmes. This is a role for someone who has moved beyond task execution and is ready to drive work streams, lead compliance activities, and act as a trusted point of contact for internal teams and external assessors.

You will work across Checkout's core compliance frameworks including PCI DSS v4.0.1, ISO 27001, SOC 2, and emerging regulatory obligations such as DORA and the EU AI Act, supporting our global footprint across Europe, MENA, APAC, and the Americas. You will coordinate audit evidence activities, conduct risk assessments, improve GRC processes, and support the development of junior colleagues.

This role sits at the heart of how Checkout manages risk. We don't just audit and report. We own the risk narrative, drive the control environment, and ensure the business can grow with confidence in regulated markets worldwide.

Governance, Risk and Compliance Programme Management
  • Own and manage defined work streams within Checkout's GRC programme, including PCI DSS v4.0.1, ISO 27001, SOC 2, and relevant regulatory obligations across our global licensed entities.
  • Coordinate control evidence collection activities across internal teams, ensuring continuous audit readiness rather than point‑in‑time preparation.
  • Maintain and improve GRC documentation including policies, standards, procedures, and control matrices, ensuring they stay current and proportionate to Checkout's evolving risk profile.
  • Perform gap analyses against new or evolving requirements including DORA and the EU AI Act, translating findings into prioritised remediation plans.
  • Support monitoring of the risk register, track remediation activity against agreed timelines, and elevate issues where commitments are at risk.
  • Conduct third‑party risk assessments, evaluating supplier security controls and compliance posture in line with Checkout's TPRM framework.
Audit and Assessment Support
  • Act as a key liaison between internal teams and external auditors, QSAs, and assessors across PCI DSS, ISO 27001, IT General Controls (ITGCs) and SOC 2 certification cycles.
  • Prepare and deliver evidence packages, coordinate walkthroughs, and manage audit findings through to closure.
  • Support end‑to‑end response process for merchant assurance questionnaires and due diligence inquiries, ensuring all technical and regulatory queries are addressed with accuracy and within agreed SLAs.
  • Support quarterly and annual compliance activities including vulnerability scanning, penetration testing coordination, access reviews, and firewall configuration reviews.
Policy, Controls and Regulatory Coverage
  • Apply working knowledge of PCI DSS v4.0.1, ISO 27001/27002, SOC 2, DORA, NIST CSF, and other applicable frameworks to day‑to‑day GRC work.
  • Support meeting regulatory change across Checkout's operating markets including FCA/PRA requirements and payment scheme obligations, flagging gaps and supporting impact assessments.
  • Proactively identify inefficiencies in GRC processes and propose practical improvements, including automation where viable.
  • Contribute to the development and refinement of GRC tooling, dashboards, and reporting to improve visibility of risk and compliance posture across the business.
Stakeholder Engagement and Mentoring
  • Work closely with Engineering, Product, Legal, Procurement, and Finance to embed security and compliance requirements into processes, systems, and projects.
  • Respond to PCI DSS, ISO 27001, and broader security‑related due diligence requests from merchants, partners, and regulators.
  • Provide guidance and day‑to‑day support to junior analysts (L1 and L2), contributing to their development through knowledge sharing and review.
  • Promote a security‑first culture across Checkout through proactive engagement, awareness sessions, and accessible guidance for non‑security teams.
What We're Looking For
Experience
  • 2 to 4 years of experience in GRC, information security compliance, IT audit, or a closely related function, ideally within payments, financial services, or fintech.
  • Practical working knowledge of PCI DSS (v4.0.1 preferred), ISO…