[Hiring] Compliance & Information Security Analyst @beqom

Role Description

We are seeking an experienced Compliance & Information Security Analyst to own and manage our compliance and third-party risk management (TPRM) function. This is a hands-on role that sits at the intersection of information security, legal/contractual review, and vendor risk management.

The successful candidate will be the primary point of contact for inbound client governance, risk & compliance (GRC) requests, will manage our own vendor and sub-contractor due diligence programme, and will review information security obligations embedded in client and prospect contracts. This role is critical in maintaining client trust, supporting sales cycles, and ensuring the company meets its obligations as a responsible data processor and technology provider.

What you'll be doing

• Client GRC Questionnaires & Third-Party Risk Management (TPRM)
  • Receive, triage, and complete inbound GRC / security questionnaires submitted by existing and prospective clients as part of their vendor assessment and TPRM processes.
  • Develop and maintain a master response library to accelerate questionnaire completion, covering areas such as data security, access controls, business continuity, incident response, and privacy.
  • Coordinate with internal stakeholders (Engineering, Product, Operations, Legal) to gather accurate, up-to-date technical evidence and supporting documentation.
  • Track questionnaire status, deadlines, and outcomes; maintain a central log and escalate blockers in a timely manner.
  • Build relationships with client procurement, risk, and security contacts to manage ongoing TPRM obligations efficiently.
• Evidence-Based GRC Questionnaires
  • Manage questionnaires that require formal documentary evidence — such as policies, audit reports (e.g. SOC 2, ISO 27001), penetration test summaries, data processing agreements, and certifications.
  • Maintain a structured evidence repository, ensuring documents are current, version-controlled, and accessible for rapid submission.
  • Identify gaps between client evidence requirements and the company's current documentation; work with the Head of Information Security and Compliance or relevant leads to close those gaps.
• Information Security Review of MSAs & Client Contracts
  • Review information security, data protection, and compliance clauses within Master Service Agreements (MSAs) and other commercial contracts from clients and prospects.
  • Identify obligations and requirements (e.g. audit rights, subprocessor notifications, breach notification timescales, data residency, encryption standards) and assess the company's ability to comply.
  • Liaise with Legal counsel and the Head of Information Security and Compliance to flag materially onerous or non-standard terms; assist in drafting redlines and proposed alternative language where appropriate.
  • Maintain a tracker of contractual information security obligations to ensure ongoing compliance post-signature.
• Vendor & Sub-Contractor TPRM
  • Design and operate a structured TPRM programme for the company's own vendors and sub-contractors who process client data or have access to company systems.
  • Conduct initial and periodic risk assessments of vendors, including completion of security questionnaires, review of their compliance certifications, and assessment of contractual controls.
  • Categorise vendors by risk tier and ensure appropriate due diligence is applied proportionate to the nature and sensitivity of the relationship.
  • Maintain a vendor risk register, tracking assessment outcomes, remediation actions, and review schedules.
  • Report on vendor risk posture to relevant internal stakeholders on a regular cadence.

Qualifications

• Proven experience in a compliance, information security, GRC, or vendor risk management role, ideally within a SaaS, technology, or regulated industry context.
• Demonstrable experience completing complex security and GRC questionnaires (e.g. SIG, CAIQ, bespoke client questionnaires) and compiling supporting evidence packs.
• Familiarity with common information security frameworks and standards: ISO/IEC 27001, SOC 2, NIST CSF, CIS Controls, GDPR / data protection legislation.
• Experience reviewing and interpreting information security provisions in commercial contracts (MSAs, DPAs, SaaS agreements).
• Strong organisational skills — able to manage multiple concurrent questionnaires and workstreams, prioritise effectively, and meet deadlines.
• Excellent written and verbal communication skills, with the ability to translate technical security concepts for non-technical audiences (legal, sales, procurement).
• Proficiency in maintaining documentation, trackers, and evidence repositories; high attention to detail and accuracy.

Bonus points if you have:

• Relevant certification such as CISA, CRISC, CISSP, ISO 27001 Lead Implementer/Auditor, CIPP/E, or equivalent.
• Experience working with or within enterprise clients in regulated sectors such as financial services, healthcare, or energy.
• Familiarity with data residency requirements and cross-border data transfer mechanisms (SCCs, BCRs).
• Experience using GRC platforms or questionnaire automation tools (e.g. OneTrust, Vanta, SecurityScorecard).
• Understanding of SaaS product architectures and cloud environments (AWS, Azure) from a security and compliance perspective.
• Experience managing sub-processor registers and responding to data subject rights requests.

Benefits

• Your career, your design.
• Unleash your ambition in our dynamic, autonomous environment.
• Drive meaningful change.
• Build a fairer future for every employee by joining a market leader that is improving the world of work.
• Belong to something bigger.
• Collaborate with a passionate, diverse and talented team around the globe.

Location

Manchester, Greater Manchester (Remote)

Department

InfoSec

Employment Type

Full-Time

Minimum Experience

Mid-level