Information Security Analyst
Role details
Job location
Tech stack
Job description
As an Information Security Analyst at Checkout.com, you will work across the full breadth of the information security function, spanning Governance, Risk and Compliance (GRC), AI Governance, Application Security (AppSec), Technology Risk, and Data Governance. This is a role for someone who has built a solid foundation in information security and is ready to move from guided execution to genuine ownership of tasks and smaller workstreams.
Security at Checkout operates at scale and at pace. We are a global payments business, regulated across multiple jurisdictions, building infrastructure that processes billions of transactions. Our security function needs analysts who understand how different domains fit together, communicate clearly with technical and non-technical colleagues, and take accountability for the quality of their work.
At L2 you will implement security controls, respond to security incidents, identify risks, and support compliance activities across multiple domains. You work independently for extended periods and are developing the cross-domain knowledge and stakeholder skills that will prepare you for programme ownership at L3 and beyond.
How You'll Make Impact
Governance, Risk and Compliance
- Support workstreams within Checkout's GRC programme, including ISO 27001, SOC 2, PCI DSS, and applicable regulatory obligations across our global licensed entities.
- Assist with control evidence collection activities, coordinating with internal teams to gather accurate and timely evidence in support of audit readiness.
- Maintain GRC documentation including policies, standards, procedures, and control matrices under the guidance of senior colleagues.
- Support monitoring of the risk register, tracking remediation activity against agreed timelines and escalating where commitments are at risk.
- Assist in conducting third-party risk assessments, evaluating supplier security controls in line with Checkout's TPRM framework.
- Develop working knowledge of regulatory obligations across Checkout's operating markets, including FCA/PRA requirements, payment scheme rules, and DORA.
AI Governance
- Support the operationalisation of Checkout's AI governance framework, aligned to ISO 42001, the EU AI Act, and NIST AI RMF.
- Assist in conducting AI risk assessments for internal AI and ML systems and third-party AI tools, under the guidance of more senior analysts.
- Help maintain an inventory of AI use cases and associated risk classifications, working with product and engineering teams as directed.
- Develop awareness of the evolving regulatory landscape for AI in financial services and contribute to policy and control documentation.
- Contribute to the development and communication of responsible AI usage guidance for staff, helping teams across the business understand acceptable use boundaries, data handling expectations, and the risks associated with AI tools in a regulated environment.
Application Security
- Contribute to Checkout's application security programme, including support for secure code review processes, SDLC integration, and developer security guidance.
- Support threat modelling activities for new and existing products, identifying security requirements under the guidance of senior colleagues.
- Assist in managing vulnerability findings from penetration tests, bug bounty programmes, and automated tooling, tracking remediation and validating fixes.
- Apply knowledge of the OWASP Top 10 and secure development frameworks to practical security reviews and guidance activities.
Technology Risk
- Support technology risk assessments across infrastructure, cloud environments, and third-party systems, contributing to outputs with actionable treatment recommendations.
- Assist with control assurance activities including vulnerability scanning coordination, access control assessments, and firewall and configuration reviews.
- Develop an understanding of Checkout's technology risk landscape, identifying emerging threats and contributing inputs to the risk register.
- Support DORA-related ICT risk management activities under the direction of senior analysts.
Data Governance
- Support Checkout's data governance programme, including data classification activities, data flow mapping, and enforcement of data handling standards.
- Assist with data loss prevention (DLP) controls and tooling, contributing to activities that ensure sensitive data is protected throughout its lifecycle.
- Help maintain records of processing activities (RoPA) and support data protection impact assessments (DPIAs) for new systems.
- Develop working knowledge of GDPR, UK GDPR, and applicable regional data protection requirements as they affect Checkout's operations.
Cross-domain Collaboration
- Work with Engineering, Product, Legal, Procurement, Finance, and Compliance teams to support the embedding of security requirements into processes, systems, and projects.
- Respond to security due diligence requests from merchants, partners, and regulators with accuracy and within agreed SLAs, escalating complex queries appropriately.
- Communicate clearly with internal stakeholders on security requirements, keeping teams updated on changes and project progress.
- Contribute to security awareness initiatives, promoting a security-conscious culture across Checkout.
Requirements
- 1 to 2 years of experience in information security, IT audit, or a closely related function, ideally within payments, financial services, or fintech.
- Working knowledge of at least one of the following domains: GRC, AppSec, technology risk, or data governance.
- Practical familiarity with at least one compliance framework: PCI DSS, ISO 27001, SOC 2, NIST CSF, or equivalent.
- Some exposure to external audits, risk assessments, or security assurance activities.
- Ability to manage tasks independently and deliver on commitments reliably.
Skills and Approach
- Clear written and verbal communication. You can translate security concepts for technical and non-technical audiences.
- Detail-oriented and methodical. You approach your work carefully and follow through consistently.
- Curious and proactive. You ask questions, flag issues early, and look for root causes rather than surface fixes.
- Collaborative and adaptable. You work effectively across teams and adjust your approach as priorities shift.
- Receptive to feedback and committed to developing your information security skills across multiple domains.
Preferred
- Pursuing or holding a relevant certification: CompTIA Security+, CISA (in progress), ISO 27001 Foundation, or equivalent.
- Familiarity with cloud environments (AWS, Azure, GCP) from a security or compliance perspective.
- Exposure to security or GRC tooling such as Wiz, Qualys, Microsoft Sentinel, ServiceNow GRC, or similar.
- Awareness of AI governance frameworks or the OWASP LLM Top 10.
- Some scripting or automation experience (Python, etc.) is a plus.