Company hidden
5 hours ago

Senior InfoSec Risk Analyst (AI)

Work format: hybrid
Employment type: full-time
Grade: senior
English: B2
Country: UK
Vacancy from Hirify RU Global, a list of companies with Eastern European roots

Job description


TL;DR

Senior InfoSec Risk Analyst (AI/GRC): Maturing and maintaining risk management practices across the organization with an emphasis on AI-specific risks, cloud-first security, and regulatory compliance. Focus on conducting AI risk assessments, implementing a unified security framework, and leveraging AI tools to automate GRC tasks.

Location: Hybrid (London) — minimum 60% office attendance required over a 12-week period

Company

Europe’s number 1 downloaded rail app, enabling millions of travellers to book tickets across 40+ countries.

What you will do

  • Lead the identification, documentation, and tracking of security and cyber risks across all corporate functions and departments.
  • Maintain the InfoSec Risk Framework and Register, supporting centralized risk reporting via CISO/GRC dashboards.
  • Conduct structured AI risk assessments, evaluating data quality, model bias, transparency, and third-party AI dependencies.
  • Implement and maintain a unified internal control framework mapping ISO 27001, ISO 22301, Cyber Essentials, and PCI DSS.
  • Provide risk advisory for new product launches, technology adoptions, and vendor integrations to ensure Security by Design.
  • Leverage AI tools to streamline repetitive GRC tasks such as policy gap analysis, control mapping, and risk reporting.

Requirements

  • Proven experience in Information Security or Cyber Risk within a cloud-first, tech-driven environment.
  • Experience conducting AI risk assessments and familiarity with AI governance frameworks (ISO 42001, EU AI Act, or NIST AI RMF).
  • Strong knowledge of infosec standards including ISO 27001, ISO 22301, and PCI DSS.
  • Hands-on experience with GRC platforms (e.g., ServiceNow GRC, Archer, LogicGate, Vanta).
  • Ability to translate technical risks for non-technical audiences and influence stakeholders at all levels.

Nice to have

  • Experience assessing LLM deployments, AI-as-a-service integrations, or machine learning pipelines.
  • Ability to automate GRC processes via scripting, no-code/low-code platforms, or API integrations.
  • Background in security engineering, DevSecOps, or technical GRC implementation.
  • Experience with data analytics or BI tools like Power BI and Tableau for compliance reporting.

Culture & Benefits

  • Hybrid work model with a 28-day Work from Abroad policy.
  • Private healthcare and dental insurance.
  • Professional growth through transparent pay bands, personal learning budgets, and regular learning days.
  • Financial perks including 2-for-1 share purchase plans and an EV Scheme.
  • Family-friendly benefits and extra festive time off.
