Job description

As a GRC Analyst (Governance, Risk & Compliance), you will be at the center of our compliance operations, reporting directly to the Head of IT. You'll be responsible for managing evidence collection, audit coordination, and the policy lifecycle across four concurrent frameworks (ISO 27001, TISAX, SOC 2 Type II, and Cyber Essentials Plus). This role is ideal for a proactive, tech-savvy professional with 2–4 years of experience who is passionate about acting as a bridge between compliance mandates and technical teams to enable secure, international growth.

What you can expect

• Compliance Control Management: Own the day-to-day administration and continuous improvement of our ISMS (ISO 27001/27017/27018), TISAX assessments, SOC 2 Type II controls, and Cyber Essentials Plus recertification.
• Evidence & Audit Ownership: Coordinate internal and external audits end-to-end. You will collect, package, and present the evidence trail, managing auditor walkthroughs and finding remediations.
• Liaison & Collaboration: Act as the crucial link between security and control owners in Engineering and HR. Translate complex compliance requirements into actionable tasks that embed seamlessly into team workflows.
• Risk Management Execution: Maintain the risk register, coordinate quarterly reviews, and ensure treatment plans are actively managed and documented.
• Policy Lifecycle & Privacy: Draft and version-control 90+ policies while assisting with data privacy operations, including RoPA, DPAs, and support for Data Subject Requests (DSRs) under GDPR.
• Security Awareness & Trust: Plan and deliver security training and phishing simulations, while maintaining our Trust Centre content to transform internal security info into client-facing documents.

What you bring to the table

We’re seeking a detail-oriented, pragmatic professional who can balance robust security requirements with the pace of a fast-growing start-up.

Must Haves:

• Proven Experience: 2–4 years of experience in a GRC or Information Security role.
• Framework Expertise: Strong, hands-on experience with ISO 27001 and at least one other framework (TISAX, SOC 2, or Cyber Essentials Plus).
• Policy & Risk Management: Experience managing a significant policy lifecycle (50+ policies) and maintaining risk registers/treatment plans.
• Technical Fluency: A solid understanding of how SaaS companies operate, with the ability to translate compliance needs for engineering and product teams.
• Language Skills: Excellent communication skills in both English & German (business fluent).

Nice to Haves:

• Background in B2B SaaS or tech start-up environments (~100–300 employees).
• Familiarity with GRC tooling, audit management platforms, or compliance automation tools.
• Experience working directly alongside engineering teams.