Senior InfoSec Risk Analyst
Posted 21 hours 22 minutes ago by Trainline
As part of Trainline's Information Security (InfoSec) team, reporting to the GRC Manager, the Senior Information Security Risk Analyst will mature and maintain our risk management practices across the entire organization, including the growing landscape of AI risk. The role sits at the intersection of technology, business operations, and assurance, ensuring that security risks from both traditional cyber threats and AI-specific risks are understood, effectively managed, and aligned with our business risk appetite.
Responsibilities
- Lead the identification, documentation, and tracking of security and cyber risks across all functions and departments.
- Maintain the Information Security Risk Framework and Register in line with enterprise risk methodology, supporting delivery of centralized risk reporting via the CISO/GRC Dashboard.
- Facilitate risk workshops, control self assessments (CSAs), and policy reviews with business units.
- Track risk remediation efforts and elevate critical project, operational and supplier risks to appropriate forums.
- Collaborate with engineering, legal, privacy and product teams to assess and document risk impacts.
- Support the development and implementation of the AI Readiness and Governance framework, including conducting AI risk assessments for new and existing AI use cases, applying the risk classification model, and maintaining the AI use case register. This includes evaluating risks around data quality, model bias, transparency, third-party AI dependencies, and regulatory compliance.
- Conduct structured AI risk assessments across the business, working with product, data science, and engineering teams to evaluate AI use cases against the risk classification model, assess control adequacy, and ensure high risk use cases have approved controls before production release.
- Support the implementation and ongoing maintenance of the unified internal control framework, mapping controls across ISO 27001, ISO 22301, Cyber Essentials, and PCI DSS.
- Leverage AI tools and techniques to streamline repetitive GRC tasks such as policy gap analysis, control mapping, vendor questionnaire processing, and risk reporting.
- Provide risk advisory for new product launches, technology and AI adoptions, and vendor integrations ensuring Security by Design and informed risk decision making.
- Support internal education and awareness around security risk and governance.
- Proven experience in Information Security or Cyber Risk, with direct experience in a cloud-first, tech-driven environment.
- Experience conducting AI risk assessments, including evaluating risks related to data privacy, model bias, hallucination, third-party AI tooling, and regulatory compliance.
- Familiarity with AI governance frameworks such as ISO 42001, the EU AI Act risk classification approach, or NIST AI RMF.
- Experience with common infosec standards/frameworks particularly ISO 27001, ISO 22301, and PCI DSS.
- Experience with Cyber Essentials and NIS 2 is a strong advantage.
- Clear communicator, able to translate technical risks for non-technical audiences.
- Hands on experience with GRC platforms and tooling (e.g. ServiceNow GRC, Archer, LogicGate, Vanta, or similar) including configuration, workflow design, and reporting.
- Experience working with internal audit, privacy, legal and other cross functional business stakeholders.
- Strong verbal and written communication skills, with the ability to influence at all levels.
- Comfortable navigating ambiguity, competing priorities, and organizational scale up challenges.
- Experience assessing large language model (LLM) deployments, AI-as-a-service integrations, or machine learning pipelines from a security and governance perspective.
- Experience building automated compliance evidence pipelines or continuous control monitoring.
- Demonstrable experience automating GRC processes, whether through scripting, no-code/low-code platforms, API integrations, or GRC-specific tooling.
- Active and proficient use of AI tools (e.g. LLMs, AI assistants, AI-powered search) to accelerate day-to-day work.
- Background in security engineering, DevSecOps, or technical GRC implementation alongside traditional risk management.
- Experience with data analytics or BI tools (e.g. Power BI, Tableau) for risk and compliance reporting.
- Contributions to GRC community knowledge (blog posts, conference talks, open source tools).
Private healthcare and dental insurance, a generous work from abroad policy, 2 for 1 share purchase plans, an EV scheme to further reduce carbon emissions, extra festive time off, and excellent family friendly benefits.
Career growth with clear career paths, transparent pay bands, personal learning budgets, and regular learning days.
Hybrid work model: office minimum 60% of time over a 12 week period, 28 day work from abroad policy.
Diversity and Inclusion
We know that having a diverse team makes us better and helps us succeed. And we mean all forms of diversity - gender, ethnicity, sexuality, disability, nationality and diversity of thought. That's why we're committed to creating inclusive places to work, where everyone belongs and differences are valued and celebrated.