Senior Information Security Manager (f/m/d)
Moss · Berlin · Posted 10 April 2026
Job Description
At Moss, we give finance professionals the power to automate their day-to-day and make forward-thinking decisions.
Our team and culture make us unique — we’re driven by impact and growth, where every one of us strives to learn and excel. Recognised by Sifted’s Rising 100 https://sifted.eu/rankings/b2b-saas-rising-100-2024 and LinkedIn's Top Startups https://www.linkedin.com/pulse/linkedin-top-startups-2024-20-aufstrebende-unternehmen-bjd0c/, we’re here to help propel your career and together, make Moss a lasting success.
Our Information Security team is seeking an Information Security GRC Lead (f/m/d). This role owns our security governance, risk, and compliance program - ensuring Moss meets its regulatory obligations as a BaFin-regulated EMI (e-money institution) while enabling the business to move fast.
You'll report directly to the Director of Information Security. This is a senior individual contributor role with ownership and autonomy - no direct reports currently, but potential to grow the function over time.
We're looking for someone who treats GRC as an engineering problem, not a paperwork exercise. You'll drive automation, continuous control monitoring, and AI-assisted workflows to make compliance scalable and efficient.
What you'll own
- Unified control framework - Build and maintain a single, unified control framework mapped to DORA, ISO 27001, SOC 2 Type 2, and GDPR. Each control should be defined once - with clear ownership, technical implementation details, and evidence sources - and mapped across all relevant standards.
- ICT risk management - Own the ICT risk management framework and register (based on ISO 27005 or equivalent). Identify, assess, track, and report ICT risks. Collaborate with the Risk team to integrate ICT risks into the group-wide enterprise risk framework.
- GRC automation - Automate everything you can: evidence collection, control testing, reporting, policy acknowledgements.
- DORA compliance - Own the DORA compliance program: gap analysis, remediation tracking, ICT risk management framework.
- Security incident management - Own security incident classification and regulatory reporting to BaFin (with CISO sign-off).
- Business continuity - Own the BCM program, including BCP maintenance, testing, and BIA updates.
- Audit readiness - Coordinate ISO 27001 and SOC 2 Type 2 audits end-to-end. Manage evidence collection, auditor relationships, and remediation tracking. Goal: continuous audit-readiness, not fire drills.
- Asset and data classification - Own the classification schema and ensure assets and data are classified and maintained.
- Security vendor assessments - Perform security due diligence on vendors and third-party applications.
- Policy management - Own the security policy lifecycle: drafting, reviews, version control, stakeholder sign-off.
- Security awareness - Own and run the security awareness program.
About you
- You have built or run GRC programs in a fast-paced, regulated environment - ideally a financial institution or fintech.
- You have hands-on experience with ISO 27001, SOC 2 Type 2, and GDPR. Experience with DORA or strong familiarity with its requirements is a plus.
- You have built or managed unified control frameworks mapped across multiple standards - not separate control sets per audit, but one source of truth with cross-mappings.
- You understand controls at the technical implementation level - not just "we have an access review policy" but how it's implemented, in which systems, and how evidence is collected.
- You have designed or significantly evolved a risk management framework - whether based on ISO 27005, NIST, or a custom methodology. You understand how ICT risk integrates into enterprise risk management.
- You have hands-on experience with GRC platforms (e.g. Vanta, Drata, ServiceNow GRC, or similar) - either implementing them or running mature processes on them.
- You understand BaFin regulatory expectations or s ... (truncated, view full listing at source)