beqom

Compliance and Information Security Analyst

full-time

Location Type: Hybrid

Location: Krakow, Poland

About the role

  • Receive, triage, and complete inbound GRC / security questionnaires submitted by existing and prospective clients as part of their vendor assessment and TPRM processes.
  • Develop and maintain a master response library to accelerate questionnaire completion, covering areas such as data security, access controls, business continuity, incident response, and privacy.
  • Coordinate with internal stakeholders (Engineering, Product, Operations, Legal) to gather accurate, up-to-date technical evidence and supporting documentation.
  • Track questionnaire status, deadlines, and outcomes; maintain a central log and escalate blockers in a timely manner.
  • Build relationships with client procurement, risk, and security contacts to manage ongoing TPRM obligations efficiently.
  • Manage questionnaires that require formal documentary evidence — such as policies, audit reports (e.g. SOC 2, ISO 27001), penetration test summaries, data processing agreements, and certifications.
  • Maintain a structured evidence repository, ensuring documents are current, version-controlled, and accessible for rapid submission.
  • Identify gaps between client evidence requirements and the company's current documentation; work with the Head of Information Security and Compliance or relevant leads to close those gaps.
  • Review information security, data protection, and compliance clauses within Master Service Agreements (MSAs) and other commercial contracts from clients and prospects.
  • Identify obligations and requirements (e.g. audit rights, subprocessor notifications, breach notification timescales, data residency, encryption standards) and assess the company's ability to comply.
  • Liaise with Legal counsel and the Head of Information Security and Compliance to flag materially onerous or non-standard terms; assist in drafting redlines and proposed alternative language where appropriate.
  • Maintain a tracker of contractual information security obligations to ensure ongoing compliance post-signature.
  • Design and operate a structured TPRM programme for the company's own vendors and sub-contractors who process client data or have access to company systems.
  • Conduct initial and periodic risk assessments of vendors, including completion of security questionnaires, review of their compliance certifications, and assessment of contractual controls.
  • Categorise vendors by risk tier and ensure appropriate due diligence is applied proportionate to the nature and sensitivity of the relationship.
  • Maintain a vendor risk register, tracking assessment outcomes, remediation actions, and review schedules.
  • Report on vendor risk posture to relevant internal stakeholders on a regular cadence.

Requirements

  • Proven experience in a compliance, information security, GRC, or vendor risk management role, ideally within a SaaS, technology, or regulated industry context.
  • Demonstrable experience completing complex security and GRC questionnaires (e.g. SIG, CAIQ, bespoke client questionnaires) and compiling supporting evidence packs.
  • Familiarity with common information security frameworks and standards: ISO/IEC 27001, SOC 2, NIST CSF, CIS Controls, GDPR / data protection legislation.
  • Experience reviewing and interpreting information security provisions in commercial contracts (MSAs, DPAs, SaaS agreements).
  • Strong organisational skills — able to manage multiple concurrent questionnaires and workstreams, prioritise effectively, and meet deadlines.
  • Excellent written and verbal communication skills, with the ability to translate technical security concepts for non-technical audiences (legal, sales, procurement).
  • Proficiency in maintaining documentation, trackers, and evidence repositories; high attention to detail and accuracy.
  • Relevant certification such as CISA, CRISC, CISSP, ISO 27001 Lead Implementer/Auditor, CIPP/E, or equivalent. (Bonus points)
  • Experience working with or within enterprise clients in regulated sectors such as financial services, healthcare, or energy. (Bonus points)
  • Familiarity with data residency requirements and cross-border data transfer mechanisms (SCCs, BCRs). (Bonus points)
  • Experience using GRC platforms or questionnaire automation tools (e.g. OneTrust, Vanta, SecurityScorecard). (Bonus points)
  • Understanding of SaaS product architectures and cloud environments (AWS, Azure) from a security and compliance perspective. (Bonus points)
  • Experience managing sub-processor registers and responding to data subject rights requests. (Bonus points)

Benefits

  • Competitive salary
  • Flexible working hours

Applicant Tracking System Keywords

Tip: use these terms in your resume and cover letter to boost ATS matches.

Hard Skills & Tools
GRC, vendor risk management, information security, security questionnaires, ISO/IEC 27001, SOC 2, NIST CSF, GDPR, data protection legislation, contract review

Soft Skills
organizational skills, communication skills, attention to detail, prioritization, relationship building, problem-solving, time management, collaboration, analytical skills, adaptability

Certifications
CISA, CRISC, CISSP, ISO 27001 Lead Implementer, ISO 27001 Auditor, CIPP/E