Senior GRC Analyst

pleo · United Kingdom

Exclusive · Remote · Full-time · Senior · posted 5h ago

About the role

About Pleo

Messy spend management is tricky business. And tedious processes are a lose-lose situation for all involved, not just finance. At Pleo, we're changing that. We build spend solutions that make managing money seamless, empowering, and surprisingly effective for finance teams and employees alike - with a vision to help all businesses ‘go beyond’.

The word ‘Pleo’ actually means ‘more than you’d expect’, and living by that mantra has been the secret to our success over the last 10 years.

Now, we’re at a pivotal moment in our journey; every move we make has a direct impact on our 40,000+ customers, our business, and our collective success. We need people who take pride in uncovering customer needs, who turn complex problems into simple solutions, challenge the way things are done (respectfully), and always aim high. With great ambitions driving us forward, we can’t say we’ve got this whole thing figured out. And frankly, that’s half the fun! What we can say is that we’re a driven, progressive, and, importantly, a kind bunch of 850+ people from over 100 nationalities, all committed to delivering the future of business spending, together.

About the role

We're looking for a Senior GRC Analyst / GRC Engineer to join our Information Security team at Pleo. In this role, you'll help build, and be part of, our governance operating model as we scale compliance. If you're excited about building compliance and are passionate about fast-paced scale-ups, then this is the opportunity for you!

Who you’ll be working with and reporting to

You’ll report to our VP of Fraud & Security and work closely with teams in Risk and Compliance, Procurement, Legal, Finance, and Engineering. Our team is highly collaborative and dedicated to ensuring the compliance and security of the business. You’ll also have the chance to partner with teams across the organization to ensure success.

What you’ll be doing

As a Senior GRC Analyst, you will:

  • Automate our legacy systems relating to governance, risk, and compliance frameworks, including ISO 27001, PCI-DSS, DORA, UK Cyber Essentials and relevant financial services regulations.

  • Integrate GRC workflows with internal systems (e.g., ticketing, asset management, identity, cloud platforms) to support compliance by design.

  • Design and build scalable GRC architectures and automation for evidence collection, control testing, and compliance reporting.

  • Draft, review, and maintain Pleo's security policies, mapping them to relevant control standards and ensuring alignment across frameworks as the business evolves.

  • Handle incoming security requests from customers and prospects, including questionnaires, one-off questions, review calls, and documentation, ensuring responses are accurate, thorough, and reflect our actual security posture.

  • Conduct third-party vendor assessments, evaluating suppliers against Pleo's compliance and security standards and ensuring identified gaps are tracked and resolved.

  • Track and report on compliance metrics and KPIs, giving leadership the data-driven visibility they need to understand where the programme stands and where it needs to go.

  • Translate compliance requirements into technical specifications that engineering teams can implement, and make the same topics accessible to non-technical stakeholders.

  • Coordinate complex, multi-team workstreams, keeping dependencies visible, priorities clear, and delivery on track even when things shift.

  • Contribute to the broader Cybersecurity team, staying connected with ongoing initiatives and supporting shared goals across the function.

What you bring

You’ll thrive in this role if you have:

  • Significant experience in Security GRC, understanding of auditing processes, with direct experience in both internal and external audit cycles.

  • Demonstrated experience collaborating directly with engineering, risk and compliance, procurement, legal, and finance teams to get controls built, implemented, and operating in practice.

  • A strong understanding of cloud architectures (AWS or equivalent) and how infrastructure decisions map to security controls and audit evidence.

  • Experience leveraging AI-enabled compliance and workflow automation tools.

  • Experience designing metrics and reporting for GRC programs, including dashboards and executive-level summaries.

  • Fintech, payments industry or IT audit background, with familiarity with regulatory expectations and payment platform architectures.

  • Certifications such as ISO 27001 Lead Implementer or Lead Auditor, CISSP, CISA, or PCI-related credentials. A degree in Cybersecurity, Engineering, Computer Science, Mathematics, or equivalent experience is a plus.

Why is this role a good fit for you

This role is a good fit for you if:

  • You're equally excited about getting into the details of regulatory requirements as you are about writing code.

  • You demonstrate high agency and like to take the initiative in developing solutions that will save the team time.

This role is not a good fit for you if:

  • You are not able to work closely with colleagues who do not have an engineering background.

  • You require a well-groomed backlog and task assignment in order to perform at your best.

How you’ll develop in this role

In your first 6 months at Pleo, you’ll:

  • Get hands-on with Pleo's security landscape, learning how our GRC programme operates across frameworks like ISO 27001, PCI-DSS, and DORA.

  • Build automation for evidence collection, control testing, and policy as code within our existing compliance frameworks, and help shape the long-term security initiatives that support Pleo's growth, working closely with Engineering, Risk & Compliance, and other key stakeholders.

  • Integrate into the Cybersecurity team, connecting with ongoing initiatives, understanding shared goals, and starting to contribute to the workflows and tooling that keep Pleo secure and compliant.

We’re committed to helping you develop your career, whether that means taking on bigger projects, stepping into leadership, or acquiring new skills.

The location

Please note: We can hire on a remote, hybrid or in-person setup in any of the locations listed on the advert, but you will need to be physically based in the country of your choice with a valid right to work. We are unable to offer visa sponsorship for this role in any of the listed locations.

Show me the benefits!

  • Your own Pleo card (no more out-of-pocket spending!)

  • Lunch is on us for your work days - enjoy catered meals or receive a lunch allowance based on your local office

  • Comprehensive private healthcare - depending on your location, coverage options include Vitality, Alan or Médis

  • We offer 25-28 days of holiday (depending on your location) + public holidays

  • For our Team, we offer both hybrid and fully remote working options

  • Option to purchase 5 additional days of holiday through a salary sacrifice

  • We use MyndUp to give our employees access to free mental health and well-being support with great success so far

  • Paid parental leave - we want to make sure that we're supportive of families and help you feel that you don't have to compromise your family due to work
The interview process

We want to ensure you are set up for success and understand what will be expected of you. If your application is successful, our interview process is as follows:

  1. Intro call: A 30-minute chat with our Talent Partner to discuss the role and your background.

  2. Hiring Manager interview: a 60-minute conversation deep diving into your previous experience.

  3. Pleo Challenge: a ~75-minute practical interview testing your skills on a real-life scenario.

Transparency is important to us so we also wanted to share some insights about what we’re looking for in applications to ensure you can set yourself up for success!

Last time we hired a GRC Analyst, we received a total of 350 applications but only 18 were selected for an intro call. Some of the key reasons why previous candidates didn’t make it past the application screening stage include:

  • CV writing and content: we receive a lot of CVs, and many of them are AI-generated. We love seeing people leverage AI—it’s a big focus for us internally too—but without human intervention, these CVs can sometimes become generic and fail to show a candidate in the best light. What we're really looking for is the specific details of real impact that only you know from your previous experience. A top tip from us is to use the “Achieved X, as measured by Y, by doing Z” formula (credit: Laszlo Bock, ~2014) to give a really clear picture of what you’ve worked on. A final note: including links to your previous companies' websites is a huge help and allows us to truly understand your background!

  • Application care: every single application we receive is reviewed by a human (yes, hundreds of them) because we believe that candidates' efforts should be matched by an equal level of human care. This means that we expect a similar level of attention put into your application. Read and answer the application questions carefully; they make a huge difference in our decision-making process.

  • Profile to role fit: this role sits at the intersection of GRC analysis and engineering. It is non-negotiable that the right person brings a deep understanding of compliance frameworks in the fintech space and is also able to automate tasks and workflows.

About your application

  • English first. Since it's our company language, please submit your application in English. You’ll be using it a lot if you join us.

  • A fair look for everyone. Our talent team reads every single application to ensure the process is fair. To keep things running smoothly, we only accept applications through our system—our support team can’t pass on calls or emails.

  • Diversity drives us. We can only reach our goals if our team reflects the world around us. That starts with you hitting apply, even if you don't tick every single box. We encourage people from all backgrounds and experiences to join us.

  • Interview at your best. We want you to feel comfortable throughout the process. If you have any accessibility requirements or need a specific format, email belonging@pleo.io. We’ll design a process that works for you.

  • Your data is safe. When you apply, we process your personal data as a data processor. For more information on how Pleo processes personal data, read our Privacy Policy.

  • Applying for multiple roles? Nothing is stopping you, and we assess every role independently. However, we do look for alignment, so make sure you can explain why your interest and experience are right for each specific role.

  • Reapplying. If you’re applying for the same role again, please wait six months from your last decision before hitting submit.

Skills

  • ISO 27001
