At Moss, we give finance professionals the power to automate their day-to-day and make forward-thinking decisions.
Our team and culture make us unique: we're driven by impact and growth, where every one of us strives to learn and excel. Recognised by Sifted's Rising 100 and LinkedIn's Top Startups, we're here to help propel your career and, together, make Moss a lasting success.
Our Information Security team is seeking an Information Security GRC Lead (f/m/d). This role owns our security governance, risk, and compliance program - ensuring Moss meets its regulatory obligations as a BaFin-regulated EMI while enabling the business to move fast.
You'll report directly to the Director of Information Security. This is a senior individual contributor role with ownership and autonomy - no direct reports currently, but potential to grow the function over time.
We're looking for someone who treats GRC as an engineering problem, not a paperwork exercise. You'll drive automation, continuous control monitoring, and AI-assisted workflows to make compliance scalable and efficient.
What you'll own
- Unified control framework - Build and maintain a single, unified control framework mapped to DORA, ISO 27001, SOC 2 Type 2, and GDPR. Each control should be defined once - with clear ownership, technical implementation details, and evidence sources - and mapped across all relevant standards.
- ICT risk management - Own the ICT risk management framework and register (based on ISO 27005 or equivalent). Identify, assess, track, and report ICT risks. Collaborate with the Risk team to integrate ICT risks into the group-wide enterprise risk framework.
- GRC automation - Automate everything you can: evidence collection, control testing, reporting, policy acknowledgements.
- DORA compliance - Own the DORA compliance program: gap analysis, remediation tracking, ICT risk management framework.
- Security incident management - Own security incident classification and regulatory reporting to BaFin (with CISO sign-off).
- Business continuity - Own the BCM program, including BCP maintenance, testing, and BIA updates.
- Audit readiness - Coordinate ISO 27001 and SOC 2 Type 2 audits end-to-end. Manage evidence collection, auditor relationships, and remediation tracking. Goal: continuous audit-readiness, not fire drills.
- Asset and data classification - Own the classification schema and ensure assets and data are classified and maintained.
- Security vendor assessments - Perform security due diligence on vendors and third-party applications.
- Policy management - Own the security policy lifecycle: drafting, reviews, version control, stakeholder sign-off.
- Security awareness - Own and run the security awareness program.
About you
- You have built or run GRC programs in a fast-paced, regulated environment - ideally a financial institution or fintech.
- You have hands-on experience with ISO 27001, SOC 2 Type 2, and GDPR. Experience with DORA or strong familiarity with its requirements is a plus.
- You have built or managed unified control frameworks mapped across multiple standards - not separate control sets per audit, but one source of truth with cross-mappings.
- You understand controls at the technical implementation level - not just "we have an access review policy" but how it's implemented, in which systems, and how evidence is collected.
- You have designed or significantly evolved a risk management framework - whether based on ISO 27005, NIST, or a custom methodology. You understand how ICT risk integrates into enterprise risk management.
- You have hands-on experience with GRC platforms (e.g. Vanta, Drata, ServiceNow GRC, or similar) - either implementing them or running mature processes on them.
- You understand BaFin regulatory expectations or similar financial regulators.
- You have owned or significantly contributed to BCM/BCP programs, including BIA development and testing.
- You have driven compliance audits end-to-end, including SOC 2 Type 2 audit cycles.
- You understand the 1st, 2nd, and 3rd line model and how to work effectively across functions.
- You have automated GRC processes before - whether through GRC platforms, scripting, or no-code tools. You see manual compliance work as a problem to be solved.
- Fluent written and spoken English. German is a strong plus given our regulatory environment.
What we're looking for beyond experience
- Automation-first - Your instinct is "how do I automate this?" before accepting manual work.
- Ownership without ego - You own your domain but collaborate cleanly with Legal, Risk, and Engineering.
- Pragmatic, not dogmatic - You know when to follow the framework and when to adapt it to reality.
- Clear communicator - You can explain a control gap to an auditor, a board member, and an engineer - differently.
- Calm under audit pressure - You've been through audits and know how to stay organized when everything is due yesterday.
Our offer
- An attractive compensation package, including our company stock option plan
- An annual learning budget of 600 euros
- Access to our mental health and wellbeing offering, including 1-on-1 coaching sessions
- An Urban Sports Club membership
- 20 days of work from abroad
About Moss
Moss is a SaaS scale-up founded in Berlin, with a team of 300+ people from 50+ nationalities in 5 offices across Europe.
Our ambition is bold: to power every SMB's spend across Europe - fully digital, AI-driven, and seamlessly integrated for complete control. To date, over 5000 businesses in Germany, the Netherlands and the UK use Moss' leading spend management product, with modules such as corporate cards, accounts payables, employee cash reimbursements and procurement.
Moss has raised a total of €180 million in funding and is backed by the most renowned tech investors including Valar Ventures, Tiger Global, Global Founders Capital, Cherry Ventures and A-Star.
Be part of a culture that thrives on impact and speed, where you can take bold moves, learn fast and accomplish more. We're a place where you can fast track your career - here's what else to expect:
- Top-of-market compensation package, including equity.
- Our vibrant offices are at the heart of our culture, where in-person time fuels collaboration and connection over weekly breakfasts and Friday demos.
- Additional benefits include: 20 days "work from abroad", 600 EUR/GBP Learning & Development Budget, and other local benefits.
Unless stated otherwise, benefits apply to full-time positions (interns and working students receive a tailored package).
By applying for the above position, you will confirm that you have reviewed and agreed to our Data Privacy Policy.