The Security Compliance Analyst plays a key role in maintaining and evidencing information security compliance across Zellis Group, which comprises Zellis, Moorepay, Benifex and Hastee. Working across all of the Group’s brands and business units, the role ensures that security controls, processes and documentation consistently meet internal policies, contractual and regulatory obligations, and external standards such as ISO 27001:2022, SOC 2, UK GDPR, NIS2 and Cyber Essentials Plus.
Reporting to the Group Head of Security Compliance, this is a hands-on, delivery-focused role centred on continuous assurance: maintaining audit readiness, evidencing control effectiveness, and tracking remediation through to closure to sustain a consistent compliance posture across the Group. Because the Group’s certifications and attestations are regularly relied upon by customers, the role also provides valuable support to commercial, tender and due-diligence activity.
The role also takes a strong “AI first” approach, making use of approved AI tooling (such as Microsoft Copilot and Claude) to automate evidence collection, accelerate reporting, and help shift the function from point-in-time checks towards always-on, continuous compliance.
Key responsibilities
Compliance Management
- Maintain compliance evidence repositories and support audit readiness across frameworks such as ISO 27001 and SOC 2.
- Monitor adherence to information security policies, standards, and procedures.
- Support individual business units in interpreting and applying compliance controls.
- Map and harmonise overlapping controls across multiple frameworks (ISO 27001, SOC 2, Cyber Essentials Plus and NIST CSF) to create a single set of evidence, reduce duplication and minimise audit fatigue.
- Help shift the programme from point-in-time checks towards continuous control monitoring, surfacing compliance drift before it becomes an audit finding.
Certification & Audit Management
- Assist in coordinating internal and external audit activities for ISO 27001, SOC 2 and other frameworks adopted across the Group.
- Maintain certification schedules and ensure corrective actions are tracked to closure.
- Support ISO 27001:2022 surveillance and recertification audits, SOC 2 examinations, and Cyber Essentials Plus assessments across the Group.
- Support the introduction of new certifications or attestations required by customers or to enter new markets, working with commercial teams to meet agreed timelines.
Internal Security Audits
- Conduct internal control reviews to test compliance effectiveness.
- Document findings, non-conformities, and improvement opportunities.
- Track issue remediation and provide status reporting to management.
Risk Assessment & Reporting
- Support identification and assessment of compliance-related risks.
- Assist in preparing risk and compliance dashboards, metrics, and SLA tracking.
- Contribute data to Group risk registers and compliance scorecards.
- Help monitor and improve external security ratings (e.g. BitSight, SecurityScorecard) and framework benchmarking (e.g. NIST CSF), feeding results into management reporting.
Third-Party & Supply Chain Assurance
- Support third-party and supply chain risk management, including reviewing supplier security questionnaires, certifications and evidence.
- Track contractual security requirements and remediation actions for key suppliers, and contribute to vendor breach impact assessments.
- Help maintain continuous visibility of critical third parties, rather than relying on point-in-time onboarding checks alone.
Policy & Process Support
- Maintain localised policy registers and manage documented exceptions.
- Contribute to drafting and reviewing information security procedures.
- Monitor staff acknowledgement and review of current policy versions.
Stakeholder Collaboration
- Act as the compliance point of contact for business-unit security leads and commercial teams.
- Work with external auditors, certification bodies and assessors throughout audit and certification activities.
- Collaborate with IT, Engineering, Legal, HR, Operations and other teams to embed compliance into day-to-day processes.
Customer Assurance & Commercial Enablement
- Respond to customer and prospect security questionnaires, tenders and due diligence requests with accurate, consistent compliance information and evidence extracts.
- Maintain a reusable library of approved security responses and evidence to speed up sales, renewal and contract-assurance cycles.
- Help maintain customer-facing trust and assurance materials, so the Group can evidence its security posture consistently.
AI, Automation & Continuous Compliance
- Apply an “AI first” approach, using approved AI tools (such as Microsoft Copilot and Claude) to automate evidence gathering, draft and review documentation, and analyse control data.
- Help build and maintain automated compliance dashboards and real-time reporting, giving leadership continuous visibility of the Group’s posture.
- Support the Group’s responsible use of AI, contributing to AI governance and assurance activities aligned to emerging standards (e.g. NIST AI RMF, ISO/IEC 42001) and the EU AI Act.
Continuous Improvement & Integration
- Support compliance integration activities during mergers and acquisitions.
- Participate in access reviews, control testing, and assurance checks.
- Recommend improvements to enhance consistency, efficiency, and auditability.