The Information Security & Compliance Lead will report to the CTO and own the Information Security Management System (ISMS).
This role involves driving ISO 27001 certification and ensuring compliance with the EU AI act, DE Digital service act, GDPR, HIPAA, PIPEDA, Swiss Data Protection, and UK IT Governance act (UKGDPR).
The position requires leading risk management and supplier security, acting as the single point of contact for auditors, customers, and regulators.
It is a hands-on, standalone senior role with influence over Engineering, IT Ops, HR, and Procurement.
Key responsibilities include leading ISO 27001 implementation and certification, finalizing scope and risk methodology, chairing the ISMS Steering Committee, and presenting quarterly KPIs to leadership.
The role also involves maintaining ongoing security and privacy compliance, serving as the designated Data Protection Officer (DPO) and Data Security Officer (DSO), and managing risk assessments and treatment plans.
The candidate will be responsible for planning and hosting internal audits, producing security white-papers, and managing supplier onboarding and security governance.
Collaboration with DevOps to enhance cloud infrastructure security and embedding Secure-SDLC practices are also essential tasks.
The role includes delivering training and publishing security metrics to the wider team.
Requirements:
Candidates should have 5–8 years of experience in information security or governance, risk, and compliance (GRC), including end-to-end ISO 27001 or SOC 2 implementation experience in a cloud-native environment.
A proven track record as an ISMS owner or Lead Auditor, managing audits and corrective actions is required.
Familiarity with GDPR, HIPAA, and vendor-risk management for SaaS or medical-device software is essential.
A Bachelor's or Master's degree in Information Security, Computer Science, or a similar field is necessary.
Certifications such as ISO 27001 Lead Implementer/Auditor, CISM, or CISSP are strong pluses.
Excellent written and spoken English skills are required, along with strong stakeholder influence, training ability, and concise reporting skills to executive and board levels.
The candidate must be a self-starter comfortable in a high-autonomy startup environment, able to prioritize and execute with limited resources.
Eligibility to work remotely within Europe and the ability to travel to Switzerland approximately three times a year is necessary.
Benefits:
The position offers a competitive salary and bonus, along with participation in the Employee Stock Option Plan.
There is a remote-first culture with flexible hours, promoting a true work-life balance.
A budget is provided for certifications, conferences, and equipment of the candidate's choice.
The opportunity to build a green-field ISMS that directly impacts patient outcomes is available.
The company fosters an inclusive, collaborative team environment that values ownership and rapid iteration.