RavenPack

IT Risk & Compliance Specialist

RavenPack  •  Marbella, ES (Onsite)  •  4 hours ago

Job Description

About RavenPack

RavenPack is a leading data analytics provider for the financial industry, operating the Bigdata.com platform — a real-time AI-powered research assistant serving institutional investors, banks, and asset managers globally. We process vast amounts of unstructured data through cutting-edge AI and NLP technologies, making information security and regulatory compliance central to our operations and client trust.

The Opportunity

We are looking for a Compliance Specialist to join our IT Risk & Compliance team and take accountability for the compliance function within our Information Security Management System (ISMS). You will work alongside the CISO and a small, dedicated team to ensure RavenPack meets and exceeds its obligations under ISO 27001, SOC 2, GDPR, the EU AI Act, and all applicable regulatory frameworks.

This role is referenced across our governance model — from audit oversight and access review exercises to vendor screening and Steering Committee reporting — and represents a critical step in maturing our compliance posture as we scale.

What You'll Do

Compliance Monitoring & Reporting

  • Continuously monitor compliance with ISMS requirements and relevant standards (ISO 27001:2022, SOC 2 Type II).

  • Track and report on key security metrics, KPIs, and the performance of the ISMS to the organisation's security governance structure.

  • Prepare compliance materials for management review sessions and committee presentations.

Audit Oversight

  • Oversee the planning, coordination, and execution of internal and external ISMS audits.

  • Manage timely remediation of non-conformities and audit findings.

  • Lead gap assessments for ISO 27001 and SOC 2 frameworks, leveraging the GRC platform.

  • Support the SOC 2 Type II audit cycle and ISO 27001 certification continuity (including the upcoming ISMS 2027 assessment).

Risk Management

  • Collaborate on the information security risk management plan, including risk identification, assessment, and treatment using the TOE Calculator and Magerit methodology aligned with ISO/IEC 27005.

  • Monitor the organisation's risk posture and report material changes.

  • Maintain the risk register in the GRC platform and manage risk acceptance workflows.

Vendor & Third-Party Risk Management

  • Conduct security due diligence for new vendors following RavenPack's vendor screening procedure.

  • Manage ongoing security monitoring and annual re-screening of existing vendors.

  • Assess EU AI Act applicability for vendor AI services and coordinate with Legal for T&C and privacy policy assessments.

Policy & Documentation Management

  • Manage the ISMS policy lifecycle — drafting, review, approval, and publication of information security policies, standards, and procedures.

  • Ensure documentation accuracy, version control, and availability across the Confluence-based ISMS documentation framework.

Service Operations Support

  • Respond to client Due Diligence Questionnaires (DDQs) within established SLAs.

  • Triage and manage compliance-related service requests via the internal ticketing system.

  • Produce the bi-annual DDQ analysis report identifying themes, trends, and improvement areas.

Security Awareness

  • Collaborate on the development and delivery of security awareness training programmes for all staff.

  • Support relationships with external training providers and monitor delivery quality.

What We're Looking For

Required

  • 5+ years of experience in IT compliance, information security governance, or GRC roles.

  • Deep working knowledge of ISO 27001:2022 and SOC 2 frameworks — hands-on experience with certification and audit cycles, not just theoretical understanding.

  • Experience with GRC platforms (Vanta experience is a strong plus).

  • Solid understanding of risk management methodologies (ISO 27005, Magerit, or equivalent).

  • Familiarity with GDPR and the EU AI Act in the context of data-driven products and AI services.

  • Experience managing vendor security due diligence and third-party risk assessments.

  • Strong documentation and policy-writing skills — you're comfortable owning an entire ISMS documentation set.

  • Excellent English communication skills (written and spoken); Spanish is a plus.

Preferred

  • Professional certifications such as CISA, CISM, ISO 27001 Lead Auditor/Implementer, or CRISC.

  • Experience in financial services, fintech, or data analytics environments where client DDQs and regulatory scrutiny are routine.

  • Familiarity with security tooling such as CrowdStrike, Okta, and vulnerability management workflows.

  • Experience with Jira/Confluence for compliance workflow management and documentation.

  • Python scripting skills for automation of compliance operations (e.g., vulnerability acknowledgement, scope synchronisation).

  • Understanding of the NIST Cybersecurity Framework 2.0.

Who You'll Work With

  • Director of IT Operations / CISO — Reporting line, strategic direction, budget

  • Steering Committee — CTO, COO, Legal Counsel (governance approvals, strategic alignment)

  • Monitoring Committee — Operational security oversight, risk posture reporting

  • Legal, Finance, Cybersecurity, and IT Support teams — Cross-functional collaboration on vendor management, incident response, and access reviews

What We Offer

  • A high-impact role in a growing compliance function with direct visibility to executive leadership.

  • The opportunity to shape and mature the ISMS of a globally recognised AI and data analytics company.

  • Collaboration with a small, focused team that values quality over throughput and structured operating principles.

  • An environment where compliance is recognised as a strategic business enabler — 56% of clients request ISO/SOC 2 adherence, so compliance has a direct impact on business goals.

  • Marbella, Spain location with a collaborative, international team.

About RavenPack

RavenPack is the leading provider of insights and technology for data-driven companies, trusted by the world’s top hedge funds, banks, and asset managers. Our platform processes 40,000+ sources in 13 languages, mapping millions of entities to deliver sentiment, relevance, and impact scores.

From alpha generation and risk management to ESG analytics and portfolio optimization, RavenPack helps firms compress research cycles and make smarter, data-driven decisions.

In 2024, it launched Bigdata.com, an agentic AI platform that unites premium, unique, and real-time financial datasets with powerful search. Professionals can gain instant insights with ready-to-use AI agents or build their own to accelerate research, automate workflows, and enhance returns. Backed by more than two decades of RavenPack’s AI expertise, Bigdata.com is redefining how financial professionals leverage AI to unlock smarter, faster decisions.

Discover why the world’s leading financial institutions trust RavenPack to power their AI and predictive analytics.

Industry
Finance & Insurance
Company Size
201-500 employees
Headquarters
Marbella, ES
Year Founded
2003