Fractional Chief Information Security Officer (CISO)


Overview

Fractional Chief Information Security Officer (CISO)
London, UK – Employees can work remotely. Contract position as a permanent fractional engagement reporting to the CTO.

Company

ApprovalMax is redefining how finance teams manage the Money Out cycle — from purchase orders and supplier bills to employee expense management. Trusted by 18,000+ businesses worldwide, our platform automates financial controls, enables compliance, and supports scalable growth. At the end of 2024, ApprovalMax secured a £10 million growth investment from Yttrium, a leading European technology investor.

Job Description

We are seeking an experienced Fractional CISO to provide hands-on security leadership as we evolve our security function to support continued growth and European expansion. This role is a permanent fractional engagement reporting to the CTO. You will own our information security strategy, maintain ISO 27001 certification, build our security roadmap, and prepare the organization for SOC 2 readiness in 2026-2027.

The role requires strategic and tactical operating ability—from policy development to reviewing cloud configurations.

Key Responsibilities

Strategy & Governance
- Develop and own the Information Security strategy aligned with ApprovalMax's business objectives and European expansion plans
- Maintain and continuously improve the Information Security Management System (ISMS)
- Create, review, and maintain core security policies, standards, and procedures
- Establish and chair a cross-functional Security Working Group (Engineering, Architecture, IT, HR)
- Build and present a multi-year security roadmap with milestones, resource requirements, and priorities
- Serve as the central authority on risk assessment, risk treatment, and risk acceptance decisions
- Assess and provide guidance on secure AI adoption across the organization, including AI-powered product features and internal AI tooling

Compliance & Certification
- Maintain ISO 27001 certification and prepare for the 2027 recertification audit
- Lead SOC 2 Type II readiness programme (target: 2026-2027), including gap analysis and control mapping
- Ensure GDPR and data protection compliance across EU/UK/US/AU/NZ/CA/ZA
- Collaborate with external DPO support provider on privacy matters and customer security questionnaires as needed

Cloud & Technical Security
- Provide security oversight across Azure, AWS, and Google Workspace
- Conduct access reviews and advise on identity and access management best practices
- Evaluate and guide security tooling (SIEM, vulnerability management, endpoint protection)
- Oversee VMware Workspace ONE MDM deployment and device security policies
- Advise engineering teams on secure SDLC, DevSecOps, and application security

Operational Security
- Develop and maintain incident response plans and procedures
- Lead incident response tabletop exercises and post-incident reviews
- Provide guidance on business continuity and disaster recovery planning
- Advise on vendor security assessments and third-party risk management

Awareness & Culture
- Design and deliver company-wide security awareness training
- Mentor and upskill internal staff on security best practices
- Foster a security-first culture across departments
- Act as a trusted advisor to leadership on emerging threats and security trends

Stakeholder Engagement
- Report to the CTO on security posture, risks, and programme progress
- Prepare board-level security presentations as required (infrequent)
- Support commercial teams by contributing to customer security discussions when escalated

Qualifications

Experience
- 8+ years in information security, including at least 3 years in a CISO, Head of Security, or senior leadership role
- Experience in B2B SaaS, fintech, finance software, or similarly regulated industries
- Proven track record of achieving and maintaining ISO 27001 certification
- Experience preparing organizations for SOC 2 Type II
- Hands-on cloud security experience (Azure and/or AWS required; GCP a plus)
- Experience with Google Workspace security configuration and administration
- Background working with distributed, remote-first engineering teams

Technical Knowledge
- Cloud security architecture, identity management, and zero-trust principles
- Secure SDLC and DevSecOps practices
- MDM solutions (VMware Workspace ONE preferred)
- API security and integration risk management
- Security tooling: SIEM, vulnerability scanners, endpoint protection
- Awareness of AI/ML security risks and governance frameworks (desirable)

Compliance & Regulatory
- ISO 27001:2022 requirements and audit processes
- SOC 2 Trust Service Criteria (Security, Availability, Confidentiality, Privacy)
- GDPR, UK Data Protection Act, and international data transfers
- Regional requirements across EU, UK, US, Australia, New Zealand, Canada, and South Africa

Additional information
- Growing international business with 10,000+ subscribers
- Regular performance-based compensation reviews
- 26 days paid time off
- 1 additional day off for your Birthday
- Remote office assistance
- Service years recognition financial reward
Location: Greater London
Job Type: Full Time
