ABOUT THE TEAM
The Security team is Trustly's first line of defence. We do the hands-on security work - running risk assessments, reviewing vendors, maintaining policies and procedures, driving business continuity and disaster recovery, and making sure security is embedded in how Trustly builds and operates its products. We work closely with engineering, legal, finance, risk & compliance, HR and senior leadership, and partner with the second line for governance and oversight.
ABOUT THE ROLE
We are looking for an experienced Information Security Officer to join the Information Security team, reporting to the Director of Security in Stockholm. The role sits in the first line of defence, meaning you will be directly responsible for executing and operating security activities - not just governing or overseeing them.
You will work across the full breadth of the role — owning and driving security governance, risk management, third-party oversight, business continuity, compliance and awareness. You will be expected to work independently, influence decisions across teams, and improve how we operate. At the more senior end, you will help shape security strategy and act as stand-in for the Director of Security when needed.
Develop, maintain and communicate Trustly's information security framework (ISMS), including instructions and routines aligned with regulatory requirements and industry standards
Lead information security risk assessments, define and track risk treatment plans, and keep the risk register current
Assess the security posture of third-party vendors and partners during onboarding and through ongoing oversight, define contractual security requirements, and drive remediation of gaps
Ensure business continuity, disaster recovery and crisis management capabilities meet regulatory requirements and are regularly tested
Define and maintain security controls across areas such as access management, internal fraud prevention, monitoring and segregation of duties
Ensure compliance with applicable regulatory requirements, contractual obligations and industry standards; coordinate and support internal and external audits and certifications
Respond to customer due diligence requests, security questionnaires and supplier assessments
Promote security awareness across the organisation through training, communication and guidance
Manage the security incident process and the exception and risk acceptance process, ensuring deviations are documented and approved at the right level
Act as stand-in for the Director of Security when required
5+ years of experience in information security, with a focus on governance, risk management or compliance - ideally in regulated financial services or payments
Experience leading and building a team(s) and/or larger projects
Strong working knowledge of ISO/IEC 27001
Familiarity with frameworks such as NIST CSF will be considered as beneficial
Practical experience translating regulatory requirements (e.g. any regulations and standards such as DORA, NIS 2, PSD2, EBA guidelines) into policy and process
Proven experience with third-party risk management across the vendor lifecycle
Excellent written and verbal communication - you can write a clear policy, present to an all-hands audience, and advise senior leadership with equal ease
Comfortable driving cross-functional initiatives and influencing stakeholders at all levels
If you hold one or more relevant certifications (active or expired) such as CISM, ISO 27001 Lead Implementer, CISA, CISSP or similar, this is considered beneficial
Fluent in English, written and spoken. Swedish is a bonus but not a requirement
