Trainline

Senior InfoSec Risk Analyst

Posted 4 Days Ago
Hybrid
London, Greater London, England, GBR
Senior level
The Senior InfoSec Risk Analyst will manage risk management practices, conduct AI risk assessments, and ensure compliance with various security standards.
The summary above was generated by AI

About us

We are champions of rail, inspired to build a greener, more sustainable future of travel. Trainline enables millions of travellers to find and book the best value tickets across carriers, fares, and journey options through our highly rated mobile app, website, and B2B partner channels. 

Great journeys start with Trainline 🚄 

Now Europe’s number 1 downloaded rail app, with over 135 million monthly visits and £6.3 billion in annual ticket sales, we collaborate with 270+ rail and coach companies in over 40 countries. We want to create a world where travel is as simple, seamless, eco-friendly and affordable as it should be. 

Today, we're a FTSE 250 company driven by our incredible team of over 1,000 Trainliners from 50+ nationalities, based across London, Paris, Barcelona, Milan, Edinburgh and Madrid. With our focus on growth in the UK and Europe, now is the perfect time to join us on this high-speed journey. 

Introducing the Trainline Security Team

Trainline is investing in the next evolution of our security program and we’re hiring a Senior Information Security Risk Analyst.

As part of Trainline's Information Security (InfoSec) team, reporting to the GRC Manager, the Senior Information Security Risk Analyst will help mature and maintain our risk management practices across the entire organisation, including the growing landscape of AI risk. This role sits at the intersection of technology, business operations, and assurance, ensuring that security risks from traditional cyber threats to AI-specific risks such as data quality, model bias, and third-party AI dependencies are understood, effectively managed, and aligned with our business risk appetite.

You'll work across departments, including corporate functions, Engineering, Data Science, Legal, Procurement, Enterprise Risk, and Internal Audit to maintain a comprehensive view of information, cyber, and AI risks. Your role will be instrumental in embedding strong risk governance in our cloud-first, AI-driven environment, conducting AI risk assessments for new and existing use cases, supporting the delivery of our unified security framework, and managing risk while supporting regulatory, audit, and compliance efforts across ISO 27001, ISO 22301, Cyber Essentials, NIS 2, and PCI DSS.

As a Senior Information Security Risk Analyst at Trainline, you will:

  • Lead the identification, documentation, and tracking of security and cyber risks across all functions and departments.

  • Maintain the Information Security Risk Framework and Register in line with enterprise risk methodology, supporting the delivery of centralised risk reporting via the CISO/GRC Dashboard.

  • Facilitate risk workshops, control self-assessments (CSAs), and policy reviews with business units.

  • Track risk remediation efforts and escalate critical project, operational and supplier risks to appropriate forums.

  • Collaborate with engineering, legal, privacy and product teams to assess and document risk impacts.

  • Support the development and implementation of the AI Readiness and Governance framework, including conducting AI risk assessments for new and existing AI use cases, applying the risk classification model, and maintaining the AI use case register. This includes evaluating risks around data quality, model bias, transparency, third-party AI dependencies, and regulatory compliance.

  • Conduct structured AI risk assessments across the business, working with product, data science, and engineering teams to evaluate AI use cases against the risk classification model, assess control adequacy, and ensure high-risk use cases have approved controls before production release.

  • Support the implementation and ongoing maintenance of the unified internal control framework, mapping controls across ISO 27001, ISO 22301, Cyber Essentials, and PCI DSS.

  • Leverage AI tools and techniques to streamline repetitive GRC tasks such as policy gap analysis, control mapping, vendor questionnaire processing, and risk reporting.

  • Provide risk advisory for new product launches, technology and AI adoptions, and vendor integrations, ensuring Security by Design and informed risk decision making.

  • Support internal education and awareness around security risk and governance.

We would love to hear from you if you have ...

  • Proven experience in Information Security or Cyber Risk, with direct experience in a cloud-first, tech-driven environment.

  • Experience conducting AI risk assessments, including evaluating risks related to data privacy, model bias, hallucination, third-party AI tooling, and regulatory compliance.

  • Familiarity with AI governance frameworks such as ISO 42001, the EU AI Act risk classification approach, or NIST AI RMF.

  • Experience with common infosec standards/frameworks, particularly ISO 27001, ISO 22301, and PCI DSS.

  • Experience with Cyber Essentials and NIS 2 is a strong advantage.

  • Clear communicator able to translate technical risks for non-technical audiences.

  • Hands-on experience with GRC platforms and tooling (e.g. ServiceNow GRC, Archer, LogicGate, Vanta, or similar) including configuration, workflow design, and reporting.

  • Experience working with internal audit, privacy, legal and other cross-functional business stakeholders.

  • Strong verbal and written communication skills, with the ability to influence at all levels.

  • Comfortable navigating ambiguity, competing priorities, and organisational scale-up challenges.

Nice to have

  • Experience assessing large language model (LLM) deployments, AI-as-a-service integrations, or machine learning pipelines from a security and governance perspective.

  • Experience building automated compliance evidence pipelines or continuous control monitoring.

  • Demonstrable experience automating GRC processes, whether through scripting, no-code/low-code platforms, API integrations, or GRC-specific tooling.

  • Active and proficient use of AI tools (e.g. LLMs, AI assistants, AI-powered search) to accelerate day-to-day work.

  • Background in security engineering, DevSecOps, or technical GRC implementation alongside traditional risk management.

  • Experience with data analytics or BI tools (e.g. Power BI, Tableau) for risk and compliance reporting.

  • Contributions to GRC community knowledge (blog posts, conference talks, open-source tools).

More information:

Enjoy fantastic perks like private healthcare & dental insurance, a generous work from abroad policy, 2-for-1 share purchase plans, an EV Scheme to further reduce carbon emissions, extra festive time off, and excellent family-friendly benefits. 

We prioritise career growth with clear career paths, transparent pay bands, personal learning budgets, and regular learning days. Jump on board and supercharge your career from day one! 

We operate a hybrid working model and ask that Trainliners work from the office a minimum of 60% of their time over a 12-week period. We also have a 28-day Work from Abroad policy.

Our values represent the things that matter most to us and what we live and breathe every day, in everything we do:

  • 💭 Think Big - We're building the future of rail 

  • ✔️ Own It - We focus on every customer, partner and journey 

  • 🤝  Travel Together - We're one team 

  • ♻️ Do Good - We make a positive impact 

We know that having a diverse team makes us better and helps us succeed. And we mean all forms of diversity - gender, ethnicity, sexuality, disability, nationality and diversity of thought. That's why we're committed to creating inclusive places to work, where everyone belongs and differences are valued and celebrated.

Interested in finding out more about what it's like to work at Trainline? Why not check us out on LinkedIn, Instagram and Glassdoor! 

HQ

Trainline London, England Office

3rd Floor, 120 Holborn, London, United Kingdom, EC1N 2TD
