InfoSec Lead
1. Compliance & Certification Management
Own end-to-end lifecycle management of PCI DSS certification — scoping, gap assessments, remediation tracking, QSA engagement, and annual renewals.
Maintain and renew ISO 27001 certification including surveillance audits, internal audits, ISMS documentation, and continual improvement.
Proactively identify and drive adoption of any new certifications required by regulators, customers, or business partners (e.g. SOC 2, DPDP alignment, RBI guidelines).
Maintain a compliance calendar and ensure zero lapses in certification validity.
2. DPDP (Digital Personal Data Protection) Act Compliance
Lead ShopSe's compliance programme under India's DPDP Act, 2023.
Conduct data mapping and classification exercises; maintain an updated data inventory.
Draft, implement, and operationalise privacy notices, consent mechanisms, and data principal rights workflows. Coordinate with product, engineering, and legal teams to embed privacy-by-design principles.
Manage Data Fiduciary obligations and liaise with the Data Protection Board when required.
3. External & Regulatory Audit Management
Serve as the primary point of contact for all external audits conducted by regulated entities on ShopSe in its capacity as a TSP (Technology Service Provider) or LSP (Lending Service Provider).
Coordinate bank and NBFC partner audits, including audit scheduling, evidence collection, and response management.
Ensure audit readiness at all times; maintain an evergreen evidence repository.
Track and close all audit observations and non-conformities within agreed timelines.
Build and maintain strong relationships with auditors, regulators, and partner compliance teams.
4. Information Security Management
Define, implement, and maintain the Information Security Management System (ISMS) and security policies.
Conduct periodic risk assessments, vulnerability assessments, and threat modelling.
Oversee VAPT (Vulnerability Assessment & Penetration Testing) — vendor management, scoping, and remediation tracking.
Manage security incident response — detection, containment, RCA, and reporting.
Drive security awareness and training programmes across the organisation.
5. Vendor & Third-Party Risk Management
Assess security posture of third-party vendors and technology partners.
Maintain a vendor risk register and conduct periodic reviews.
Ensure contractual security obligations (MSA/DPA clauses) are in place with all critical vendors.
Requirements
Essential Qualifications & Experience
7–8 years of hands-on experience in information security, compliance, or GRC roles — ideally as a #2 or #3 in an infosec team where you were doing the execution, not just overseeing it.
Proven track record of managing PCI DSS and ISO 27001 certifications end-to-end.
Prior experience in a fintech, payments, or BFSI environment as a TSP or LSP is strongly preferred.
Deep understanding of RBI guidelines for technology and outsourcing (e.g. Master Directions on IT, Outsourcing Guidelines).
Working knowledge of DPDP Act, 2023 and its operational implications.
Experience handling regulatory/partner audits independently.
Technical Skills
Strong knowledge of ISO 27001, PCI DSS (v4.0), NIST CSF, and related frameworks.
Proficiency in risk assessment methodologies and security control frameworks.
Familiarity with cloud security (AWS/Azure/GCP) and SaaS security considerations.
Hands-on experience with GRC tools.
Certifications (Required / Preferred)
CISM, CISSP, or CISA — at least one is required.
ISO 27001 Lead Implementer or Lead Auditor — highly preferred.
PCI DSS Internal Security Assessor (ISA) — preferred.
Any DPDP/privacy certification (e.g. CIPP, OneTrust Certified) is a plus.
Soft Skills
Excellent stakeholder management — comfortable engaging with C-suite, regulators, auditors, and bank partners.
Strong written and verbal communication; ability to translate technical risk into business language.
Self-starter with the ability to build and run a function independently.
Detail-oriented, methodical, and deadline-driven.
Job Details
Salary
₹2,000,000 – ₹3,000,000/yr
Experience
Management