Security and Compliance Engineer
We're Osome - an international fintech startup making the lives of entrepreneurs easier. We help thousands of businesses kick admin, accounting and bookkeeping out of their day-to-day, so they can spend more time on what's important to them. We've developed a unique solution that combines SaaS with a human-in-the-loop approach to provide full-fledged services in real-time.
We're experiencing tremendous growth in both clients and team members. We have over 500 people in our global offices 🌎. We're looking for more bright minds who'd love to change the world by solving complex problems.
What you'll do:
⭐ Lead SOC2 and ISO27001 compliance initiatives, owning the implementation, maintenance, and continuous improvement of security controls and evidence collection for successful audits.
⭐ Design and implement security controls across infrastructure and application layers, ensuring compliance with SOC2 Trust Services Criteria and ISO27001 Annex A controls.
⭐ Develop and maintain security policies and procedures, including incident response plans, disaster recovery procedures, risk management frameworks, and security awareness programs.
⭐ Conduct risk assessments and security audits, identifying gaps in security posture and working with engineering teams to remediate vulnerabilities and strengthen defenses.
⭐ Implement security automation and monitoring, integrating security tools into CI/CD pipelines and establishing continuous compliance validation across the SDLC.
⭐ Manage security tooling and infrastructure, including SIEM solutions, vulnerability scanners, penetration testing tools, and security information management platforms.
⭐ Secure cloud infrastructure and applications, implementing AWS security best practices, IAM policies, network segmentation, encryption at rest and in transit, and secure API design.
⭐ Integrate security into DevOps workflows, embedding SAST, DAST, dependency scanning, and container security tools to shift security left in the development process.
⭐ Coordinate and support compliance audits, serving as the primary technical contact for external auditors and gathering evidence of control effectiveness.
⭐ Monitor and respond to security incidents, leading incident response efforts, conducting forensic analysis, and implementing post-incident improvements.
⭐ Enforce Infrastructure as Code (IaC) security policies, ensuring secure provisioning and configuration management across Terraform, CloudFormation, and AWS CDK deployments.
⭐ Collaborate with platform and application teams, providing security guidance on architecture decisions, code reviews, and threat modeling exercises.
⭐ Maintain vendor security assessments, conducting third-party risk assessments and managing the vendor security review process.
⭐ Build security awareness culture, developing and delivering security training programs to engineering teams and promoting secure development practices.
⭐ Track and report on security metrics, providing regular updates on compliance status, security posture, and remediation progress to leadership.
⭐ Stay current with evolving security threats and compliance requirements, adapting security programs to address emerging risks and regulatory changes.
Who you are:
⭐ 3+ years of experience in security and compliance engineering, with hands-on experience managing SOC2 Type II and ISO27001 certification programs from implementation through successful audit.
⭐ Deep expertise in SOC2 Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) and ISO27001 control requirements, with a proven track record of achieving and maintaining certifications.
⭐ Strong cloud security experience, particularly in AWS, including expertise in IAM, Security Hub, GuardDuty, VPC security, KMS, CloudTrail, and other security services.
⭐ Experience with Infrastructure as Code security, reviewing and securing Terraform, CloudFormation, and AWS CDK configurations to prevent misconfigurations and enforce security policies.
⭐ Solid understanding of application security, including API security, OAuth, JWT, authentication/authorization mechanisms, secure coding practices, and common vulnerability classes (OWASP Top 10).
⭐ Experience with security monitoring and incident response, using SIEM platforms, log analysis tools, and implementing detection and response capabilities.
⭐ Strong documentation and communication skills, able to create clear security policies, runbooks, architectural decision records, and present technical security concepts to non-technical stakeholders.
⭐ Proficiency in scripting and automation, using Python, Bash, or similar languages to automate security checks, compliance evidence collection, and remediation workflows.
⭐ Proven ability to work cross-functionally, collaborating effectively with platform, application, DevOps, and business teams to drive security initiatives and build a security-first culture.
⭐ Audit management experience, coordinating with external auditors, managing remediation timelines, and maintaining continuous compliance readiness.
⭐ Knowledge of additional compliance frameworks such as GDPR, PCI-DSS, NIST, or similar regulatory requirements is a plus.
Nice to have:
⭐ Proficiency in security automation and DevSecOps practices, integrating security tools like SAST (SonarQube, Snyk), DAST (OWASP ZAP, Burp Suite), and container security (Trivy, Aqua Security) into CI/CD pipelines.
⭐ Experience with Kubernetes security, including pod security policies, network policies, RBAC, and container runtime security.
⭐ Familiarity with serverless security best practices, securing Lambda functions, API Gateway, DynamoDB, and event-driven architectures.
⭐ Relevant security certifications such as CISSP, CISM, CEH, AWS Security Specialty, or similar are highly valued.
Our Benefits 🙌
Osome grows alongside you, but we already have a few perks:
⭐ The opportunity to join a goal-driven startup with big ambitions
⭐ The chance to join a growing, highly-skilled R&D team, and to help shape and define the way we work
⭐ An open, inclusive working environment, with founders deeply rooted in the startup space
⭐ An agile working model focused on goals and performance
⭐ Private medical insurance
⭐ Quarterly social events
⭐ Learning opportunities and mentorship from peers and leaders, including a yearly continuous professional development budget.
Equal Opportunity Statement
At OSOME, creating a culture where individuals of all backgrounds feel comfortable really matters.
Everyone who applies will receive fair consideration for employment. We do not discriminate based upon race, colour, religion, sex, sexual orientation, age, marital status, gender identity, national origin, disability, or any other applicable legally protected characteristics in the location in which the candidate is applying. We want to ensure that we represent the diversity of talent in the society we live in today.
If you have any accessibility requirements that would make you more comfortable during the application and interview process, please let us know so that we can support you.
- Department: Engineering
- Locations: Indonesia
- Remote status: Hybrid
About OSOME
We believe that entrepreneurs are society's problem solvers. They see opportunities in complexities and drive us towards progress. Osome doesn't want entrepreneurs to be distracted from the important task of searching for the best solutions. By letting us handle all the routine tasks, entrepreneurs can focus on driving their business forward.