Information Security & Compliance Manager

OnTrack Retail Limited (OTRL) is a UK rail retail technology company of 35 people, building and operating digital ticketing platforms for some of the UK's major train operators, including GTR, Southeastern, and TransPennine Express. Our consumer-facing brand, TicketyBoo, is a train ticket booking app available to passengers across Great Britain.

We hold ISO 27001 accreditation and PCI DSS compliance, and operate in a regulated, high-availability environment where governance and security are central to everything we do.

We are at an exciting point in our growth. We are actively pursuing new contract opportunities across the UK rail sector and have embarked on an accelerated programme to strengthen our compliance and accreditation posture. This role is central to that programme

This is a newly created position, reflecting the increasing importance of compliance and accreditation to OTRL's commercial success and operational integrity. You will own and manage our compliance programme in its entirety, from day-to-day maintenance of existing certifications through to leading new accreditation projects.

You will report directly to the Managing Director and work closely with our technical leads, operations team, and external certification bodies. This is a hands-on role: you will not be managing a large team, but you will be driving a significant and genuinely impactful programme of work across a business that takes compliance seriously.

You will inherit and build on the following:

• ISO 27001 - Information Security - Certified -Maintain and develop
• Cyber Essentials Plus - Newly achieved (June 2026) - Maintain annual renewal
• PCI DSS - Compliant - Maintain
• ISO 22301 - Business Continuity - Documentation complete, testing underway - Lead to certification
• ITIL v5 - Service Management - Programme in planning - Coordinate training cohort
• ISO 9001 - Quality Management - Under evaluation - Assess and potentially lead
• ISO 20000 - IT Service Management - Under evaluation - Assess and roadmap

• Own the full compliance calendar across all current and target certifications, ensuring surveillance audits, renewals, and evidence collection are managed proactively
• Lead OTRL to ISO 22301 certification, building on existing documentation and testing programme
• Manage our ISO 27001 programme through its annual surveillance and recertification cycle
• Coordinate the ITIL v5 Foundation training cohort and support Practice Manager candidates
• Assess the business case and feasibility for ISO 9001 and ISO 20000 and, where approved, lead implementation
• Manage the relationship with our certification body and external auditors

• Support OTRL's data protection programme, working alongside our internal and Group DPOs who retain overall accountability
• Own day-to-day operational data protection activity, DSAR processes, privacy impact assessments, and data breach documentation
• Maintain our Records of Processing Activity (RoPA) and keep data protection policies current
• Support incident response processes where personal data is involved

• Maintain OTRL's supplier compliance framework, including contractual review cycles and third party security assessments
• Manage Standard Contractual Clauses and international data transfer documentation
• Support procurement processes with compliance due diligence on new suppliers

• Own OTRL's policy suite, maintaining, reviewing, and updating policies on an annual basis
• Run the internal audit programme across ISO 27001 and ISO 22301, and subsequently any additional standards
• Manage staff compliance training and attestation processes
• Maintain the risk register and support management review processes

• Own the compliance and accreditation sections of tender responses, maintaining an up-to-date evidence library and statement of compliance that can be drawn on quickly when procurement windows open
• Work with the MD to develop and communicate OTRL's compliance roadmap to clients and procurement bodies

• Hands-on experience implementing or maintaining ISO 27001, you have lived through at least one certification cycle, not just supported from a distance
• Experience with at least one further ISO standard (ISO 22301, ISO 9001, or ISO 20000) at a practical implementation level
• Solid working knowledge of UK GDPR and practical experience of data protection compliance in a technology or payments environment
• Demonstrable ability to own and drive a compliance programme with limited supervision in a small, fast-moving organisation
• Strong documentation skills, you write clearly, structure well, and produce audit-ready evidence without gold-plating
• Comfortable working across technical and non-technical stakeholders

• ISO Lead Auditor qualification (27001 or equivalent), this is a genuine differentiator
• ITIL Foundation certification or familiarity with the framework
• Experience in a fintech, payments, or regulated technology environment
• Familiarity with PCI DSS compliance requirements
• Experience supporting public sector or regulated procurement processes
• Knowledge of the UK rail industry or exposure to RDG/TOC commercial environments

• A direct reporting line to the Managing Director and genuine influence over a business-critical programme
• The chance to build a compliance function largely from scratch in a company that takes it seriously
• A varied, substantial role, this is not a tick-box maintenance job
• Flexible hybrid working
• Salary of £50,000 - £65,000 depending on experience
• 25 days holiday plus bank holidays
• Support for relevant professional development and certification
• Vitality health insurance