Fractional CISO (SOC2)

Few&Far
City of London, Greater London
Posted 1 day ago

About the role

Fractional CISO

  • 2–3 days per week
  • 1 day a week in London (City)
  • Initial 3-month engagement (likely extension)

Few&Far is partnered with an AI-driven digital health startup that is redefining care across the UK and US.

As they scale commercially and prepare for continued US growth, they’re looking for a hands-on Fractional CISO to work directly alongside the CTO and take ownership of their security, governance and compliance maturity.

This is not a "strategy-only" advisory role. They need someone who can operate at Board level whilst also getting deep into controls, engineering processes, access management and audit readiness.

What you’ll be doing

  • The immediate priority is leading the SOC 2 programme end-to-end, driving Type I readiness and laying the operational foundations for Type II.
  • Crucially, the environment needs to be architected against NIST SP 800-53 from day one (the control catalogue that FedRAMP and TX-RAMP baselines are built on), so the controls implemented now can later support those frameworks and broader US public-sector healthcare procurement without rework.

You’ll:

  • Own the SOC 2 programme from scoping through audit delivery
  • Define the system boundary, Trust Services Criteria and evidence strategy
  • Lead Vanta implementation, continuous monitoring and audit preparation
  • Select and manage the external auditor relationship
  • Build a reusable control framework mapped across SOC 2, NIST 800-53, HIPAA, GDPR and ISO 13485
  • Mature engineering governance around secure SDLC, CI/CD, IaC, change management and release controls
  • Strengthen identity and access management across cloud infrastructure, SaaS tooling and production environments
  • Implement least-privilege access controls, privileged access management (PAM) processes and auditable joiner/mover/leaver (JML) workflows
  • Improve Microsoft 365 / Entra ID security posture including Conditional Access, DLP and endpoint compliance
  • Drive incident response, logging, monitoring, backup and disaster recovery maturity
  • Lead third-party risk management and security reviews
  • Support enterprise customer security reviews and questionnaires with US healthcare partners

What they’re looking for

  • Proven experience leading multiple SOC 2 Type I & II programmes end-to-end
  • Strong working knowledge of NIST SP 800-53 control families and cross-framework mapping
  • Experience within healthtech, medtech, fintech or another regulated SaaS environment
  • Hands-on understanding of cloud security, IAM, secure engineering practices and operational resilience
  • Experience working with AICPA auditors and compliance automation tooling
  • Ability to balance pragmatism with strong security standards in a fast-moving scale-up
  • Comfortable operating across engineering teams, senior leadership, enterprise customers and investors
  • CISSP, CISM or equivalent preferred

Please apply and we will contact you to discuss the role further and your charge rate.

About this listing

Screened by Joboru