Remote Information Security & Compliance Lead @ RetinAI Medical

About Us

Ikerian AG (formerly RetinAI Medical) is a fast-growing medical device software company headquartered in Bern, Switzerland. Our mission is to enable the right decisions sooner in healthcare, through transformative AI & data management solutions for disease screening and monitoring. Join our diverse team of entrepreneurs, developers, researchers, and commercial experts who are collectively shaping the future of healthcare.

Job Description

Reporting to the CTO, the Information Security & Compliance Lead owns our Information Security Management System (ISMS). You will drive ISO 27001 certification, comply and maintain EU AI act, DE Digital service act, GDPR/HIPAA/PIPEDA/Swiss Data Protection and UK IT Governance act (UKGDPR) compliances and any other data and cybersecurity, lead risk management and supplier security, and act as single point of contact for auditors, customers and regulators. This is a hands-on, standalone senior role with dotted-line influence over Engineering, IT Ops, HR and Procurement.

Key Responsibilities

• Lead ISO 27001 implementation & certification
• Finalise scope, risk methodology, Statement of Applicability, and control rollout.
• Chair the ISMS Steering Committee and present quarterly KPIs to leadership.
• SOC2/HITRUST or similar certification.  
• Own ongoing security & privacy compliance
• Maintain ISO 27001, GDPR (EU/CH), HIPAA (US) and MDR Annex I IT clauses and FDA IT & Cybersecurity clauses.
• Serve as designated Data Protection Officer (DPO) and Data Security Officer (DSO).
• EU AI act, DE Digital service act, PIPEDA/Swiss Data Protection and UK IT Governance act (UKGDPR) compliances. 
• Risk management & continuous improvement
• Keep the Asset/Risk Register current; run annual risk assessment & treatment plans.
• Drive corrective actions from incidents, audits and penetration tests.
• Audit & customer assurance
• Plan and host internal audits, external surveillance audits and customer assessments.
• Produce security white-papers, Due-Diligence Questionnaires (DDQs) and SoC-type artefacts.
• Supplier & cloud security governance
• Own supplier onboarding, security questionnaires, right-to-audit clauses and periodic reviews.
• Security engineering enablement
• Collaborate with DevOps to harden cloud infrastructure (AWS) and CI/CD pipelines.
• Embed Secure-SDLC practices (threat modelling, SAST/DAST, dependency scanning).
• Awareness & culture
• Deliver onboarding training, phishing simulations and role-based security sessions.
• Publish monthly security metrics and incident learnings to the wider team.

Requirements

5–8 years in information security / GRC, including end-to-end ISO 27001 or SOC 2 implementation experience in a cloud-native environment.

Proven track record as ISMS owner or Lead Auditor; managing audits and corrective actions.

Familiarity with GDPR, HIPAA and vendor-risk management for SaaS or medical-device software.

Bachelor’s or Master’s in Information Security, Computer Science, or similar.

ISO 27001 Lead Implementer/Auditor, CISM or CISSP (strong plus).

Excellent written & spoken English; strong stakeholder influence, training ability and concise reporting to exec/board level.

Self-starter comfortable in a high-autonomy startup; able to prioritise and execute with limited resources.

Eligible to work remotely within Europe; able to travel to Switzerland ~ 3 times / year.

Benefits

• Competitive salary & bonus plus participation in our Employee Stock Option Plan.
• Remote-first culture with flexible hours and true work-life balance.
• Budget for certifications, conferences and equipment of your choice.
• Opportunity to build a green-field ISMS that directly impacts patient outcomes.
• Inclusive, collaborative team that values ownership and rapid iteration.