Senior Cyber Security (GRC) Analyst

80422 - Senior Cyber Security (GRC) Analyst

This Senior Cyber Security (GRC) Analyst will report to the Cyber Security Governance, Risk & Compliance Manager and will work within the Information Systems directorate based in either our London or Crawley office. You will be a permanent employee.

You will attract a salary of up to £75,000.00 and a bonus of 7.5%. This role can also offer blended working after probationary period (6 months) - 3 days in the office and 2 remote

Close Date: 25/03/2025

We also provide the following additional benefits

• 25 Days Annual Leave plus bank holidays. 
• Reservist Leave – Additional 18 days full pay and 22 unpaid
• Personal Pension Plan – Personal contribution rates of 4% or 5% (UK Power Networks will make a corresponding contribution of 8% or 10%)
• Tenancy Loan Deposit Scheme, Season Ticket Loan
• Tax efficient benefits: Cycle to Work, Home & Tech, and Green Car Leasing Schemes
• Occupational Health support
• Switched On – scheme providing discount on hundreds of retailers’ products
• Discounted gym membership
• Employee Assistance Programme

Job purpose

The Senior Governance Risk and Compliance (GRC) Analyst will support the Cyber Security GRC Manager in developing IT governance, risk management, and compliance strategies across UK Power Networks information applications and users to safeguard essential business services and operations from cyber threats.

Dimensions

• People - Work collaboratively in a team of circa 8-10 permanent and temporary GRC resources and specialist 3rd Party GRC service providers. Mentor less experienced GRC analysts, providing guidance and training.
• Financial - no direct budget responsibility.
• Industry and Regulatory – deputise for the GRC manager to represent UKPN in energy sector industry forums and regulatory working groups, working collaboratively with Ofgem and the Department for Energy Security and Net Zero
• Communication – communicate and work with all teams and partners in UK Power Networks. Good verbal, written, and presentational skills to express risks and the potential possible effects to the business and make reasoned recommendations for management action to mitigate or reduce the risks.
• Stakeholders – regular and ongoing interaction with senior management across IT, IS and the Business; Build relationships with internal support teams, internal and external auditors, specialist 3rd party service providers and partners to manage IT risk, and to monitor mitigation plans and actions.

Principal accountabilities

• Risk Management: Conduct cyber security risk assessments following the UK Power Networks risk assessment framework and methodology, identifying and explaining findings and treatment actions to important partners. Ensure all risks relating to the control environment are captured and remediation actions defined, tracked, monitored and followed-up with owners including communication of third-party assessments and actions.
• Reporting: Produce management information related to the risk and control environment. Support IS teams to define main control metrics to demonstrate their effectiveness. Prepare regulatory submissions and provide assurance for UK Power Networks policy compliance within IT which includes main performance metrics and management reporting.
• Information Security Management System Support: Operate and maintain the information security management system and artefacts, in compliance with ISO 27001/27002 including the governance forum agenda and minutes.
• Policies and Standards: establish GRC policies, standards and procedures to monitor UKPN information security controls, exceptions, risks, and testing including management reporting on performance.
• Controls Framework: Ensure a fit for purpose and robust IT control environment and support a roadmap for IT controls improvements. Requiring an understanding of technical issues and controls.
• Compliance: Design, implement, and run processes to monitor UKPN IT compliance to legal and regulatory requirements such as Smart Energy Code, Cyber Essentials, National Cyber Security Centre (NCSC) Networks & Information Systems (NIS) Regulations Cyber Assessment Framework (CAF) and all IT related audits (internal and external) where the scope is wholly or significantly relevant to the companies cyber security controls.
• Business Continuity and Disaster Recovery: Own and maintain IT resilience and business continuity plans, plan, coordinate test exercises. Conduct business continuity reviews and evaluate resilience and business continuity activities.
• GRC Systems and Tools Support: support the technical implementation, maintenance and configuration of the suite of GRC tools, products and systems to ensure effective operation of GRC frameworks and capabilities.
• Stakeholder Management: Engage and work with important partners across IT, IS and the Business, maintaining daily working relationships with internal and external support teams, internal and external auditors, UKPN regulator Ofgem, third party managed service providers and partners to manage all IT risks across the enterprise.
• Supply Chain and 3rd Party: Engage, interact and ensure 3rd party supplies are meeting cyber security expectations. Gather evidence and assurance, risk assess and create reports and governance metrics for measuring the ongoing risk and impact that 3rd party suppliers present to UKPN.

Nature and scope

The Information Systems Department works across UK Power Networks, supporting us in the achievement of our vision to maintain its position as best DNO. The team achieve this through the provision of technology solutions, and the optimisation of current solutions to improve how we operate. Continuous improvement, customer service and seamless delivery is at the heart of this ethos and are therefore underpinned by effective cyber security.

You will assess Cyber and IT risks and undertaking risk management activities within UK Power Networks. Also you will support UK Power Networks cyber security maturity improvements in processes that are necessary to protect our customers from cyber threats.

You will support all other team members, the rest of Information Systems teams, IT Service Providers and partners across UK Power Networks to implement and improve IS and IT risk management and operational control capabilities that are important to safeguarding UKPN information assets, business services and operations.

• Knowledge: We ask that you understand governance, risk management, and compliance principles, in addition to a knowledge of relevant laws, regulations, and industry standards. We are looking for a detailed knowledge and practical expertise in at least 3 of the following specialist areas: -
• Specific Industry Standards
• IS/IT Operational Controls and Governance
• IT/IS Risk Management
• Business Continuity Planning and Disaster Recovery
• Supply Chain and 3rd Party Risk Management
• Problem Solving: The role must have strong analytical and problem-solving skills to recommend pragmatic mitigating solutions mitigate for IT risks across the organisation; must also be able to develop and implement new governance and compliance strategies and procedures.
• Accountability: The Senior role ensures we are compliant with relevant laws, regulations, and industry standards, in a sustainable way. They are also responsible for conducting regular control and risk assessments, and reporting on GRC activities to senior management and partners.

You will ensure that UKPN can demonstrate and maintain ongoing compliance to the legal and regulatory demands that are necessary for UKPN to retain its 'license to operate' and provide its main services as a DNO. A cornerstone for this is to maintain a strong cyber security posture across the IT estate by developing a comprehensive controls framework whilst ensuring that the daily operational changes and multiple project deliverables re-enforce rather than weaken the posture and protect the company's information assets.

Qualifications:

• Practical experience in a GRC role or related profession e.g. risk, audit, cyber security or similar practical experience in IT or OT role with a desire to move into cyber security, must have some relevant training or experience of cyber security risk assessment.
• Detailed knowledge and experienced in defining, implementing, operating maintaining, and improving information security management systems (ISMS).
• Experience of internal and external audit engagements, orchestrating and delivering cyber security risk and control assessments and a good working knowledge of risk processes, frameworks, and procedures.
• Specific GRC related professional training or an academic level equivalent in a related subject with a recognised information security related certification e.g. CISSP, CompTIA, CISA, CISM, CRISC, MSc Information Security, degree or other formal technical qualifications e.g. apprenticeship, in a related area e.g. networking, cyber security, Information Technology, Operational Technology.
• Knowledge of compliance, security and regulatory frameworks such as Cyber Essentials, Smart Energy Code (SEC), Network and Information Systems Directive (NIS) National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), ISA/IEC 62443, ISO/IEC 27001/27002, GDPR, Cloud Security Alliance (CSA) Star framework, SOC2 Type 2 audits. Information Technology Infrastructure Library (ITIL), Control Objectives for Information and Related Technologies (CoBIT), etc.
• Proficient in at least one or more of the following, within a corporate environment:
• IT / OT operational risks and controls assessment and assurance
• Business Continuity Planning and Disaster Recovery testing assurance.
• 3rd Party Supply chain risks, controls and assurance.
• Physical security risks and controls.
• Policy, Process, Documentation and Governance
• Experience with technical risk assessments in either Information Technology (IT) or Operational Technology (OT) environments, including Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA).
• Working within a regulated environment, preferably Energy sector Critical National Infrastructure (CNI) and an understanding of power distribution systems or industry best practice would be beneficial.

We ask that you can collaborate with both technical, non-technical and executive audiences.

Health & Safety Responsibilities

Managers and supervisors carry both legal and company responsibilities for ensuring the health and safety of their employees, those under their control and those who might be affected by the work undertaken, i.e. public, visitors and employees of other organisations. This includes briefing individuals working for them and ensuring there is the necessary understanding, competence and application of requirements to work safely and without harming the environment.

Employees will ensure they understand the health and safety risks involved in their work activities and their responsibility to apply the controls needed to manage those risks to acceptable levels. Similarly where work activities can have an adverse impact upon the environment, and where there are legal requirements, employees will understand those impacts and the controls they must ensure are applied.

If in doubt ask!

We are committed to equal employment opportunity regardless of race, colour, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender, gender identity or expression, or veteran status. We are proud to be an equal opportunity workplace.

If you have any queries in connection to this vacancy or your application, please contact us at careers@ukpowernetworks.co.uk quoting the vacancy reference number and a member of the team will get in touch with you as soon as possible.