Skip to main content

This job has expired

You will need to login before you can apply for a job.

Senior Cyber Security (GRC) Analyst

UK Power Networks
London, London, United Kingdom
Closing date
1 Jul 2024

View more

Reference Number - 79076

This Senior Cyber Security (GRC) Analyst will report to the Cyber Security Governance, Risk & Compliance Manager and will work within Information Systems based in either our Crawley or London office. You will be a permanent employee.

You will attract a salary level depending on your experience and a bonus of 7.5%. This role can also offer blended working after probationary period (6 months) - 3 days in the office and 2 remote

Close Date: 30/06/2024

We also provide the following additional benefits
  • Annual Leave
  • Personal Pension Plan - Personal contribution rates of 4% or 5% (UK Power Networks will make a corresponding contribution of 8% or 10%)
  • Tenancy Loan Deposit scheme
  • Tax efficient benefits: cycle to work scheme
  • Season ticket loan
  • Occupational Health support
  • Switched On - scheme providing discount on hundreds of retailers products.
  • Discounted access to sports and social clubs
  • Employee Assistance Programme.


You will will support the Cyber Security GRC Manager in developing IT governance, risk management, and compliance strategies across UK Power Networks information systems, applications and users to safeguard essential business services and operations from cyber threats.

  • People - Work collaboratively in a team of circa 8-10 permanent and temporary GRC resources and specialist 3rd Party GRC service providers. Mentor less experienced GRC analysts, providing guidance and training.
  • Financial - no direct budget responsibility.
  • Industry and Regulatory - deputise for the GRC manager to represent UKPN in energy sector industry forums and regulatory working groups, working collaboratively with Ofgem and the Department for Energy Security and Net Zero
  • Communication - collaborate with all teams and partners in UK Power Networks. Good verbal, written, and presentational skills to articulate risks and the potential possible effects to the business and make reasoned recommendations for management action to mitigate or reduce the risks.
  • Partners - regular and ongoing interaction with senior management partners across IT, IS and the Business; collaborate with internal support teams, internal and external auditors, specialist 3rd party service providers and partners to manage IT risk, and to monitor mitigation plans and actions.

  1. Risk Management: Conduct cyber security risk assessments following the UK Power Networks risk assessment framework and methodology, identifying and explaining findings and treatment actions to important partners. Ensure all risks relating to the control environment are captured and remediation actions defined, tracked, monitored and followed-up with owners including communication of third-party assessments and actions.
  2. Reporting: Produce management information related to the risk and control environment. Support IS teams to define important control metrics to demonstrate their effectiveness. Prepare regulatory submissions and provide assurance for UK Power Networks policy compliance within IT which includes key performance metrics and management reporting.
  3. Information Security Management System Support: Operate and maintain the information security management system and artefacts, in compliance with ISO 27001/27002 including the governance forum agenda and minutes.
  4. Policies and Standards: develop GRC policies, standards and procedures to monitor UKPN information security controls, exceptions, risks, and testing including management reporting on performance.
  5. Controls Framework: Ensure a fit for purpose IT control environment and support a roadmap for IT controls improvements. Requiring an understanding of technical issues and controls.
  6. Compliance: Design, implement, and run processes to monitor UKPN IT compliance to legal and regulatory requirements such as Smart Energy Code, Cyber Essentials, National Cyber Security Centre (NCSC) Networks & Information Systems (NIS) Regulations Cyber Assessment Framework (CAF) and all IT related audits (internal and external) where the scope is wholly relevant to the companies cyber security controls.
  7. Business Continuity and Disaster Recovery: Manage IT resilience and business continuity plans, plan, coordinate test exercises. Conduct business continuity reviews and evaluate resilience and business continuity activities.
  8. GRC Systems and Tools Support: support the technical implementation, maintenance and configuration of the suite of GRC tools, products and systems to ensure effective operation of GRC frameworks and capabilities.
  9. Stakeholder Management: Engage and work with important partners across IT, IS and the Business, maintaining daily working relationships with internal and external support teams, internal and external auditors, UKPN regulator Ofgem, third party managed service providers and partners to manage all IT risks across the enterprise.
  10. Supply Chain and 3rd Party: Engage, interact and ensure 3rd party supplies are meeting cyber security expectations. Gather evidence and assurance, risk assess and create reports and governance metrics for measuring the ongoing risk and effect that 3rd party suppliers present to UKPN.


The Information Systems Department works across UK Power Networks, supporting us in the achievement of our vision to maintain its position as best DNO. The team achieve this through the provision of technology solutions and the optimisation of current solutions to improve how we operate. Continuous improvement, customer service and seamless delivery is at the heart of this ethos and are therefore strongly underpinned by effective cyber security.

As Senior GRC Analyst you will assesses Cyber and IT risks and undertake risk management activities within UK Power Networks. Also the role will support UK Power Networks cyber security maturity improvements in processes that are necessary to protect our customers from cyber threats.

You will support all other team members, the rest of Information Systems teams, IT Service Providers and partners across UK Power Networks to implement and improve IS and IT risk management and operational control capabilities that are important to safeguarding UKPN information assets, business services and operations.
  • We ask that you understand governance, risk management, and compliance principles, in addition to knowledge of relevant laws, regulations, and industry standards. We ask that you have a detailed knowledge and practical expertise in at least 3 of the following specialist areas: -
  • Specific Industry Standards
  • IS/IT Operational Controls and Governance
  • IT/IS Risk Management
  • Business Continuity Planning and Disaster Recovery
  • Supply Chain and 3rd Party Risk Management
  • You will have problem solving skills to recommend pragmatic mitigating solutions to mitigate IT risks across the organisation; must also be able to develop and implement new governance and compliance strategies and practices.
  • Accountability: The Senior role ensures we are compliant with relevant laws, regulations, and industry standards, in a sustainable way. They are also responsible for conducting regular control and risk assessments, and reporting on GRC activities to senior management and partners.

Your principal challenge is to ensure that UKPN can demonstrate and maintain ongoing compliance to the legal and regulatory demands that are necessary for UKPN to retain its 'license to operate' and provide its primary services as a DNO. A cornerstone for this is to maintain a cyber security posture across the IT estate by developing a comprehensive controls framework whilst ensuring that the daily operational changes and multiple project deliverables re-enforce rather than weaken the posture and protect our information assets.

  • Practical experience in a GRC role or related profession e.g. risk, audit, cyber security or similar practical experience in IT or OT role with a desire to move into cyber security, must have some relevant training of cyber security risk assessment.
  • Detailed knowledge and experienced in defining, implementing, operating maintaining, and improving information security management systems (ISMS).
  • Experience of internal and external audit engagements, orchestrating and delivering cyber security risk and control assessments and knowledge of risk processes, frameworks, and procedures.
  • Specific GRC related professional training or an academic level equivalent in a related subject with a recognised information security related certification e.g. CISSP, CompTIA, CISA, CISM, CRISC, MSc Information Security, degree or other formal technical qualifications e.g. apprenticeship, in a related area e.g. networking, cyber security, Information Technology, Operational Technology.
  • Knowledge of compliance, security and regulatory frameworks such as Cyber Essentials, Smart Energy Code (SEC), Network and Information Systems Directive (NIS) National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), ISA/IEC 62443, ISO/IEC 27001/27002, GDPR, Cloud Security Alliance (CSA) Star framework, SOC2 Type 2 audits. Information Technology Infrastructure Library (ITIL), Control Goals for Information and Related Technologies (CoBIT).
  • Proficient in at least one or more of the following, within a corporate environment:
  • IT / OT operational risks and controls assessment and assurance
  • Business Continuity Planning and Disaster Recovery testing assurance.
  • 3rd Party Supply chain risks, controls and assurance.
  • Physical security risks and controls.
  • Policy, Process, Documentation and Governance
  • Experience with technical risk assessments in either Information Technology (IT) or Operational Technology (OT) environments, including Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA).
  • Working within a regulated environment, preferably Energy sector Critical National Infrastructure (CNI) and an understanding of power distribution systems or industry best practice would be beneficial.
  • Ability to communicate with both technical, non-technical and executive audiences.

Health & Safety Responsibilities

Managers and supervisors carry both legal and company responsibilities for ensuring the health and safety of their employees, those under their control and those who might be affected by the work undertaken, i.e. public, visitors and employees of other organisations. This includes briefing individuals working for them and ensuring there is the necessary understanding, competence and application of requirements to work safely and without harming the environment.

Employees will ensure they understand the health and safety risks involved in their work activities and their responsibility to apply the controls needed to manage those risks to acceptable levels. Similarly where work activities can have an adverse impact upon the environment, and where there are legal requirements, employees will understand those impacts and the controls they must ensure are applied.

If in doubt ask!

We are committed to equal employment opportunity regardless of race, colour, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender, gender identity or expression, or veteran status. We are proud to be an equal opportunity workplace.

Get job alerts

Create a job alert and receive personalised job recommendations straight to your inbox.

Create alert