Senior infosec advisor

Aberdeen
Orion
Will advisor
€70,000 a year
Posted: 9 March
Offer description

ISO 27001 Lead Auditor


Senior Information Security Risk Advisor

Our Oil & Gas Operator client is currently recruiting for a pivotal role focused on embedding security across digital and operational technology (OT) environments, ensuring resilience against evolving cyber threats.

The successful candidate will lead 2nd Line of Defence (LOD2) IT and Information Security risk assurance across IT and OT. Acting as a “Secure by Design” advisor, you will set assurance plans for critical assets, conduct risk assessments for new platforms and applications, advise on security architecture and OT standards, and drive supplier assurance in partnership with Procurement.

You will track high‑risk deviations, oversee remediation plans, and provide clear, business‑focused risk reporting to senior stakeholders.


Key Responsibilities


Risk Assessment & Secure by Design

* Perform structured IT and information security risk assessments and threat modelling for new platforms, systems, applications, and material changes.
* Provide security architecture guidance (patterns and guardrails) aligned to recognised frameworks such as NIST CSF and ISO 27001.
* Define and agree proportionate control selection (prevent, detect, correct), including identity, data, and platform controls.
* Conduct IT control walkthroughs to validate design and operating effectiveness; document evidence and findings.


LOD2 Assurance & Critical Assets

* Own and deliver the LOD2 assurance plan, with specific focus on critical assets and safety‑related systems.
* Define assurance scopes, frequency, and performance metrics.
* Track high‑risk deviations and risk acceptances, drive remediation, and report residual risk to senior stakeholders and business risk owners.


OT / ICS Security

* Lead LOD2 assurance across OT sites against established OT security standards, determining assessment frequency aligned to risk appetite.
* Provide advisory support on OT security alignment, advocating segmentation, zoning, secure remote access, monitoring, and patching controls in line with ISA/IEC 62443 principles.


Supplier & Third‑Party Assurance

* Deliver supplier assurance activities in collaboration with Procurement, including pre‑contract due diligence, control reviews, and ongoing attestations.
* Partner with Legal to ensure contractual SLAs and KPIs embed security requirements, supporting remediation where gaps are identified.


Reporting & Governance

* Maintain risk registers, control libraries, and assurance test plans.
* Provide clear, executive‑ready reporting on issues and residual risk.
* Collaborate with 1st Line risk owners, Internal Audit (LOD3), and managed service providers to close control gaps and feed lessons learned into standards and patterns.


Skills & Experience

* Experience in information risk, security assurance, or IT audit within regulated, safety‑critical, or industrial environments (energy/oil & gas experience advantageous).
* Strong working knowledge of NIST CSF, ISO 27001, UK GDPR, and supplier assurance practices; familiarity with the UK CAF desirable.
* Proven experience leading compliance and assurance functions, Secure‑by‑Design reviews, and control testing (design and operating effectiveness).
* Solid understanding of OT/ICS risk, including exposure to SCADA and industrial control system interfaces.
* Excellent stakeholder management and communication skills, with the ability to present risk clearly and concisely to senior audiences.
* Familiarity with GRC/IRM platforms (e.g., ServiceNow) and common cloud environments such as M365 and Azure for workflow and evidence management.


Advantageous Certifications


Governance & Audit

* ISO 27001 Lead Auditor
* CISM


Architecture & Design

* SABSA
* CISSP


OT / ICS

* SANS GICSP
* ISA/IEC 62443

This is an excellent opportunity to play a strategic role in strengthening enterprise‑wide security assurance across both IT and OT environments within a complex, safety‑critical setting.
