Cyber Risk Analyst

TalentHawk

Portsmouth

On-site

GBP 50,000 - 70,000

Full time


Job summary

A cybersecurity consultancy is seeking a Cyber Risk Analyst in Portsmouth to deliver qualitative and quantitative cyber risk assessments. The role involves identifying and documenting cyber and information security risks, maintaining risk registers, and supporting compliance with regulatory requirements. Candidates should have a degree in Cybersecurity or related fields and experience with risk management frameworks like ISO 27005. Strong analytical and communication skills are essential. This role is pivotal for mitigating cyber risks and ensuring adherence to industry standards.

Qualifications

  • 3–5 years’ experience in an information security or cyber risk assessment role.
  • Practical experience with cyber risk management frameworks.
  • Strong understanding of information security principles and regulatory obligations.

Responsibilities

  • Identify, assess, and monitor cyber and information security risks.
  • Maintain up‑to‑date risk registers and treatment plans.
  • Support third-party cyber risk assessments and compliance documentation.

Skills

Cybersecurity
Information Technology
Risk Management
Analytical skills
Problem-solving
Written communication

Education

Bachelor’s degree in Cybersecurity, IT, or related discipline

Tools

ISO 27005
OCTAVE Allegro
FAIR or FAST risk quantification

Job description

Job Title: Cyber Risk Analyst (Contractor)

Department: IT – Governance, Risk & Compliance (GRC)

Reporting to: Information Security Manager (GRC)

The Cyber Risk Analyst will be responsible for delivering hands‑on qualitative and quantitative cyber, IT, and OT risk assessments. The role focuses on identifying, assessing, documenting, and supporting the mitigation of cyber and information security risks in line with recognised frameworks, regulatory requirements, and industry best practices. This is a delivery‑focused role operating primarily on day‑to‑day risk activities.

Key Responsibilities
  • Identify, assess, and monitor cyber, information security, and OT risks using established risk management practices.
  • Maintain accurate and up‑to‑date risk registers, including risk treatment plans and control profiles.
  • Work closely with IT teams, risk owners, and the wider GRC function to gather risk‑related data and support mitigation planning and reporting.
  • Support supply chain and third‑party cyber risk assessments in collaboration with security assurance activities.
  • Contribute to cyber risk quantification initiatives, including the use of structured methods or tools to express cyber risk in business or financial terms.
  • Support compliance with internal controls and external regulatory and legislative requirements.
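The quantification responsibility above asks for cyber risk "in business or financial terms". As an added illustration (this is example code written for this page, not the employer's tooling or any framework's official calculator), the following FAIR-style Monte Carlo takes one risk-register entry with calibrated min / most-likely / max estimates for threat event frequency, a vulnerability probability and per-event loss magnitude, and reduces it to an annualised loss expectancy, loss percentiles and the probability of exceeding a stated tolerance. The Scenario field names, the ransomware sample values and the 1,000,000 GBP tolerance are all assumptions constructed for the example.

```python
"""FAIR-style Monte Carlo estimate of annualised cyber loss.

Added example, not part of the job posting. The scenario values, field
names and the tolerance threshold are assumptions chosen to show the
mechanics of turning a risk-register entry into financial terms.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Calibrated (min / most-likely / max) estimates for one register entry."""
    name: str
    tef_min: float   # threat event frequency per year, low estimate
    tef_ml: float    # most likely
    tef_max: float   # high estimate
    vuln: float      # probability a threat event becomes a loss event (0..1)
    loss_min: float  # loss magnitude per loss event in GBP, low estimate
    loss_ml: float
    loss_max: float


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: Scenario, trials: int = 10_000, seed: int = 1) -> list:
    """Simulate total loss for `trials` independent years.

    Each year draws a threat event frequency from a triangular distribution,
    a Poisson number of threat events at that rate, filters them through the
    vulnerability probability, and sums a triangular loss magnitude per
    loss event. Seeded so results are reproducible.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        tef = rng.triangular(s.tef_min, s.tef_max, s.tef_ml)
        events = _poisson(rng, tef)
        total = 0.0
        for _ in range(events):
            if rng.random() < s.vuln:
                total += rng.triangular(s.loss_min, s.loss_max, s.loss_ml)
        losses.append(total)
    return losses


def summarise(losses: list, tolerance: float) -> dict:
    """Reduce the simulated years to the figures a risk owner can act on."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(q: float) -> float:
        return ordered[min(n - 1, int(q * n))]

    return {
        "ale_mean": statistics.fmean(ordered),  # annualised loss expectancy
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p99": pct(0.99),
        "p_exceed_tolerance": sum(1 for x in ordered if x > tolerance) / n,
    }


# Constructed sample scenario: ransomware reaching an OT-adjacent file server.
RANSOMWARE_OT = Scenario(
    name="Ransomware on OT-adjacent file server",
    tef_min=0.5, tef_ml=1.5, tef_max=4.0,
    vuln=0.3,
    loss_min=50_000.0, loss_ml=250_000.0, loss_max=2_000_000.0,
)
RISK_TOLERANCE_GBP = 1_000_000.0  # assumed annual loss appetite for the example


def run_example() -> dict:
    return summarise(simulate_annual_losses(RANSOMWARE_OT), RISK_TOLERANCE_GBP)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:>20}: {value:,.2f}")
```

The mean ALE (about 460,000 GBP for these inputs) is what most registers record, but the p90/p99 figures and the exceedance probability are what a risk owner needs to decide whether a control investment is justified against the stated tolerance; a single point estimate hides the tail that drives that decision.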

Skills, Knowledge and Experience
  • Bachelor’s degree in Cybersecurity, Information Technology, Risk Management, or a related discipline.
  • 3–5 years’ experience in an information security or cyber risk assessment role.
  • Practical experience with cyber risk management frameworks and methodologies such as ISO 27005, OCTAVE Allegro, and FAIR or FAST risk quantification.
  • Strong understanding of information security principles, frameworks, and regulatory obligations.
  • Experience maintaining compliance documentation aligned to standards and regulations including NIS‑D CAF, ISO 27001 / 27002, NIST CSF 2.0, IEC 62443, PCI‑DSS, GDPR, and the Data Protection Act.
  • Strong analytical, problem‑solving, and written communication skills.
  • Proven ability to work with stakeholders to assess risks and agree mitigation strategies.
  • Ability to work independently while contributing effectively within a team.

Desirable
  • Industry‑recognised certification or working towards certification, such as CRISC.

Role Scope and Impact

This role is responsible for the practical delivery of cyber, IT, and OT risk assessments. Inadequate risk identification or mitigation could result in cyber incidents, data exposure, service disruption, financial loss, regulatory non‑compliance, and reputational damage.

Stakeholder Interaction

The role involves regular interaction with internal IT teams and risk owners, as well as engagement with third‑party service providers. Communication is primarily advisory and collaborative, supporting effective risk assessment and reporting.

Management and Resources

This role does not have line management responsibility, budget ownership, or direct control of assets or projects.
