Governance, Risk & Compliance (GRC) Analyst

  • Job Reference: 79221
  • Date Posted: 8 July 2024
  • Employer: UK Power Networks
  • Location: Crawley, West Sussex
  • Salary: On Application
  • Bonus/Benefits: Excellent Benefits and Bonus
  • Sector: Information Technology (IT)
  • Job Type: Permanent
  • Work Hours: Full Time

Job Description

Governance, Risk & Compliance (GRC) Analyst

Reference Number - 79221

This Governance, Risk & Compliance (GRC) Analyst will report to the Cyber Security Governance Manager and will work within the Information Systems directorate based in our Crawley or London offices. You will be a permanent employee.

You will attract a salary of £43,000.00 and a bonus of 7.5%. This role also offers blended working after the six-month probationary period: three days in the office and two remote.

Close Date: 22/07/2024

We also provide the following additional benefits:

  • 25 Days Annual Leave plus bank holidays
  • Personal Pension Plan - Personal contribution rates of 4% or 5% (UK Power Networks will make a corresponding contribution of 8% or 10%)
  • Tenancy Loan Deposit scheme
  • Tax efficient benefits: cycle to work scheme
  • Season ticket loan
  • Occupational Health support
  • Switched On - scheme providing discounts on hundreds of retailers' products.


You will support the Cyber Security GRC Manager in implementing and maintaining IT governance, risk management and compliance capabilities and services across UK Power Networks' information systems, applications and users, to safeguard essential business services and operations from cyber threats.


  • Work collaboratively in a team of circa 8-10 permanent and temporary GRC resources and specialist third-party GRC service providers.
  • No direct budget responsibility.
  • You will keep informed and up to date with energy sector industry and regulatory requirements and developments, including those from Ofgem and the Department for Energy Security and Net Zero.


  1. Risk Management: Support cyber security risk assessments, help to validate findings and suggest treatment actions to key partners. Document, monitor and follow up remediation actions on all risks relating to the control environment.
  2. Reporting and Metrics: Gather input data for management information reporting related to the risk and control environment.
  3. Policies and Standards: Help develop GRC policies, standards and procedures to monitor information security operational controls, exceptions, risks and testing, including management reporting on performance.
  4. Controls Framework: Ensure a robust IT control environment and support a roadmap for IT controls improvements.
  5. Compliance: Run processes to monitor UKPN IT compliance with legal and regulatory requirements such as the Smart Energy Code, Cyber Essentials, the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) under the Network and Information Systems (NIS) Regulations, and all IT-related audits (internal and external) whose scope is wholly or significantly relevant to the company's cyber security controls.


The Information Systems Department works across UK Power Networks, supporting us in the achievement of our vision to become the best performing DNO (Distribution Network Operator). The team achieves this through the provision of technology solutions and the optimisation of current solutions to improve how we operate. Continuous improvement, customer service and seamless delivery are at the heart of this ethos and are therefore strongly underpinned by effective cyber security.

  • We ask that you have a practical understanding of governance, risk management and compliance principles, and an awareness of relevant laws, regulations and industry standards. We are looking for detailed knowledge and practical expertise in at least 3 of the following specialist areas:
    • Specific Industry Standards
    • IS/IT Operational Controls and Governance
    • IT/IS Risk Management

Your principal challenge is to ensure that UKPN can demonstrate compliance with the various legal and regulatory demands that are important for UKPN to retain its 'licence to operate' and provide its primary services as a DNO. A cornerstone for this is maintaining a strong security posture across the IT estate by developing a comprehensive controls framework and protecting our information assets.


  • Practical experience in a GRC role or a related profession (e.g. risk, audit, cyber security), or similar experience in an IT or OT role with a desire to move into cyber security; you must have some relevant training in, or experience of, cyber security risk assessment.
  • Experience in operating, maintaining and improving an information security management system (ISMS).
  • Specific GRC-related professional training or an academic equivalent in a related subject, with a recognised information security certification (e.g. CISSP, CompTIA, CISA, CISM, CRISC, MSc Information Security), or a degree or other formal technical qualification (e.g. apprenticeship) in a related area such as networking, cyber security, Information Technology or Operational Technology.
  • Good knowledge of compliance, security and regulatory frameworks such as Cyber Essentials, the Smart Energy Code (SEC), the Network and Information Systems (NIS) Regulations and the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF), ISA/IEC 62443, ISO/IEC 27001/27002, GDPR, the Cloud Security Alliance (CSA) STAR framework, SOC 2 Type 2 audits, the Information Technology Infrastructure Library (ITIL), Control Objectives for Information and Related Technologies (COBIT), etc.