Job Description

Responsible for establishing and delivering a robust second-line cyber assurance capability across Sellafield Ltd. The role ensures that cyber security controls, processes, and systems are independently assessed for effectiveness, compliance, and alignment with regulatory expectations and business risk appetite.

Operating within a highly regulated and safety-critical environment, the postholder supports the Head of GRCA and the wider cyber security function by providing meaningful insight into the organisation’s cyber resilience and driving continuous improvement. The Team Lead works closely with risk and compliance leads, ICT delivery teams, and internal/external audit functions to ensure assurance is embedded, risk-informed, and proportionate. The role also supports regulatory engagement and contributes to maintaining confidence in Sellafield Ltd’s cyber security posture.

Principal Accountabilities

• Lead the development and execution of a risk-based cyber assurance strategy and annual plan, ensuring alignment with organisational objectives and regulatory expectations.
• Oversee the delivery of second-line assurance activities, including control effectiveness testing, process evaluations, and thematic reviews across IT, OT, technical architecture, and supply chain domains.
• Provide independent, expert assurance on the adequacy and effectiveness of cyber security controls, risk mitigations, and governance arrangements.
• Take ownership to proactively identify, assess, and escalate risks that could impact safety, compliance, and/or project delivery.
• Ensure timely communication of potential risks to relevant stakeholders and contribute to mitigation planning.
• Coordinate with first-line ICT, engineering, and supply chain teams, as well as third-line audit, to ensure assurance coverage is integrated, efficient, and comprehensive.
• Produce high-quality assurance reports, dashboards, and insights for senior leadership, governance forums, and regulatory stakeholders.
• Support the Head of GRCA in managing regulatory engagement, including preparation for inspections, audits, and the provision of defensible assurance evidence.
• Monitor, track, and verify the remediation of assurance findings, ensuring timely closure and embedding of lessons learned.
• Maintain up-to-date knowledge of emerging cyber threats, regulatory developments, and assurance best practices to inform planning and continuous improvement.
• Champion a culture of cyber accountability, transparency, and maturity through effective stakeholder engagement and assurance-led insights.
• Mentor and develop cyber assurance advisors, fostering capability growth and consistency in assurance delivery.

Authorities & Dimensions

• Budget Responsibility: Contributes to the management of assurance activities within the GRCA budget.
• Line Management: Direct line management of 3 – 4 senior analysts (principal advisors), with indirect oversight of approx. 14 assurance professionals.
• Decision-Making Authority: Authority to define assurance scope, resource allocation, and report findings to governance forums.
• Reporting Line: Reports to Head of GRCA; supports engagement with ONR and internal audit.

Essential Skills

• Strong experience in cyber assurance, risk management, audit, or control testing within a regulated environment.
• Proven experience building or scaling assurance functions in complex technical environments spanning IT/OT, and supply chain domains.
• Experience managing managers in technical functions, including performance management, capability development, and resource planning.
• In-depth understanding of cyber security frameworks (e.g., NCSC CAF, ISO 27001, NIST CSF).
• Experience designing and delivering assurance programmes and reporting to senior stakeholders.
• Ability to assess technical and procedural controls and communicate findings clearly.
• Strong analytical, reporting, and stakeholder engagement skills.
• Degree or equivalent experience in cyber security, audit, or a related field.
• Relevant certifications (e.g., CISA, ISO 27001 Lead Auditor, CISSP).

Desirable Skills

• Experience in the nuclear or critical national infrastructure (CNI) sector.
• Familiarity with ONR SyAPs, NISR 2003, and HMG SPF.
• Experience with assurance automation or continuous control monitoring.
• Knowledge of risk-based assurance methodologies.

Additional Information

• Open VN
• Number of Vacancies: 1
• Contact: Nicola Lyons

The interview dates for this vacancy are to be confirmed.

ASWs may have the right to apply for internal Sellafield Ltd vacancies. Please note that if you are an Agency Supplied Worker you are required to attach evidence of all qualifications obtained to support your application. We require a minimum of A*-C (9-4) GCSE in English Language, Maths & Science/IT or an equivalent or higher qualification.

Competencies will be provided if you are invited to interview.

Sellafield Ltd are recognised as a Disability Confident Employer (Level 3). Disability Confident employers offer an interview to disabled applicants that meet the minimum criteria for a vacancy. Sellafield Ltd define the minimum criteria as the ‘essential skills’ which are listed on the vacancy notice. Whilst completing your application form, you will be able to indicate if you wish to be considered under the disability confident scheme. If you would prefer to discuss this directly with us, please contact the GBS Recruitment team on recruitment@sellafieldcloud.co.uk

Please ensure that you save a copy of this advert for future reference if you make an application for this role.

The closing date for this vacancy is 5th July 2026.

Cyber Assurance Team Lead

• Job number: SP06708
• Profession: IT Information Services
• Location: Sellafield or Risley
• Contract type: Internal Recruitment
• Posting date: 21 June 2026
• Closing date: 5 July 2026
• Band: 3A Lower
• Work Schedule: Days